CISA Topic 2
Question #: 439
Topic #: 1
Which of the following would be a result of utilizing a top-down maturity model process?
A. A means of comparing the effectiveness of other processes within the enterprise
B. Identification of older, more established processes to ensure timely review
C. Identification of processes with the most improvement opportunities
D. A means of benchmarking the effectiveness of similar processes with peers
Selected Answer: C
Question #: 437
Topic #: 1
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
A. Guest operating systems are updated monthly.
B. Antivirus software has been implemented on the guest operating system only.
C. A variety of guest operating systems operate on one virtual server.
D. The hypervisor is updated quarterly.
Selected Answer: C
Question #: 434
Topic #: 1
Which of the following is the PRIMARY reason for using a digital signature?
A. Authenticate the sender of a message
B. Provide confidentiality to the transmission
C. Verify the integrity of the data and the identity of the recipient
D. Provide availability to the transmission
Selected Answer: A
Question #: 431
Topic #: 1
Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
A. Disabling unnecessary network connectivity options
B. Implementing mobile device management (MDM)
C. Enabling remote data destruction capabilities
D. Requiring security awareness training for mobile users
Selected Answer: B
Question #: 427
Topic #: 1
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
A. Remediation dates included in management responses
B. Availability of IS audit resources
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit
Selected Answer: A
Question #: 425
Topic #: 1
During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed.
Which of the following is the BEST way to help management understand the associated risk?
A. Explain the impact to resource requirements.
B. Explain the impact to disaster recovery.
C. Explain the impact to backup scheduling.
D. Explain the impact to incident management.
Selected Answer: B
Question #: 423
Topic #: 1
Which of the following is the MOST appropriate control to ensure integrity of online orders?
A. Public key encryption
B. Digital signature
C. Data Encryption Standard (DES)
D. Multi-factor authentication
Selected Answer: B
Question #: 421
Topic #: 1
Which of the following would be of GREATEST concern if noted during an audit of compliance with licensing agreements?
A. Distribution software is only maintained on a centralized server.
B. The software vendor required monthly verification of licenses.
C. Desktop software is personally expensed and not capitalized.
D. The organization does not monitor upgrades to its software.
Selected Answer: C
Question #: 123
Topic #: 1
The practice of periodic secure code reviews is which type of control?
A. Compensating
B. Detective
C. Preventive
D. Corrective
Selected Answer: B
Question #: 418
Topic #: 1
Which of the following techniques is MOST appropriate for verifying application program controls?
A. Observation of data entry
B. Statistical sampling
C. Use of test data
D. Code review
Selected Answer: D
Question #: 415
Topic #: 1
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
A. Validating enterprise risk management (ERM)
B. Establishing a risk management framework
C. Operating the risk management framework
D. Establishing a risk appetite
Selected Answer: A
Question #: 410
Topic #: 1
Which of the following is the BEST point in time to conduct a post-implementation review (PIR)?
A. To coincide with the annual PIR cycle
B. Immediately after deployment
C. After a full processing cycle
D. Six weeks after deployment
Selected Answer: C
Question #: 409
Topic #: 1
Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?
A. Rollback plans for changes
B. Sufficiency of implemented controls
C. Updates required for end user manuals
D. Resource management plan
Selected Answer: B
Question #: 405
Topic #: 1
Which of the following is the BEST use of a maturity model in a small organization?
A. To assess the current maturity level and the level of compliance with key controls
B. To identify required actions to close the gap between current and desired maturity levels
C. To benchmark against peer organizations that have attained the highest maturity level
D. To develop a roadmap for the organization to achieve the highest maturity level
Selected Answer: B
Question #: 404
Topic #: 1
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
A. Determine if the organization has a secure connection to the provider.
B. Review the roles and responsibilities of the third-party provider.
C. Evaluate the organization’s third-party monitoring process.
D. Review the third party’s monitoring logs and incident handling.
Selected Answer: B
Question #: 403
Topic #: 1
Which of the following is the FIRST step in initiating a data classification program?
A. Inventory of data assets
B. Assignment of data ownership
C. Assignment of sensitivity levels
D. Risk appetite assessment
Selected Answer: A
Question #: 400
Topic #: 1
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
A. The exceptions are likely to continue indefinitely.
B. The exceptions may negatively impact process efficiency.
C. The exceptions may elevate the level of operational risk.
D. The exceptions may result in noncompliance.
Selected Answer: D
Question #: 398
Topic #: 1
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
A. Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.
B. Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).
C. Job failure alerts are automatically generated and routed to support personnel.
D. Jobs are scheduled and a log of this activity is retained for subsequent review.
Selected Answer: C
Question #: 178
Topic #: 1
Following an internal audit of a database, management has committed to enhance password management controls. Which of the following provides the BEST evidence that management has remediated the audit finding?
A. Screenshots from end users showing updated password settings
B. Interviews with management about remediation completion
C. Change tickets of recent password configuration updates
D. Observation of updated password settings with database administrators (DBAs)
Selected Answer: D
Question #: 396
Topic #: 1
Which of the following should an IS auditor review FIRST during the audit of an organization’s business continuity plan (BCP)?
A. System recovery time objectives (RTOs)
B. List of critical business processes
C. System recovery manuals and documentation
D. Frequency of business database replication
Selected Answer: B
Question #: 395
Topic #: 1
Which of the following is the MOST important consideration for an organization when strategizing to comply with privacy regulations?
A. Ensuring up-to-date knowledge of where customer personal data is saved.
B. Ensuring there are staff members with in-depth knowledge of the regulations.
C. Ensuring regular access recertification to information systems.
D. Ensuring contracts with third parties that process customer data are regularly updated.
Selected Answer: A
Question #: 394
Topic #: 1
Which of the following would be of GREATEST concern to an IS auditor reviewing an organization’s security incident handling procedures?
A. Annual tabletop exercises are performed instead of functional incident response exercises.
B. Roles for computer emergency response team (CERT) members have not been formally documented.
C. Guidelines for prioritizing incidents have not been identified.
D. Workstation antivirus software alerts are not regularly reviewed.
Selected Answer: C
Question #: 392
Topic #: 1
Which of the following should be done by an IS auditor during a post-implementation review of a critical application that has been operational for six months?
A. Test program system interfaces.
B. Verify the accuracy of data conversions.
C. Assess project management risk reports.
D. Examine project change request logs.
Selected Answer: D
Question #: 389
Topic #: 1
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
A. Including the creator’s user ID as a field in every transaction record created
B. Ensuring that audit trails exist for transactions
C. Restricting access to update programs to accounts payable staff only
D. Restricting program functionality according to user security profiles
Selected Answer: D
Question #: 385
Topic #: 1
Which of the following is the BEST justification for deferring remediation testing until the next audit?
A. The auditor who conducted the audit and agreed with the timeline has left the organization.
B. Management’s planned actions are sufficient given the relative importance of the observations.
C. Auditee management has accepted all observations reported by the auditor.
D. The audit environment has changed significantly.
Selected Answer: B
Question #: 379
Topic #: 1
Which of the following is MOST likely to ensure that an organization’s systems development meets its business objectives?
A. Business owner involvement
B. A project plan with clearly identified requirements
C. A focus on strategic projects
D. Segregation of systems development and testing
Selected Answer: A
Question #: 370
Topic #: 1
Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery controls?
A. Backup procedures are not documented.
B. Weekly and monthly backups are stored onsite.
C. Backups are stored in an external hard drive.
D. Restores from backups are not periodically tested.
Selected Answer: D
Question #: 366
Topic #: 1
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization’s bring your own device (BYOD) policy?
A. Not all devices are approved for BYOD.
B. The policy does not include the right to audit BYOD devices.
C. A mobile device management (MDM) solution is not implemented.
D. The policy is not updated annually.
Selected Answer: C
Question #: 364
Topic #: 1
Which of the following is the BEST use of a balanced scorecard when evaluating IT performance?
A. Determining compliance with relevant regulatory requirements
B. Monitoring alignment of IT with the rest of the organization
C. Evaluating implementation of the business strategy
D. Monitoring alignment of the IT project portfolio to budget
Selected Answer: B
Question #: 362
Topic #: 1
Which of the following security testing techniques is MOST effective in discovering unknown malicious attacks?
A. Penetration testing
B. Sandboxing
C. Vulnerability testing
D. Reverse engineering
Selected Answer: A
Question #: 361
Topic #: 1
Which of the following features of a library control software package would protect against unauthorized updating of source code?
A. Access controls for source libraries
B. Date and time stamping of source and object code
C. Required approvals at each life cycle step
D. Release-to-release comparison of source code
Selected Answer: A
Question #: 359
Topic #: 1
Which of the following is the BEST data integrity check?
A. Tracing data back to the point of origin
B. Performing a sequence check
C. Counting the transactions processed per day
D. Preparing and running test data
Selected Answer: A
Question #: 358
Topic #: 1
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
A. Sign-off from the IT team
B. Quality assurance (QA) review
C. Ongoing participation by relevant stakeholders
D. Expected deliverables meeting project deadlines
Selected Answer: C
Question #: 356
Topic #: 1
Which of the following is MOST important when implementing a data classification program?
A. Planning for secure storage capacity
B. Understanding the data classification levels
C. Formalizing data ownership
D. Developing a privacy policy
Selected Answer: B
Question #: 354
Topic #: 1
Which of the following would an IS auditor consider the GREATEST risk associated with a mobile workforce environment?
A. Loss or damage to the organization’s assets
B. Lack of compliance with organizational policies
C. Decrease in employee productivity and accountability
D. Inability to access data remotely
Selected Answer: A
Question #: 327
Topic #: 1
Data anonymization helps to prevent which types of attacks in a big data environment?
A. Man-in-the-middle
B. Denial of service (DoS)
C. Correlation
D. Spoofing
Selected Answer: C
Question #: 347
Topic #: 1
The implementation of an IT governance framework requires that the board of directors of an organization:
A. approve the IT strategy.
B. be informed of all IT initiatives.
C. have an IT strategy committee.
D. address technical IT issues.
Selected Answer: A
Question #: 341
Topic #: 1
Internal audit is conducting an audit of customer transaction risk. Which of the following would be the BEST reason to use data analytics?
A. Transactional data is contained in multiple discrete systems that have varying levels of reliability.
B. Anomalies and risk trends in the data set have yet to be defined.
C. The audit is being performed to comply with regulations requiring periodic random sample testing.
D. The audit focus is on a small number of predefined high-risk transactions.
Selected Answer: A
Question #: 339
Topic #: 1
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
A. Project plan
B. Requirements analysis
C. Implementation plan
D. Project budget provisions
Selected Answer: B
Question #: 338
Topic #: 1
Invoking a business continuity plan (BCP) is demonstrating which type of control?
A. Preventive
B. Corrective
C. Directive
D. Detective
Selected Answer: B
Question #: 1422
Topic #: 1
Which of the following is the GREATEST security concern specific to virtualized environments?
A. A management console grants administrative access.
B. Unmanaged memory may leak data between guests.
C. Performance issues of the host can affect security capabilities.
D. Vulnerabilities can result in exposure of sensitive data.
Selected Answer: B
Question #: 337
Topic #: 1
During an audit of an access control system, an IS auditor finds that RFID card readers are not connected via the network to a central server. Which of the following is the GREATEST risk associated with this finding?
A. Lost or stolen cards cannot be disabled immediately.
B. Card reader firmware updates cannot be rolled out automatically.
C. The system is not easily scalable to accommodate a new device.
D. Incidents cannot be investigated without a centralized log file.
Selected Answer: A
Question #: 335
Topic #: 1
During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser.
Which of the following is the auditor’s BEST recommendation to help prevent unauthorized access?
A. Utilize strong anti-malware controls on all computing devices.
B. Implement an intrusion detection system (IDS).
C. Update security policies and procedures.
D. Implement multi-factor authentication.
Selected Answer: D
Question #: 334
Topic #: 1
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST:
A. conduct additional compliance testing.
B. issue an intermediate report to management.
C. perform a business impact analysis (BIA).
D. evaluate the impact on current disaster recovery capability.
Selected Answer: D
Question #: 330
Topic #: 1
The use of which of the following would BEST enhance a process improvement program?
A. Balanced scorecard
B. Project management methodologies
C. Capability maturity models
D. Model-based design notations
Selected Answer: C
Question #: 324
Topic #: 1
An organization uses multiple offsite data center facilities. Which of the following is MOST important to consider when choosing related backup devices and media?
A. Associated costs
B. Standardization
C. Backup media capacity
D. Restoration speed
Selected Answer: B
Question #: 318
Topic #: 1
After discussing findings with an auditee, an IS auditor is required to obtain approval of the report from the CEO before issuing it to the audit committee. This requirement PRIMARILY affects the IS auditor’s:
A. judgment
B. effectiveness
C. independence
D. integrity
Selected Answer: C
Question #: 1460
Topic #: 1
Which of the following controls BEST ensures the integrity of data exchanged between two systems?
A. Data classification
B. Encryption
C. Hash values
D. Control totals
Selected Answer: C
Question #: 30
Topic #: 1
When an intrusion into an organization’s network is detected, which of the following should be done FIRST?
A. Contact law enforcement.
B. Identify nodes that have been compromised.
C. Block all compromised network nodes.
D. Notify senior management.
Selected Answer: C
Question #: 1301
Topic #: 1
Following a security incident, which of the following BEST enables the integrity of the data captured during a forensic investigation?
A. An expert presenting the results of forensic analysis
B. Comparison of the hash of data files in storage
C. Comparison of the data with printouts from the investigation
D. Maintenance of chain of custody
Selected Answer: B
Question #: 1257
Topic #: 1
An audit program indicates that a specific number of transactions are to be sampled for testing a particular control. However, it has been determined that the control design is deficient. What should the IS auditor do in response to this information?
A. Recommend a change to the audit program to increase the sample size.
B. Recommend a change to the audit program and testing methodology used.
C. Document the observation and the testing methodology used.
D. Notify audit management and continue to use the sample size.
Selected Answer: D
Question #: 1247
Topic #: 1
Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?
A. Interview the application developer.
B. Obtain management attestation and sign-off.
C. Review system configuration parameters and output.
D. Review the application implementation documents.
Selected Answer: C
Question #: 777
Topic #: 1
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
A. To identify areas with relatively high probability of material problems
B. To help ensure maximum use of audit resources during the engagement
C. To help prioritize and schedule auditee meetings
D. To address the overall risk associated with the activity under review
Selected Answer: A
Question #: 293
Topic #: 1
A data analytics team has developed a process automation bot for internal audit that scans user access to all servers in the environment and then randomly selects a sample of new users for testing. Which of the following presents the GREATEST concern with this approach?
A. The bot can only select samples from the current period.
B. Auditor judgment is removed from the process.
C. Evidence of population completeness is not maintained.
D. Data must be validated manually before being loaded into the bot.
Selected Answer: C
Question #: 289
Topic #: 1
IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?
A. More frequent data backups
B. Periodic table link checks
C. Performance monitoring tools
D. Concurrent access controls
Selected Answer: B
Question #: 970
Topic #: 1
Which of the following is the BEST indication that an IT service desk function needs to improve its incident management processes?
A. Information found in many incident records is incomplete
B. The service desk spends most of its time on recurring incidents
C. Back-end releases are the major cause of system disruptions
D. Service level metrics for resolution time have not been met several times
Selected Answer: B
Question #: 229
Topic #: 1
What is the MAIN purpose of an organization’s internal IS audit function?
A. Provide assurance to management about the effectiveness of the organization’s risk management and internal controls.
B. Identify and initiate necessary changes in the control environment to help ensure sustainable improvement.
C. Review the organization’s policies and procedures against industry best practice and standards.
D. Independently attest the organization’s compliance with applicable legal and regulatory requirements.
Selected Answer: A
Question #: 226
Topic #: 1
An employee approaches an IS auditor and expresses concern about a critical security issue in a newly installed application. Which of the following would be the MOST appropriate action for the auditor to take?
A. Discuss the concern with audit management.
B. Recommend reverting to the previous application.
C. Immediately conduct a review of the application.
D. Discuss the concern with additional end users.
Selected Answer: A
Question #: 245
Topic #: 1
An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
A. Long-term internal audit resource planning
B. Feedback from internal audit staff
C. Analysis of user satisfaction reports from business lines
D. Ongoing monitoring of the audit activities
Selected Answer: D
Question #: 1508
Topic #: 1
What is the BEST way for an IS auditor to test the effectiveness of physical security controls for an organization’s data center?
A. Compare physical security controls against industry best practice.
B. Inspect surveillance footage of the data center.
C. Conduct an onsite inspection of physical security at the data center.
D. Review badge access logs for the data center.
Selected Answer: C
Question #: 243
Topic #: 1
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
A. Include strategic objectives in IT staff performance objectives.
B. Review IT staff job descriptions for alignment.
C. Identify required IT skill sets that support key business processes.
D. Develop quarterly training for each IT staff member.
Selected Answer: C
Question #: 223
Topic #: 1
During a post-implementation review, an IS auditor learns that while benefits were realized according to the business case, complications during implementation added to the cost of the solution. Which of the following is the auditor’s BEST course of action?
A. Design controls that will prevent future added costs.
B. Verify that lessons learned were documented for future projects.
C. Determine if project deliverables were provided on time.
D. Ensure costs related to the complications were subtracted from realized benefits.
Selected Answer: B
Question #: 166
Topic #: 1
Which of the following is the MOST significant risk associated with the use of virtualization?
A. Insufficient network bandwidth
B. Single point of failure
C. Inadequate configuration
D. Performance issues of hosts
Selected Answer: D
Question #: 286
Topic #: 1
During the post-implementation review of an application that was implemented six months ago, which of the following would be MOST helpful in determining whether the application meets business requirements?
A. Project closure report and lessons-learned documents from the project management office (PMO)
B. User acceptance testing (UAT) results and sign-off from users on meeting business requirements
C. Difference between approved budget and actual project expenditures determined post implementation
D. Comparison between expected benefits from the business case and actual benefits after implementation
Selected Answer: B
Question #: 285
Topic #: 1
As part of business continuity planning, which of the following is MOST important to assess when conducting a business impact analysis (BIA)?
A. Risk appetite
B. Completeness of critical asset inventory
C. Critical applications in the cloud
D. Recovery scenarios
Selected Answer: B
Question #: 284
Topic #: 1
Of the following, who are the MOST appropriate staff for ensuring the alignment of user authorization tables with approved authorization forms?
A. Security administrators
B. System owners
C. Database administrators (DBAs)
D. IT managers
Selected Answer: B
Question #: 283
Topic #: 1
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
A. perform a user access review for the development team.
B. hire another person to perform migration to production.
C. implement continuous monitoring controls.
D. remove production access from the developers.
Selected Answer: C
Question #: 281
Topic #: 1
Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
A. Corrective control
B. Preventive control
C. Detective control
D. Directive control
Selected Answer: D
Question #: 280
Topic #: 1
End users have been demanding the ability to use their own devices for work, but want to keep personal information out of corporate control. Which of the following would be MOST effective at reducing the risk of security incidents while satisfying end user requirements?
A. Encrypt corporate data on the devices.
B. Enable remote wipe capabilities for the devices.
C. Require complex passwords.
D. Implement an acceptable use policy.
Selected Answer: A
Question #: 275
Topic #: 1
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
A. Configure to auto-wipe after multiple failed access attempts.
B. Require employees to attend security awareness training.
C. Enable device auto-lock function.
D. Password protect critical data files.
Selected Answer: A
Question #: 271
Topic #: 1
During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that not all critical systems are covered. What should the auditor do NEXT?
A. Evaluate the impact of not covering the systems
B. Escalate the finding to senior management
C. Evaluate the prior year’s audit results regarding critical system coverage
D. Verify whether the systems are part of the business impact analysis (BIA)
Selected Answer: D
Question #: 270
Topic #: 1
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
A. development methodology employed.
B. controls incorporated into the system specifications.
C. future compatibility of the design.
D. proposed functionality of the application.
Selected Answer: B
Question #: 269
Topic #: 1
Following significant business model changes, which of the following is the MOST important consideration when updating the IT policy?
A. The policy is endorsed by IT leadership.
B. The policy is compliant with relevant laws and regulations.
C. The policy is integrated into job descriptions.
D. The policy is aligned with industry standards and best practice.
Selected Answer: B
Question #: 249
Topic #: 1
Which of the following MUST be completed as part of the annual audit planning process?
A. Fieldwork
B. Risk control matrix
C. Risk assessment
D. Business impact analysis (BIA)
Selected Answer: C
Question #: 254
Topic #: 1
Which cloud deployment model is MOST likely to be limited in scalability?
A. Hybrid
B. Private
C. Community
D. Public
Selected Answer: B
Question #: 257
Topic #: 1
An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The algorithm in the program is BEST characterized as which type of control?
A. Detective
B. Directive
C. Preventive
D. Corrective
Selected Answer: C
Question #: 256
Topic #: 1
A chief information officer (CIO) has asked an IS auditor to implement several security controls for an organization’s IT processes and systems. The auditor should:
A. refuse due to independence issues.
B. communicate the conflict of interest to audit management.
C. perform the assignment and future audits with the due professional care.
D. obtain approval from executive management for the implementation.
Selected Answer: B
Question #: 593
Topic #: 1
An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited. Which of the following should be of GREATEST concern to the auditor?
A. The risk assessment database does not include a complete audit universe.
B. The risk assessment methodology does not permit the collection of financial audit data.
C. The risk assessment methodology relies on subjective audit judgments at certain points of the process.
D. The risk assessment approach has not been approved by the risk manager.
Selected Answer: C
Question #: 248
Topic #: 1
An advantage of object-oriented system development is that it:
A. is easier to code than procedural languages.
B. partitions systems into a client/server architecture.
C. decreases the need for system documentation.
D. is suited to data with complex relationships.
Selected Answer: D
Question #: 246
Topic #: 1
While planning a review of IT governance, the IS auditor is MOST likely to:
A. obtain information about the framework of control adopted by management.
B. examine audit committee minutes for IS-related matters and their control.
C. assess whether business process owner responsibilities are consistent across the organization.
D. review compliance with policies and procedures issued by the board of directors.
Selected Answer: A
Question #: 233
Topic #: 1
Several unattended laptops containing sensitive customer data were stolen from personnel offices. Which of the following would be an IS auditor’s BEST recommendation to protect data in case of recurrence?
A. Enhance physical security.
B. Require the use of cable locks.
C. Require two-factor authentication.
D. Encrypt the disk drive.
Selected Answer: D
Question #: 228
Topic #: 1
The PRIMARY objective of value delivery in reference to IT governance is to:
A. increase efficiency.
B. optimize investments.
C. ensure compliance.
D. promote best practices.
Selected Answer: B
Question #: 224
Topic #: 1
When reviewing an organization’s IT governance processes, which of the following provides the BEST indication that information security expectations are being met at all levels?
A. Achievement of established security metrics
B. Approval of the security program by senior management
C. Utilization of an internationally recognized security standard
D. Implementation of a comprehensive security awareness program
Selected Answer: A
Question #: 220
Topic #: 1
A help desk has been contacted regarding a lost business mobile device. The FIRST course of action should be to:
A. consult the legal team regarding the impact of intellectual property loss.
B. verify the user’s identity through a challenge response system.
C. involve the security response team to launch an investigation.
D. attempt to locate the device remotely.
Selected Answer: B
Question #: 218
Topic #: 1
An organization has adopted a backup and recovery strategy that involves copying on-premises virtual machine (VM) images to a cloud service provider. Which of the following provides the BEST assurance that VMs can be recovered in the event of a disaster?
A. Existence of a disaster recovery plan (DRP) with specified roles for emergencies
B. Periodic on-site restoration of VM images obtained from the cloud provider
C. Procurement of adequate storage for the VM images from the cloud service provider
D. Inclusion of the right to audit in the cloud service provider contract
Selected Answer: B
Question #: 216
Topic #: 1
An organization sends daily backup media by courier to an offsite location. Which of the following provides the BEST evidence that the media is transported reliably?
A. Documented backup media transport procedures
B. Signed acknowledgments by offsite manager
C. Certification of the courier company
D. Delivery schedule of the backup media
Selected Answer: B
Question #: 215
Topic #: 1
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
A. Updating the continuity plan for critical resources
B. Updating the security policy
C. Verifying that access privileges have been reviewed
D. Investigating access rights for expiration dates
Selected Answer: C
Question #: 210
Topic #: 1
When reviewing an organization’s information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:
A. an information security framework.
B. past information security incidents.
C. a risk management process.
D. industry best practices.
Selected Answer: A
Question #: 204
Topic #: 1
Following a merger, a review of an international organization determines the IT steering committee’s decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor’s BEST recommendation?
A. Create regional centers of excellence.
B. Engage an IT governance consultant.
C. Update the IT steering committee’s formal charter.
D. Create regional IT steering committees.
Selected Answer: C
Question #: 201
Topic #: 1
During a project meeting for the implementation of an enterprise resource planning (ERP) system, a new requirement is requested by the finance department. Which of the following would BEST indicate to an IS auditor that the resulting risk to the project has been assessed?
A. The project status as reported in the meeting minutes
B. The analysis of the cost and time impact of the requirement
C. The updated business requirements
D. The approval of the change by the finance department
Selected Answer: B
Question #: 200
Topic #: 1
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
A. the information owner is required to approve access to the asset.
B. senior IT managers are identified as information owners.
C. the security criteria are clearly documented for each classification.
D. each information asset is assigned to a different classification.
Selected Answer: C
Question #: 188
Topic #: 1
A characteristic of a digital signature is that it:
A. is under control of the receiver.
B. is unique to the message.
C. has a reproducible hashing algorithm.
D. is validated when data are changed.
Selected Answer: B
Question #: 184
Topic #: 1
During an audit of a financial application, it was determined that many terminated users’ accounts were not disabled. Which of the following should be the IS auditor’s NEXT step?
A. Perform a review of terminated users’ account activity.
B. Conclude that IT general controls are ineffective.
C. Communicate risks to the application owner.
D. Perform substantive testing of terminated users’ access rights.
Selected Answer: C
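Added example for the question above (not from the page): the reconciliation an IS auditor would run when following up on this kind of finding, which also produces the evidence behind options A and D. It joins an HR termination list to the application's account export and its login log, then flags accounts still enabled, accounts disabled late, and any login after the termination date. All three data sets are constructed sample data, and the one-day grace period is an assumption.

```python
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data standing in for an HR extract, an application
# account export and a login log. Not taken from the page.
TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": date(2024, 3, 15),
    "bwong": date(2024, 4, 2),
}
ACCOUNTS = {
    "jdoe": {"enabled": True, "disabled_on": None},
    "asmith": {"enabled": False, "disabled_on": date(2024, 3, 16)},
    "bwong": {"enabled": False, "disabled_on": date(2024, 4, 10)},
    "clee": {"enabled": True, "disabled_on": None},  # active employee, no finding expected
}
LOGINS = [
    ("jdoe", datetime(2024, 2, 28, 16, 40)),
    ("jdoe", datetime(2024, 3, 4, 9, 12)),   # after termination
    ("asmith", datetime(2024, 3, 15, 17, 0)),  # on the last day, not after
    ("bwong", datetime(2024, 4, 8, 8, 30)),   # after termination, before disable
]
AS_OF = date(2024, 5, 1)


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def review_terminated_accounts(terminations, accounts, logins, as_of, grace_days=1):
    """Flag enabled, late-disabled and post-termination-active accounts."""
    findings = []
    for user, term_date in sorted(terminations.items()):
        acct = accounts.get(user)
        if acct is None:
            continue  # no account in this application; nothing to review
        if acct["enabled"]:
            findings.append(Finding(
                user, "ACCOUNT_ENABLED",
                f"still enabled {(as_of - term_date).days} days after termination on {term_date}"))
        elif acct["disabled_on"] is not None:
            lag = (acct["disabled_on"] - term_date).days
            if lag > grace_days:  # grace period is an assumption
                findings.append(Finding(
                    user, "LATE_DISABLE",
                    f"disabled on {acct['disabled_on']}, {lag} days after termination"))
        # Activity after termination is the evidence that turns a control gap
        # into a possible unauthorized-access event.
        post = sorted(ts for u, ts in logins if u == user and ts.date() > term_date)
        if post:
            findings.append(Finding(
                user, "POST_TERMINATION_ACTIVITY",
                f"{len(post)} login(s) after termination, last at {post[-1]:%Y-%m-%d %H:%M}"))
    return findings


def issues_for(findings, user):
    """Set of issue codes raised for one user (convenience for reporting)."""
    return {f.issue for f in findings if f.user == user}


if __name__ == "__main__":
    for f in review_terminated_accounts(TERMINATIONS, ACCOUNTS, LOGINS, AS_OF):
        print(f"{f.user:8} {f.issue:26} {f.detail}")
```

The output is what gets communicated to the application owner: not only "accounts were not disabled", but which ones were used afterwards, which changes the severity of the finding.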
Question #: 156
Topic #: 1
To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system.
Which type of control is in place?
A. Directive
B. Detective
C. Preventive
D. Corrective
Selected Answer: B
Question #: 1450
Topic #: 1
Which of the following is MOST important for an IS auditor to review when an audit identifies that the business continuity plan (BCP) does not address scenarios involving extended system outages?
A. Risk rating of business non-continuity
B. Disaster recovery plan (DRP)
C. Historical incidents resulting in extended system outages
D. Enterprise risk assessment
Selected Answer: B
Question #: 150
Topic #: 1
Which type of testing is MOST important to perform during a project audit to help ensure business objectives are met?
A. Regression testing
B. Pilot testing
C. Functional testing
D. System testing
Selected Answer: C
Question #: 143
Topic #: 1
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to “never expire.” Which of the following recommendations would BEST address the risk with minimal disruption to the business?
A. Schedule downtime to implement password changes.
B. Introduce database access monitoring into the environment.
C. Modify the access management policy to make allowances for application accounts.
D. Modify applications to no longer require direct access to the database.
Selected Answer: C
Question #: 140
Topic #: 1
An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?
A. Directive
B. Detective
C. Preventive
D. Compensating
Selected Answer: C
Question #: 128
Topic #: 1
Which of the following is MOST important to include in a contract with a software development service provider?
A. A list of key performance indicators (KPIs)
B. Service level agreement (SLA)
C. Ownership of intellectual property
D. Explicit contract termination requirements
Selected Answer: C
Question #: 120
Topic #: 1
Which of the following is MOST important to ensure when reviewing a global organization’s controls to protect data held on its IT infrastructure across all of its locations?
A. The capacity of underlying communications infrastructure in the host locations is sufficient.
B. The threat of natural disasters in each location hosting infrastructure has been accounted for.
C. Relevant data protection legislation and regulations for each location are adhered to.
D. Technical capabilities exist in each location to manage the data and recovery operations.
Selected Answer: C
Question #: 107
Topic #: 1
Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
A. Determine which databases will be in scope.
B. Identify the most critical database controls.
C. Evaluate the types of databases being used.
D. Perform a business impact analysis (BIA).
Selected Answer: C
Question #: 102
Topic #: 1
During a review of an organization’s network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution.
Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?
A. Further review closed unactioned alerts to identify mishandling of threats.
B. Reopen unactioned alerts and report to the audit committee.
C. Recommend that management enhance the policy and improve threat awareness training.
D. Omit the finding from the report as this practice is in compliance with the current policy.
Selected Answer: A
Question #: 1425
Topic #: 1
Which of the following is the GREATEST advantage of outsourcing the development of an e-banking solution when in-house technical expertise is not available?
A. Increased ability to adapt the system
B. Reduced risk of system downtime
C. Direct oversight of risks
D. Lower start-up costs
Selected Answer: A
Question #: 252
Topic #: 1
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor’s BEST recommendation?
A. Ensure corrected program code is compiled in a dedicated server.
B. Ensure change management reports are independently reviewed.
C. Ensure programmers cannot access code after the completion of program edits.
D. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
Selected Answer: B
Question #: 65
Topic #: 1
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
A. Assurance that the new system meets functional requirements
B. Significant cost savings over other system implementation approaches
C. More time for users to complete training for the new system
D. Assurance that the new system meets performance requirements
Selected Answer: D
Question #: 53
Topic #: 1
Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?
A. IT strategies are communicated to all business stakeholders.
B. Organizational strategies are communicated to the chief information officer (CIO).
C. The chief information officer (CIO) is involved in approving the organizational strategies.
D. Business stakeholders are involved in approving the IT strategy.
Selected Answer: D
Question #: 24
Topic #: 1
Which of the following BEST indicates that an incident management process is effective?
A. Decreased number of calls to the help desk
B. Increased number of incidents reviewed by IT management
C. Decreased time for incident resolution
D. Increased number of reported critical incidents
Selected Answer: C
Question #: 22
Topic #: 1
When evaluating whether the expected benefits of a project have been achieved, it is MOST important for an IS auditor to review:
A. the project schedule.
B. quality assurance (QA) results.
C. post-implementation issues.
D. the business case.
Selected Answer: D
Question #: 59
Topic #: 1
Which of the following findings from an IT governance review should be of GREATEST concern?
A. IT value analysis has not been completed.
B. All IT services are provided by third parties.
C. IT supports two different operating systems.
D. The IT budget is not monitored.
Selected Answer: D
Question #: 19
Topic #: 1
Management receives information indicating a high level of risk associated with potential flooding near the organization’s data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A. Risk reduction
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
Selected Answer: D
Question #: 18
Topic #: 1
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
A. reflect current practices.
B. be subject to adequate quality assurance (QA).
C. include new systems and corresponding process changes.
D. incorporate changes to relevant laws.
Selected Answer: A
Question #: 8
Topic #: 1
An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
Selected Answer: D
Question #: 387
Topic #: 1
Which of the following security assessment techniques attempts to exploit a system’s open ports?
A. Vulnerability scanning
B. Penetration testing
C. Network scanning
D. Password cracking
Selected Answer: B
Question #: 44
Topic #: 1
In an online application, which of the following would provide the MOST information about the transaction audit trail?
A. File layouts
B. Data architecture
C. System/process flowchart
D. Source code documentation
Selected Answer: D
Question #: 306
Topic #: 1
An organization’s enterprise architecture (EA) department decides to change a legacy system’s components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
A. The current business capabilities delivered by the legacy system
B. The database entity relationships within the legacy system
C. The proposed network topology to be used by the redesigned system
D. The data flows between the components to be used by the redesigned system
Selected Answer: D
Question #: 279
Topic #: 1
In an IT organization where many responsibilities are shared, which of the following is the BEST control for detecting unauthorized data changes?
A. Users are required to periodically rotate responsibilities.
B. Segregation of duties conflicts are periodically reviewed.
C. Data changes are logged in an outside application.
D. Data changes are independently reviewed by another group.
Selected Answer: D
Question #: 282
Topic #: 1
What is the BEST way for an IS auditor to assess the adequacy of an expert consultant who was selected to be involved in an audit engagement?
A. Obtain an understanding of the expert’s relevant experience.
B. Verify that the engagement letter outlines the expert’s responsibilities.
C. Review the independence and objectivity of the expert.
D. Review the industry reputation of the expert consultant’s firm.
Selected Answer: C
Question #: 1510
Topic #: 1
Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
A. Business management has completed the implementation of agreed actions on schedule.
B. Progress updates indicate that the implementation of agreed actions is on track.
C. Sufficient time has elapsed since implementation to provide evidence of control operation.
D. Regulators have announced a timeline for an inspection visit.
Selected Answer: B
Question #: 1507
Topic #: 1
A new regulation has been enacted that mandates specific information security practices for the protection of customer data. Which of the following is MOST useful for an IS auditor to review when auditing against the regulation?
A. Compliance gap analysis
B. Customer data protection roles and responsibilities
C. Customer data flow diagram
D. Benchmarking studies of adaptation to the new regulation
Selected Answer: A
Question #: 1504
Topic #: 1
When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?
A. Increase in the frequency of software upgrades
B. Significantly higher turnover
C. Aging staff
D. Lack of customer satisfaction surveys
Selected Answer: B
Question #: 1503
Topic #: 1
Which of the following BEST enables a benefits realization process for a system development project?
A. Metrics are evaluated immediately after the project has been implemented.
B. Metrics for the project have been selected before the project begins.
C. Project budget includes costs to execute the project and costs associated with the solution.
D. Estimates of business benefits are backed by similar previously completed projects.
Selected Answer: D
Question #: 1497
Topic #: 1
Which of the following indicates an effective change control environment?
A. There is version control for the program documentation.
B. User management formally approves change requests.
C. Release management is automated.
D. The quality assurance (QA) group reports to the application development manager.
Selected Answer: B
Question #: 1495
Topic #: 1
What is the FIRST step when creating a data classification program?
A. Develop a policy.
B. Develop data process maps.
C. Categorize and prioritize data.
D. Categorize information by owner.
Selected Answer: A
Question #: 1491
Topic #: 1
Which of the following is MOST important for an IS auditor to confirm during the implementation phase of a new system?
A. Accuracy of error reports in recognizing erroneous data
B. Whether system objectives and requirements were documented
C. Whether appropriate internal controls are in place
D. System parameters for scheduling and running the system
Selected Answer: C
Question #: 1484
Topic #: 1
Which of the following sampling methodologies is PRIMARILY used to detect significant deficiencies?
A. Discovery sampling
B. Compliance testing
C. Attribute sampling
D. Substantive testing
Selected Answer: A
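Added example for the question above (not from the page): the arithmetic behind discovery sampling, which is designed to find at least one instance of a rare but critical deviation rather than to estimate a rate. The sample size is the smallest n for which the chance of drawing at least one deviation reaches the required confidence; the large-population formula is n = ceil(ln(1 - C) / ln(1 - p)), and the exact without-replacement version uses the hypergeometric distribution. The 1% expected rate, 95% confidence and 1,000-item population are assumed values.

```python
import math

# Added illustration of discovery sampling sizes. Input values are assumptions.


def discovery_sample_size(expected_rate: float, confidence: float) -> int:
    """Smallest n with P(at least one deviation in n) >= confidence.

    Large-population approximation: P(none) = (1 - p) ** n.
    """
    if not 0 < expected_rate < 1 or not 0 < confidence < 1:
        raise ValueError("expected_rate and confidence must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - expected_rate))


def detection_probability(expected_rate: float, n: int) -> float:
    """Probability that a sample of n items contains at least one deviation."""
    return 1 - (1 - expected_rate) ** n


def detection_probability_finite(population: int, deviations: int, n: int) -> float:
    """Exact version for sampling without replacement from a finite population."""
    if deviations <= 0:
        return 0.0
    if n > population - deviations:
        return 1.0  # more items than clean ones: a deviation must be drawn
    return 1 - math.comb(population - deviations, n) / math.comb(population, n)


def discovery_sample_size_finite(population: int, deviations: int, confidence: float) -> int:
    """Smallest n reaching the confidence level for a finite population."""
    for n in range(1, population + 1):
        if detection_probability_finite(population, deviations, n) >= confidence:
            return n
    return population


if __name__ == "__main__":
    n_large = discovery_sample_size(0.01, 0.95)
    n_finite = discovery_sample_size_finite(1000, 10, 0.95)
    print(f"1% rate, 95% confidence, large population: n = {n_large}")
    print(f"same rate in a population of 1,000 (10 deviations): n = {n_finite}")
```

The finite-population size is smaller because every clean item drawn raises the odds that the next one is a deviation; the approximation is the conservative choice when the population size is uncertain.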
Question #: 344
Topic #: 1
Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
A. Industry standards
B. Information security policy
C. Incident response plan
D. Industry regulations
Selected Answer: C
Question #: 316
Topic #: 1
An employee transfers from an organization’s risk management department to become the lead IS auditor. While in the risk management department, the employee helped develop the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?
A. Evaluating the effectiveness of IT risk management processes
B. Recommending controls to address the IT risks identified by KPIs
C. Developing KPIs to measure the internal audit team
D. Training the IT audit team on IT risk management processes
Selected Answer: C
Question #: 1481
Topic #: 1
Which of the following software versions would an IS auditor MOST likely find in the production environment during a post-deployment review?
A. The version used in the test environment
B. The version used in the staging environment
C. The version used in the development environment
D. The version used in the integration environment
Selected Answer: B
Question #: 1476
Topic #: 1
Which of the following is the BEST way for an IS auditor to verify whether help desk tickets are being managed by IT support in accordance with business expectations?
A. Compare the response and resolution times against the service level agreement (SLA).
B. Review end user satisfaction survey results.
C. Review IT management metrics reported quarterly to the board.
D. Compare the resolved date and the due date recorded on the help desk tickets.
Selected Answer: A
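Added example for the question above (not from the page): the test behind option A, measuring each ticket's first-response and resolution times against the SLA targets for its priority rather than against the due date the help desk tool itself recorded (option D, which is set by the same team being audited). Open tickets are measured up to the review date, so an unanswered ticket past its response target is a breach while an open ticket still inside its resolution target is not. The SLA table, the tickets and the review date are constructed; the example counts wall-clock time and ignores business hours, which a real SLA would define.

```python
from datetime import datetime, timedelta

# Constructed SLA table: priority -> (first-response target in minutes,
# resolution target in hours). Values are assumptions for the example.
SLA = {"P1": (15, 4), "P2": (60, 24), "P3": (240, 72)}

# Constructed ticket export. None means the event has not happened yet.
TICKETS = [
    {"id": "INC-1001", "priority": "P1", "opened": datetime(2024, 6, 3, 9, 0),
     "first_response": datetime(2024, 6, 3, 9, 10), "resolved": datetime(2024, 6, 3, 11, 30)},
    {"id": "INC-1002", "priority": "P1", "opened": datetime(2024, 6, 3, 10, 0),
     "first_response": datetime(2024, 6, 3, 10, 30), "resolved": datetime(2024, 6, 3, 13, 0)},
    {"id": "INC-1003", "priority": "P2", "opened": datetime(2024, 6, 3, 8, 0),
     "first_response": datetime(2024, 6, 3, 8, 45), "resolved": datetime(2024, 6, 4, 9, 0)},
    {"id": "INC-1004", "priority": "P3", "opened": datetime(2024, 6, 3, 9, 0),
     "first_response": None, "resolved": None},
    {"id": "INC-1005", "priority": "P2", "opened": datetime(2024, 6, 3, 14, 0),
     "first_response": datetime(2024, 6, 3, 14, 20), "resolved": datetime(2024, 6, 3, 16, 0)},
]
AS_OF = datetime(2024, 6, 5, 9, 0)  # date of the audit test


def _elapsed(start: datetime, end, as_of: datetime) -> timedelta:
    """Time from opening to the event, or to the review date if it has not happened."""
    return (end or as_of) - start


def evaluate_tickets(tickets, sla, as_of):
    """Per-ticket SLA result; wall-clock time, business hours not modelled."""
    results = []
    for t in tickets:
        response_target_min, resolution_target_h = sla[t["priority"]]
        response_time = _elapsed(t["opened"], t["first_response"], as_of)
        resolution_time = _elapsed(t["opened"], t["resolved"], as_of)
        results.append({
            "id": t["id"],
            "priority": t["priority"],
            "response_breached": response_time > timedelta(minutes=response_target_min),
            "resolution_breached": resolution_time > timedelta(hours=resolution_target_h),
            "still_open": t["resolved"] is None,
        })
    return results


def compliance_summary(results):
    """Percentage of tickets per priority meeting both targets."""
    counts = {}
    for r in results:
        total, ok = counts.get(r["priority"], (0, 0))
        compliant = not (r["response_breached"] or r["resolution_breached"])
        counts[r["priority"]] = (total + 1, ok + int(compliant))
    return {p: round(100 * ok / total, 1) for p, (total, ok) in sorted(counts.items())}


if __name__ == "__main__":
    results = evaluate_tickets(TICKETS, SLA, AS_OF)
    for r in results:
        print(r)
    print(compliance_summary(results))
```

Reading the SLA from the contract or service catalogue, not from the ticketing tool's configuration, is what makes this an independent test of business expectations.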
Question #: 1473
Topic #: 1
Which of the following documents is MOST likely to include an audit’s quality assurance (QA) process?
A. Audit charter
B. Post-audit review
C. Audit scope
D. Audit report
Selected Answer: A
Question #: 1468
Topic #: 1
Which of the following is the GREATEST benefit of an effective data classification process?
A. Data retention periods are well defined.
B. Data is protected according to its sensitivity.
C. Data custodians are identified.
D. Appropriate ownership over data is assigned.
Selected Answer: B
Question #: 1467
Topic #: 1
Which of the following is MOST important for an IS auditor to verify during an audit closing meeting?
A. The findings and agreed-upon resolutions are communicated to executive management.
B. The agreed-upon resolutions are cost-effective and do not disrupt the business.
C. The organization has the applicable resources to implement the agreed-upon resolutions.
D. The agreed-upon resolutions and the time allotted to address the findings are correct.
Selected Answer: A
Question #: 1465
Topic #: 1
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization’s incident response management program?
A. All identified incidents are escalated to the CEO and the CISO.
B. The alerting tools and incident response team can detect incidents.
C. Incident response is within defined service level agreements (SLAs).
D. All incidents have a severity level assigned.
Selected Answer: B
Question #: 1464
Topic #: 1
An IS auditor has identified deficiencies within the organization’s software development life cycle policies. Which of the following should be done NEXT?
A. Escalate the situation to the lead auditor.
B. Identify who approved the policies.
C. Document the findings in the audit report.
D. Communicate the observation to the auditee.
Selected Answer: D
Question #: 1459
Topic #: 1
During an IT governance review, an IS auditor finds that all IT expenditures are included as a single line item in the enterprise-wide budget. Which of the following documentation would provide the BEST evidence for evaluating how IT expenditures support business objectives?
A. Profit and loss statements
B. IT steering committee approval
C. Business impact analysis (BIA)
D. IT purchase orders
Selected Answer: B
Question #: 1454
Topic #: 1
An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?
A. Reduced system performance
B. Inability to recover from cybersecurity attacks
C. Version control issues
D. Increase in IT investment cost
Selected Answer: B