CISA Topic 3
Question #: 1447
Topic #: 1
Which of the following should be done FIRST to protect evidence on a computer suspected to be involved in online fraud?
A. Unplug the computer from its power source.
B. Eject removable media.
C. Use the computer to trace the source of the crime.
D. Make a copy of the affected system.
Selected Answer: D
Question #: 1445
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing a report of an unsuccessful disaster recovery test?
A. A root cause analysis was not performed.
B. The report was not discussed with the IT steering committee.
C. The disaster recovery procedures are not up to date.
D. The disaster recovery test was conducted during non-peak hours.
Selected Answer: A
Question #: 1443
Topic #: 1
Which of the following should be an IS auditor’s PRIMARY consideration when determining which issues to include in an audit report?
A. Inherent risk
B. Materiality
C. Professional skepticism
D. Management’s agreement
Selected Answer: B
Question #: 1438
Topic #: 1
Which of the following should an IS auditor regard as the PRIMARY role of IT governance when considering an outsourcing arrangement for IT services?
A. Ensuring the risk associated with outsourcing has been mitigated
B. Ensuring stakeholder input in the outsourcing decision process
C. Ensuring vendor due diligence during the vendor selection process
D. Ensuring the outsourcing contract includes a right-to-audit clause
Selected Answer: A
Question #: 1434
Topic #: 1
When evaluating evidence as part of an IS audit, which of the following sources should be considered MOST reliable?
A. Evidence demonstrated in front of the auditor
B. Evidence provided directly from the auditee
C. Evidence curated by senior management
D. Evidence provided by a third party
Selected Answer: A
Question #: 1431
Topic #: 1
When assessing the quality of personnel data, an IS auditor finds that the data values reconcile to values outside of the database and logical access is appropriately restricted. Which of the following should also be reviewed to provide a comprehensive assessment of the data quality?
A. Whether the data can be used in the correct context
B. Whether the data is classified appropriately
C. Whether procedures for using the database are followed
D. Whether users are appropriately trained
Selected Answer: A
Question #: 1423
Topic #: 1
Which of the following is the BEST recommendation to mitigate the risk associated with remote access through the hypervisor interface?
A. Presentation-layer and application-layer controls
B. Enterprise security policies and controls
C. Secure configuration of guest systems
D. Network-layer and transport-layer controls
Selected Answer: D
Question #: 55
Topic #: 1
Which of the following is the MOST important responsibility of user departments associated with program changes?
A. Analyzing change requests
B. Providing unit test data
C. Updating documentation to reflect latest changes
D. Approving changes before implementation
Selected Answer: D
Question #: 41
Topic #: 1
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
A. Verify the data loss prevention (DLP) tool is properly configured by the organization.
B. Review compliance with data loss and applicable mobile device user acceptance policies.
C. Verify employees have received appropriate mobile device security awareness training.
D. Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.
Selected Answer: B
Question #: 1339
Topic #: 1
Which of the following is the BEST way for senior audit leadership to be engaged during the planning phase of an audit in order to improve audit quality?
A. Meet with auditee leadership.
B. Prepare audit planning documents.
C. Review the proposed audit scope.
D. Attend planning walk-throughs.
Selected Answer: D
Question #: 1415
Topic #: 1
Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?
A. Conduct code review for both systems and inspect design documentation.
B. Inspect interface configurations and an example output of the systems.
C. Confirm that the encryption standard applied to the interface is in line with best practice.
D. Perform data reconciliation between the two systems for a sample of 25 days.
Selected Answer: D
Question #: 1410
Topic #: 1
During an IS audit, it is discovered that data classification rules are often ignored by programmers developing in-house software. Which of the following recommendations would BEST mitigate the risk in this situation?
A. Revise the organization’s data classification policy.
B. Require application owners to classify data used by programmers.
C. Ensure code reviews include data classification checks.
D. Prevent programmers from accessing sensitive data during development.
Selected Answer: C
Question #: 1406
Topic #: 1
Which test approach provides the GREATEST assurance of the completeness of transactions transferred between systems?
A. Testing the reconciliations of the totals of transactions in the two systems
B. Testing a sample of transactions in the source system from a list of all transactions in the destination system
C. Testing the processes used to review processing exceptions
D. Testing a sample of transactions in the destination system from a list of all transactions in the source system
Selected Answer: D
Question #: 1399
Topic #: 1
Which of the following would be of GREATEST concern to an IS auditor assessing the organizational risk associated with fraud?
A. Unauthorized changes to the production environment have been detected.
B. Periodic user access reviews to financial systems are inconsistent.
C. A major financial application is developed and maintained by the application team.
D. The organization does not require employees to take mandatory leave.
Selected Answer: B
Question #: 1398
Topic #: 1
An IS auditor learns that an organization’s business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor’s BEST course of action?
A. Assess the risk to operations from the closing of the plant.
B. Determine whether the business impact analysis (BIA) is current with the organization’s structure and context.
C. Perform testing to determine the impact to the recovery time objective (RTO).
D. Determine the types of technologies used at the plant and how they may affect the BCP.
Selected Answer: B
Question #: 1396
Topic #: 1
Which of the following BEST indicates that the effectiveness of an organization’s security awareness program has improved?
A. An increase in the number of staff who complete awareness training
B. A decrease in the number of malware outbreaks
C. An increase in the number of phishing emails reported by employees
D. A decrease in the number of information security audit findings
Selected Answer: C
Question #: 1386
Topic #: 1
An IS auditor is planning an audit of an organization’s risk management practices. Which of the following would provide the MOST useful information about risk appetite?
A. Prior audit reports
B. Risk policies
C. Management assertion
D. Risk assessments
Selected Answer: B
Question #: 1382
Topic #: 1
Which of the following is an objective of IT project portfolio management?
A. Selection of sound, strategically aligned investment opportunities
B. Successful implementation of projects
C. Validation of business case benefits
D. Establishment of tracking mechanisms
Selected Answer: A
Question #: 1362
Topic #: 1
Which of the following is the MOST appropriate control to have in place after data migration?
A. Review of representative samples of migrated data
B. Clearly defined and documented data migration roles
C. Formal sign-off by senior management after completion
D. Mapping of transactions from source to receiving system
Selected Answer: A
Question #: 1355
Topic #: 1
An IS auditor is asked to review an organization’s technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate for this review?
A. Application architecture
B. Infrastructure architecture
C. Reference architecture
D. Information security architecture
Selected Answer: C
Question #: 1345
Topic #: 1
During a security access review, an IS auditor identifies a segregation of duties issue involving financial reporting for which there are no mitigating controls. Which of the following stakeholders should be notified of this finding FIRST?
A. The audit committee
B. External auditors
C. Operational management
D. The board of directors
Selected Answer: A
Question #: 1343
Topic #: 1
Which of the following provides the BEST overview of an organization’s audit universe when developing a long-term audit plan?
A. IT strategy
B. Risk register
C. Logical data architecture
D. Enterprise architecture (EA)
Selected Answer: D
Question #: 1334
Topic #: 1
When evaluating an information security risk assessment, what is MOST important to review to gain an understanding of how risk is reduced?
A. Inherent risk
B. Residual risk
C. Mitigation efforts
D. Control effectiveness
Selected Answer: C
Question #: 1333
Topic #: 1
Which of the following is the BEST way to ensure an organization’s data classification policies are preserved during the process of data transformation?
A. Conduct a data discovery exercise across all business applications.
B. Control access to extract, transform, and load (ETL) tools.
C. Implement classification labels in metadata during data creation.
D. Map data classification controls to data sets.
Selected Answer: C
Question #: 947
Topic #: 1
When using data analytics to perform an audit, the IS auditor should FIRST:
A. identify testing models.
B. define data needs.
C. identify data sources.
D. prepare the data.
Selected Answer: C
Question #: 933
Topic #: 1
Which of the following is the GREATEST advantage of utilizing guest operating systems in a virtual environment?
A. They can be logged into and monitored from any location.
B. They prevent access to the greater environment via Transmission Control Protocol/Internet Protocol (TCP/IP).
C. They can be wiped quickly in the event of a security breach.
D. They are easier to containerize with minimal impact to the rest of the environment.
Selected Answer: C
Question #: 931
Topic #: 1
Which of the following is MOST important to consider when establishing the retention period for customer data within a specific database or application?
A. Enterprise classification level
B. System performance
C. Hardware capacity
D. Minimum regulatory requirements
Selected Answer: D
Question #: 928
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s vulnerability scanning program?
A. Scans are performed less frequently than required by the organization’s vulnerability scanning schedule.
B. Steps taken to address identified vulnerabilities are not formally documented.
C. Results are not approved by senior management.
D. Results are not reported to individuals with authority to ensure resolution.
Selected Answer: D
Question #: 926
Topic #: 1
Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?
A. Better understanding of the business and processes
B. Ability to negotiate recommendations with management
C. Increased IS audit staff visibility and availability throughout the year
D. Increased independence and impartiality of recommendations
Selected Answer: A
Question #: 924
Topic #: 1
Which of the following is the MOST important element of quality control with respect to an audit engagement?
A. Increase of audit quality through multiple follow-up audits
B. Responsibility of leadership for quality in audits
C. Assignment of engagement teams for audits
D. Resolution procedures for differences of opinion in audits
Selected Answer: B
Question #: 923
Topic #: 1
Which of the following tests would BEST indicate that a software development project is ready to be deployed into the production environment?
A. Performance
B. Parallel
C. Unit
D. Quality assurance (QA)
Selected Answer: D
Question #: 921
Topic #: 1
Which of the following is a PRIMARY benefit of a maturity model?
A. It facilitates communication with regulatory bodies.
B. It benchmarks the organization to peer performance levels.
C. It facilitates the establishment of organizational capability.
D. It provides the organization with a standard assessment tool.
Selected Answer: C
Question #: 920
Topic #: 1
An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?
A. At least one year after the transition
B. As soon as the new operating model is in place
C. During the next scheduled review
D. As soon as the decision about the transition is announced
Selected Answer: B
Question #: 919
Topic #: 1
Which of the following approaches would BEST enable an e-commerce website to handle unpredictable amounts of traffic?
A. Index key databases to improve response time.
B. Re-factor applications to improve efficiency.
C. Cluster application servers to distribute web traffic.
D. Configure resources to scale.
Selected Answer: D
Question #: 918
Topic #: 1
During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?
A. Industry standard business definitions
B. Input from customers
C. Validation of rules by the business
D. Built-in data error prevention application controls
Selected Answer: A
Question #: 916
Topic #: 1
Which of the following is the BEST report for an IS auditor to reference when tasked with reviewing the security of code written for a newly developed website?
A. Black box testing report
B. Static software composition analysis
C. Penetration test report
D. Web application vulnerability report
Selected Answer: B
Question #: 912
Topic #: 1
During an information security audit of a mid-sized organization, an IS auditor notes that the organization’s information security policy is not sufficient. What is the auditor’s BEST recommendation for the organization?
A. Obtain an external consultant’s support to rewrite the policy.
B. Identify and close gaps compared to a best-practice framework.
C. Perform a benchmark with competitors’ policies.
D. Define roles and responsibilities for regularly updating the policy.
Selected Answer: B
Question #: 908
Topic #: 1
Which of the following is the MOST appropriate indicator of change management effectiveness?
A. Time lag between changes to the configuration and the update of records
B. Number of system software changes
C. Number of incidents resulting from changes
D. Time lag between changes and updates of documentation materials
Selected Answer: A
Question #: 905
Topic #: 1
Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
A. Electronic copies of customer sales receipts are maintained.
B. Monthly bank statements are reconciled without exception.
C. The data transferred over the POS interface is encrypted.
D. Nightly batch processing has been replaced with real-time processing.
Selected Answer: B
Question #: 1357
Topic #: 1
An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required, which of the following is the BEST action for the IS auditor to take?
A. Obtain approval from audit management to submit the report.
B. Obtain approval from auditee management to release the report.
C. Obtain approval from both audit and auditee management to release the report.
D. Submit the report to appropriate regulators immediately.
Selected Answer: A
Question #: 904
Topic #: 1
Which of the following is the PRIMARY responsibility of an IT steering committee?
A. Prioritizing IT projects in accordance with business requirements
B. Validating and monitoring the skill sets of IT department staff
C. Establishing IT budgets for the business
D. Reviewing periodic IT risk assessments
Selected Answer: A
Question #: 903
Topic #: 1
Which of the following should be an IS auditor’s GREATEST concern when assessing an IT service configuration database?
A. The database is not encrypted at rest.
B. The database is read-accessible for all users.
C. The database is executable for all users.
D. The database is write-accessible for all users.
Selected Answer: D
Question #: 902
Topic #: 1
Who would provide an IS auditor with the MOST helpful input during an interview to determine whether business requirements for an application were met?
A. User management
B. Project sponsors
C. Senior management
D. Project management
Selected Answer: A
Question #: 897
Topic #: 1
Which of the following poses the GREATEST risk to a virtualized environment?
A. Server cloning occurs without appropriate approval from IT management.
B. A network map has not been updated.
C. Backup testing does not occur at regular intervals.
D. Security zones within the environment are combined.
Selected Answer: D
Question #: 882
Topic #: 1
An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?
A. Quality assurance (QA)
B. Change management
C. Key performance indicator (KPI) monitoring
D. Configuration management
Selected Answer: A
Question #: 871
Topic #: 1
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
A. Consultation with security staff
B. Alignment with an information security framework
C. Inclusion of mission and objectives
D. Compliance with relevant regulations
Selected Answer: C
Question #: 843
Topic #: 1
In an annual audit cycle, the audit of an organization’s IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?
A. Limiting the review to the deficient areas
B. Following up on the status of all recommendations
C. Verifying that all recommendations have been implemented
D. Postponing the review until all of the findings have been rectified
Selected Answer: C
Question #: 813
Topic #: 1
Which of the following provides the BEST assurance that a new process for purging transactions does not have a detrimental impact on the integrity of the database?
A. Reviewing the entity relationship diagram of the database
B. Reviewing results of the process in a test environment
C. Assessing the design of triggers
D. Analyzing the database structure
Selected Answer: B
Question #: 808
Topic #: 1
For the implementation of a program change in a production environment, the MOST important approval required is from:
A. the security administrator.
B. the project manager.
C. user management.
D. IS management.
Selected Answer: D
Question #: 1349
Topic #: 1
Which of the following BEST facilitates strategic program management?
A. Aligning projects with business portfolios
B. Implementing stage gates
C. Establishing a quality assurance (QA) process
D. Tracking key project milestones
Selected Answer: A
Question #: 795
Topic #: 1
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system’s edit routine?
A. Review of program documentation
B. Review of source code
C. Use of test transactions
D. Interviews with knowledgeable users
Selected Answer: C
Question #: 1225
Topic #: 1
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
A. Completeness testing has not been performed on the log data.
B. Log feeds are uploaded via batch process.
C. The log data is not normalized.
D. Data encryption standards have not been considered.
Selected Answer: A
Question #: 784
Topic #: 1
Which of the following occurs during the issues management process for a system development project?
A. Configuration management
B. Help desk management
C. Contingency planning
D. Impact assessment
Selected Answer: D
Question #: 780
Topic #: 1
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
A. An operational level agreement (OLA) was not negotiated.
B. Software escrow was not negotiated.
C. The contract does not contain a right-to-audit clause.
D. Several vendor deliverables missed the commitment date.
Selected Answer: C
Question #: 776
Topic #: 1
Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?
A. Provide ongoing information security awareness training.
B. Establish behavioral analytics monitoring.
C. Review perimeter firewall logs.
D. Implement data loss prevention (DLP) software.
Selected Answer: B
Question #: 774
Topic #: 1
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
A. Ensure compliance with the data classification policy.
B. Reduce the risk of data leakage that could lead to an attack.
C. Comply with business continuity best practice.
D. Protect the plan from unauthorized alteration.
Selected Answer: D
Question #: 773
Topic #: 1
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
A. Emergency change records
B. Penetration test results
C. IT security incidents
D. Server room access history
Selected Answer: B
Question #: 772
Topic #: 1
An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report. Which of the following is the IS auditor’s BEST course of action when preparing the final report?
A. Come to an agreement prior to issuing the final report.
B. Ensure the auditee’s comments are included in the working papers.
C. Exclude the disputed recommendation from the final engagement report.
D. Include the position supported by senior management in the final engagement report.
Selected Answer: A
Question #: 770
Topic #: 1
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor’s BEST course of action?
A. Determine exposure to the business.
B. Increase monitoring for security incidents.
C. Hire a third party to perform security testing.
D. Adjust future testing activities accordingly.
Selected Answer: A
Question #: 769
Topic #: 1
Which of the following would BEST help to support an auditor’s conclusion about the effectiveness of an implemented data classification program?
A. Access rights provisioned according to scheme
B. Detailed data classification scheme
C. Purchase of information management tools
D. Business use cases and scenarios
Selected Answer: D
Question #: 765
Topic #: 1
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
A. Processes for on-boarding and off-boarding users to the platform
B. Processes for reviewing administrator activity
C. Types of data that can be uploaded to the platform
D. Role-based access control policies
Selected Answer: A
Question #: 762
Topic #: 1
Which of the following is the BEST evidence that an organization’s IT strategy is aligned to its business objectives?
A. The IT strategy has significant impact on the business strategy.
B. The IT strategy is modified in response to organizational changes.
C. The IT strategy is based on IT operational best practices.
D. The IT strategy is approved by executive management.
Selected Answer: A
Question #: 753
Topic #: 1
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
A. An assessment indicating the benefits will exceed the investment
B. An assessment indicating security controls will operate effectively
C. An assessment of whether the expected benefits can be achieved
D. An assessment of whether requirements will be fully met
Selected Answer: C
Question #: 751
Topic #: 1
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor’s BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
A. the organization’s web server.
B. the demilitarized zone (DMZ).
C. the Internet.
D. the organization’s network.
Selected Answer: B
Question #: 748
Topic #: 1
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
A. Inability to utilize the site when required
B. Inability to test the recovery plans onsite
C. Mismatched organizational security policies
D. Equipment compatibility issues at the site
Selected Answer: A
Question #: 741
Topic #: 1
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
A. Project manager
B. Information security officer
C. Project sponsor
D. Enterprise risk manager
Selected Answer: C
Question #: 733
Topic #: 1
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
A. Security incident policies are out of date.
B. Lessons learned have not been properly documented.
C. Vulnerabilities have not been properly addressed.
D. Abuses by employees have not been reported.
Selected Answer: C
Question #: 727
Topic #: 1
Which of the following should be of GREATEST concern for an IS auditor reviewing an organization’s disaster recovery plan (DRP)?
A. The DRP has not been updated since an IT infrastructure upgrade.
B. The DRP has not been distributed to end users.
C. The DRP has not been formally approved by senior management.
D. The DRP contains recovery procedures for critical servers only.
Selected Answer: A
Question #: 722
Topic #: 1
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
A. A management response in the final report with a committed implementation date
B. A heat map with the gaps and recommendations displayed in terms of risk
C. Supporting evidence for the gaps and recommendations mentioned in the audit report
D. Available resources for the activities included in the action plan
Selected Answer: A
Question #: 721
Topic #: 1
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
A. Have an independent party review the source calculations.
B. Verify EUC results through manual calculations.
C. Execute copies of EUC programs out of a secure library.
D. Implement complex password controls.
Selected Answer: A
Question #: 716
Topic #: 1
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
A. Data center environmental controls not aligning with new configuration
B. System documentation not being updated to reflect changes in the environment
C. Vulnerability in the virtualization platform affecting multiple hosts
D. Inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications
Selected Answer: C
Question #: 705
Topic #: 1
Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?
A. Irregularities and illegal acts
B. Noncompliance with organizational policies
C. Misalignment with business objectives
D. Process and resource inefficiencies
Selected Answer: A
Question #: 1312
Topic #: 1
Which of the following changes intended to improve and streamline an organization’s incident management process would be a potential concern to an IS auditor?
A. Implementing automatic reporting for all open incidents over three months old
B. Enabling the capability for the individual reporting the incident to assign priority to a ticket
C. Configuring automated messaging to service lines notifying them of the status of the ticket
D. Introducing self-service functions for selected low-complexity incident types
Selected Answer: A
Question #: 1310
Topic #: 1
An IS auditor noted a recent production incident in which a teller transaction system incorrectly charged fees to customers due to a defect from a recent release. Which of the following should be the auditor’s NEXT step?
A. Evaluate developer training.
B. Evaluate secure code practices.
C. Evaluate the incident management process.
D. Evaluate the change management process.
Selected Answer: C
Question #: 1300
Topic #: 1
Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?
A. Variable sampling
B. Stop-or-go sampling
C. Discovery sampling
D. Judgmental sampling
Selected Answer: C
Question #: 701
Topic #: 1
Which of the following is the MOST important activity in the data classification process?
A. Determining accountability of data owners
B. Labeling the data appropriately
C. Identifying risk associated with the data
D. Determining the adequacy of privacy controls
Selected Answer: A
Question #: 689
Topic #: 1
If enabled within firewall rules, which of the following services would present the GREATEST risk?
A. File transfer protocol (FTP)
B. Simple object access protocol (SOAP)
C. Hypertext transfer protocol (HTTP)
D. Simple mail transfer protocol (SMTP)
Selected Answer: A
Question #: 685
Topic #: 1
A proper audit trail of changes to server start-up procedures would include evidence of:
A. program execution.
B. operator overrides.
C. subsystem structure.
D. security control options.
Selected Answer: B
Question #: 1266
Topic #: 1
Which of the following is an example of inherent risk?
A. Quality assurance (QA) processes may not effectively reduce errors.
B. An approval process may not detect significant errors.
C. The organization may not comply with regulations.
D. Projects may still be delayed despite management controls.
Selected Answer: C
Question #: 679
Topic #: 1
Which of the following is a concern when an organization’s disaster recovery strategy utilizes a hot site?
A. Insufficient environmental controls
B. Significant distance from the primary data center
C. The lack of networking infrastructure
D. Conflicts due to reciprocal agreements with other organizations
Selected Answer: B
Question #: 677
Topic #: 1
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
A. Compliance with industry standards and best practice
B. Compliance with action plans resulting from recent audits
C. Compliance with local laws and regulations
D. Compliance with the organization’s policies and procedures
Selected Answer: C
Question #: 669
Topic #: 1
An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
A. Implementing risk responses on management’s behalf
B. Providing assurances to management regarding risk
C. Facilitating audit risk identification and evaluation workshops
D. Integrating the risk register for audit planning purposes
Selected Answer: D
Question #: 662
Topic #: 1
What is the BEST way to evaluate a control environment where the organization and a third party have shared responsibility?
A. Conduct a control self-assessment (CSA).
B. Review the service level agreement (SLA).
C. Perform an onsite evaluation.
D. Review complementary user entity controls.
Selected Answer: D
Question #: 661
Topic #: 1
Audit frameworks can assist the IS audit function by:
A. outlining the specific steps needed to complete audits.
B. defining the authority and responsibility of the IS audit function.
C. providing details on how to execute the audit program.
D. providing direction and information regarding the performance of audits.
Selected Answer: D
Question #: 654
Topic #: 1
Which of the following is the PRIMARY reason to follow a configuration management process to maintain applications?
A. To optimize system resources
B. To optimize asset management workflows
C. To ensure proper change control
D. To follow system hardening standards
Selected Answer: C
Question #: 631
Topic #: 1
An IS auditor observes that exceptions have been approved for an organization’s information security policy. Which of the following is MOST important for the auditor to confirm?
A. Exceptions do not change residual risk.
B. Exceptions are approved for predefined periods.
C. Exceptions require changes to the policy.
D. Exceptions are approved by the board of directors.
Selected Answer: A
Question #: 627
Topic #: 1
An external IS auditor has been engaged to determine the organization’s cybersecurity posture. Which of the following is MOST useful for this purpose?
A. Capability maturity assessment
B. Compliance reports
C. Control self-assessment (CSA)
D. Industry benchmark report
Selected Answer: A
Question #: 625
Topic #: 1
An IS auditor has been asked to perform an assurance review of an organization’s mobile computing security. To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for the auditor to determine whether:
A. lost devices can be located remotely.
B. procedures for lost devices include remote wiping of data.
C. a mobile security awareness training program exists.
D. a security policy exists for mobile devices.
Selected Answer: D
Question #: 624
Topic #: 1
An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the integrity of the data on the backup tapes?
A. Ensure that data is encrypted before leaving the facility.
B. Confirm that data transfers are logged and recorded.
C. Confirm that data is transported in locked tamper-evident containers.
D. Ensure that the transport company obtains signatures for all shipments.
Selected Answer: A
Question #: 613
Topic #: 1
Which of the following is MOST important to have in place to build consensus among key stakeholders on the cost-effectiveness of IT?
A. IT project governance and management
B. Standardized enterprise architecture (EA)
C. IT performance monitoring and reporting
D. A uniform IT chargeback process
Selected Answer: C
Question #: 609
Topic #: 1
Which of the following would be MOST useful to an organization planning to adopt a public cloud computing model?
A. Service level agreement (SLA) performance metrics
B. Management attestation report
C. Independent control assessment
D. Audit report prepared by the service provider
Selected Answer: A
Question #: 577
Topic #: 1
An IS auditor is reviewing an organization’s business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor’s GREATEST concern?
A. Copies of the BCP have not been distributed to new business unit end users since the reorganization
B. The most recent business impact analysis (BIA) was performed two years before the reorganization
C. A test plan for the BCP has not been completed during the last two years
D. Key business process end users did not participate in the business impact analysis (BIA)
Selected Answer: A
Question #: 737
Topic #: 1
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
A. Verify all patches have been applied to the software system’s outdated version.
B. Monitor network traffic attempting to reach the outdated software system.
C. Close all unused ports on the outdated software system.
D. Segregate the outdated software system from the main network.
Selected Answer: D
Question #: 549
Topic #: 1
Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
A. Software cost estimation
B. Work breakdown structure
C. Critical path analysis
D. Function point analysis
Selected Answer: D
Question #: 1074
Topic #: 1
A database administrator (DBA) should be prevented from:
A. accessing sensitive information.
B. having end user responsibilities.
C. having access to production files.
D. using an emergency user ID.
Selected Answer: B
Question #: 1323
Topic #: 1
During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement. What should the auditor do NEXT?
A. Verify whether a third-party security attestation exists.
B. Verify whether IT management monitors the effectiveness of the environment.
C. Verify whether a right-to-audit clause exists.
D. Verify whether service level agreements (SLAs) are defined and monitored.
Selected Answer: D
Question #: 1314
Topic #: 1
Which of the following should be responsible for verifying changes to an application are authorized?
A. Project oversight board
B. Business line management
C. Release management team
D. Steering committee
Selected Answer: B
Question #: 1283
Topic #: 1
In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:
A. project management methodologies used.
B. allocation of IT staff.
C. major IT initiatives.
D. links to operational tactical plans.
Selected Answer: C
Question #: 1282
Topic #: 1
How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?
A. Fewer manual milestones
B. Easy software version rollback
C. Automated software testing
D. Smaller incremental changes
Selected Answer: C
Question #: 1276
Topic #: 1
An organization performs virtual machine (VM) replication instead of daily backups of its critical servers. Which of the following is MOST important to validate when evaluating the adequacy of recovery procedures?
A. Periodic testing of VM replication is completed.
B. Replication servers are located offsite.
C. VM load balancing is configured.
D. Internet access is restricted for VM backup administrators.
Selected Answer: A
Question #: 1234
Topic #: 1
What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?
A. Determine service level requirements.
B. Perform a business impact analysis (BIA).
C. Complete a risk assessment.
D. Conduct a vendor audit.
Selected Answer: A
Question #: 1185
Topic #: 1
An IS auditor has identified potential fraud activity perpetrated by the network administrator. What should the auditor do FIRST?
A. Review the audit finding with the audit committee prior to any other discussions.
B. Share the potential audit finding with the security administrator.
C. Perform more detailed tests prior to disclosing the audit results.
D. Notify the audit committee to ensure a timely resolution.
Selected Answer: D
Question #: 1181
Topic #: 1
What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?
A. Develop a metadata repository to store and access metadata.
B. Implement data entry controls for new and existing applications.
C. Implement a consistent database indexing strategy.
D. Establish rules for converting data from one format to another.
Selected Answer: D
Question #: 1166
Topic #: 1
Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?
A. Producing a header page with classification level for printed documents
B. Encrypting the data stream between the user’s computer and the printer
C. Using passwords to allow authorized users to send documents to the printer
D. Requiring a key code to be entered on the printer to produce hard copy
Selected Answer: A
Question #: 1163
Topic #: 1
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization’s method to transport sensitive data between offices?
A. The method relies exclusively on the use of 128-bit encryption.
B. The method relies exclusively on the use of digital signatures.
C. The method relies exclusively on the use of asymmetric encryption algorithms.
D. The method relies exclusively on the use of public key infrastructure (PKI).
Selected Answer: D
Question #: 1162
Topic #: 1
Which of the following is the GREATEST benefit related to disaster recovery for an organization that has converted its infrastructure to a virtualized environment?
A. Virtual servers decrease the recovery time objective (RTO).
B. Virtual servers reduce the time and complexity associated with backup procedures.
C. Virtual servers can be recreated on similar hardware faster than restoring from backups.
D. Virtual servers eliminate the need to verify backups.
Selected Answer: C
Question #: 1156
Topic #: 1
Which of the following would be MOST helpful to an IS auditor assessing the reliability of an organization’s network?
A. Protocol analyzer
B. Online monitoring
C. Downtime report
D. Response time report
Selected Answer: B
Question #: 1155
Topic #: 1
An organization has decided to outsource a critical application due to a lack of specialized resources. Which risk response has been adopted?
A. Mitigation
B. Avoidance
C. Sharing
D. Acceptance
Selected Answer: B
Question #: 1250
Topic #: 1
Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
A. Classifies documents to correctly reflect the level of sensitivity of information they contain
B. Ensures documents are handled in accordance with the sensitivity of information they contain
C. Defines the conditions under which documents containing sensitive information may be transmitted
D. Classifies documents in accordance with industry standards and best practices
Selected Answer: C
Question #: 1000
Topic #: 1
Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?
A. Changes are promoted to production by the development group.
B. Developers have access to the testing environment.
C. Object code can be accessed by the development group.
D. Change approvals are not formally documented.
Selected Answer: D
Question #: 994
Topic #: 1
An IS auditor has been asked to investigate critical business applications that have been producing suspicious results. Which of the following should be done FIRST?
A. Evaluate control design
B. Evaluate incident management
C. Review configuration management
D. Review user access rights
Selected Answer: C
Question #: 1227
Topic #: 1
Which of the following is MOST likely to increase if an organization increases its risk appetite?
A. Audit findings
B. Key controls
C. Opportunities
D. Security incidents
Selected Answer: D
Question #: 1217
Topic #: 1
An IS auditor reviewing an IT organization should be MOST concerned if the IT steering committee:
A. does not meet regularly for oversight of IT investments and projects.
B. consults the board of directors on procedural and standard changes.
C. reviews IT-related policies and standards only once per year.
D. does not include business-level representation.
Selected Answer: D
Question #: 1212
Topic #: 1
Audit observations should be FIRST communicated with the auditee:
A. during fieldwork.
B. at the end of fieldwork.
C. within the audit report.
D. when drafting the report.
Selected Answer: A
Question #: 1200
Topic #: 1
Which of the following BEST ensures that effective change management is in place in an IS environment?
A. Adequate testing was carried out by the development team.
B. User-prepared detailed test criteria for acceptance testing of the software.
C. User authorization procedures for application access are well established.
D. Access to production source and object programs is well controlled.
Selected Answer: D
Question #: 1072
Topic #: 1
Which of the following is the BEST way for an organization that is using a Software as a Service (SaaS) application to reduce its risk associated with the collection and protection of personal information?
A. Limit the amount of personal information collected to industry standards.
B. Encrypt personal information held by the organization.
C. Limit the amount of personal information collected to the minimum required.
D. Only allow remote access to personal information from an alternate site.
Selected Answer: B
Question #: 1191
Topic #: 1
An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
A. enterprise architecture (EA) impacts.
B. a risk-based ranking of projects.
C. IT budgets linked to the organization’s budget.
D. a comparison of future needs against current capabilities.
Selected Answer: D
Question #: 619
Topic #: 1
An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
A. Ensure a change management process is followed prior to implementation.
B. Identify whether any compensating controls exist.
C. Determine whether another database administrator (DBA) could make the changes.
D. Report a potential segregation of duties (SoD) violation.
Selected Answer: B
Question #: 1151
Topic #: 1
What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?
A. Implementation plan for restricting the collection of personal information
B. Analysis of systems that contain privacy components
C. Privacy legislation in other countries that may contain similar requirements
D. Operational plan for achieving compliance with the legislation
Selected Answer: B
Question #: 1119
Topic #: 1
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
A. Comprehensive coverage of fundamental and critical risk and control areas for IT governance
B. Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies
C. Readily available resources such as domains and risk and control methodologies
D. Wide acceptance by different business and support units with IT governance objectives
Selected Answer: A
Question #: 842
Topic #: 1
Which of the following is a core functionality of a configuration and release management system?
A. Identifying other configuration items that will be impacted by a given change
B. Identifying vulnerabilities in configuration settings
C. Deploying a configuration change to the sandbox environment
D. Managing privileged access to databases, servers, and infrastructure
Selected Answer: B
Question #: 1174
Topic #: 1
The BEST way to evaluate the effectiveness of a newly developed application is to:
A. perform a post-implementation review.
B. review acceptance testing results.
C. perform a secure code review.
D. analyze load testing results.
Selected Answer: A
Question #: 1120
Topic #: 1
Which of the following would provide the BEST evidence of the effectiveness of mandated annual security awareness training?
A. Trending of social engineering test results
B. Surveys completed by randomly selected employees
C. Number of security incidents
D. Results of a third-party penetration test
Selected Answer: D
Question #: 1391
Topic #: 1
When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?
A. Review the changes and determine whether the risks have been addressed.
B. Accept management’s assertion and report that the risks have been addressed.
C. Report that the changes make it impractical to determine whether the risks have been addressed.
D. Determine whether the changes have introduced new risks that need to be addressed.
Selected Answer: A
Question #: 1502
Topic #: 1
Which of the following is BEST used for detailed testing of a business application’s data and configuration files?
A. Utility software
B. Audit hooks
C. Audit analytics tool
D. Version control software
Selected Answer: C
Question #: 1483
Topic #: 1
The business case for an information system investment should be available for review until the:
A. information system investment is retired.
B. formal investment decision is approved.
C. information system has reached end of life.
D. benefits have been fully realized.
Selected Answer: D
Question #: 1453
Topic #: 1
Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?
A. Document the anomalies in audit work papers.
B. Deprioritize further testing of the anomalies and refocus on issues with higher risk.
C. Update the audit plan to include the information collected during the audit.
D. Ask auditees to promptly remediate the anomalies.
Selected Answer: A
Question #: 1394
Topic #: 1
Which of the following is the GREATEST concern when consolidating several applications from two outdated servers onto one new server?
A. Network traffic may increase.
B. Power usage will increase.
C. The new server will not be fully utilized after migration.
D. System maintenance may require more coordination.
Selected Answer: D
Question #: 1389
Topic #: 1
An IS auditor finds a computer that is suspected to have been involved in a cyber crime. Which of the following activities is MOST critical to ensure data collected is admissible in a court of law?
A. Notify law enforcement upon detection.
B. Track possession of the computer.
C. Collect audit logs from the affected computer.
D. Power off the computer to ensure data is not changed.
Selected Answer: C
Question #: 1369
Topic #: 1
Which of the following should be the GREATEST concern for an IS auditor reviewing the implementation of a security information and event management (SIEM) system?
A. SIEM rule tuning is only reviewed annually.
B. Network monitoring events are not aggregated into the SIEM.
C. Only the last seven days of logs from the SIEM are maintained for review.
D. Security operations center (SOC) staff have not been fully trained on how to use the SIEM.
Selected Answer: D
Question #: 1341
Topic #: 1
In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
A. Discovery sampling
B. Stop-or-go sampling
C. Variable sampling
D. Judgmental sampling
Selected Answer: B
Question #: 1318
Topic #: 1
A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?
A. Assess the threat landscape.
B. Perform penetration testing.
C. Review remediation reports.
D. Establish control objectives.
Selected Answer: A
Question #: 1313
Topic #: 1
Which type of risk would MOST influence the selection of a sampling methodology?
A. Inherent
B. Residual
C. Control
D. Detection
Selected Answer: A
Question #: 1305
Topic #: 1
During an organization’s implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?
A. Configuring rule sets
B. Enabling detection points
C. Establishing exceptions workflow
D. Configuring reports
Selected Answer: B
Question #: 1265
Topic #: 1
Which of the following should an IS auditor use when verifying a three-way match has occurred in an enterprise resource planning (ERP) system?
A. Goods delivery notification
B. Purchase order
C. Purchase requisition
D. Bank confirmation
Selected Answer: A
Question #: 1231
Topic #: 1
An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?
A. Prioritize contract amendments for third-party providers.
B. Review privacy requirements when contracts come up for renewal.
C. Suspend contracts with third-party providers that handle sensitive data.
D. Require third-party providers to sign nondisclosure agreements (NDAs).
Selected Answer: D
Question #: 1201
Topic #: 1
What is the PRIMARY reason for an organization to classify the data stored on its internal networks?
A. To comply with the organization’s data policies
B. To follow industry best practices
C. To implement data protection requirements
D. To determine data retention policy
Selected Answer: C
Question #: 1168
Topic #: 1
Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
A. Reporting
B. Proficiency
C. Due professional care
D. Sufficient evidence
Selected Answer: C
Question #: 1154
Topic #: 1
Which of the following is MOST likely to increase non-sampling risk?
A. Improperly stratified populations
B. Decreased tolerance rate
C. Inappropriate materiality ratings
D. Poor knowledge of the audit process
Selected Answer: B
Question #: 1153
Topic #: 1
An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation?
A. Airlock entrance
B. Intruder alarms
C. Procedures for escorting visitors
D. Biometrics
Selected Answer: D