CISA Topic 4
Question #: 1055
Topic #: 1
An IS auditor may be justified in using a SMALLER sample size under which of the following circumstances?
A. Lower confidence coefficient
B. Higher expected error rate
C. Higher reliability factor
D. Lower precision amount
Selected Answer: A
Question #: 1042
Topic #: 1
Which of the following findings should be of MOST concern to an IS auditor assessing agile software development practices?
A. There is a low acceptance rate by the business of delivered software.
B. Testing is performed by both software developers and testers.
C. Release plans have been revised several times before actual release.
D. The IT team feels unable to strictly follow standard agile practices.
Selected Answer: A
Question #: 153
Topic #: 1
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
A. Blocking external IM traffic
B. Blocking attachments in IM
C. Allowing only corporate IM solutions
D. Encrypting IM traffic
Selected Answer: A
Question #: 1027
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s newly established enterprise architecture (EA)?
A. The business leaders were not consulted when designing the IT architecture.
B. Standard architecture methodology was not adopted for designing the IT architecture.
C. Staff responsible for designing the IT architecture do not hold a related certification.
D. External experts were not consulted when designing the IT architecture.
Selected Answer: A
Question #: 1025
Topic #: 1
A national bank recently migrated a large number of business-critical applications to the cloud. Which of the following is MOST important to ensuring the resiliency of the applications?
A. Conducting periodic system stress testing
B. Negotiating a service level agreement (SLA) with the provider
C. Using a monitoring tool to assess uptime
D. Creating restore points for critical applications
Selected Answer: B
Question #: 867
Topic #: 1
An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?
A. Developer status reports
B. Critical path analysis reports
C. Change management logs
D. Backlog consumption reports
Selected Answer: A
Question #: 855
Topic #: 1
The use of which of the following is an inherent risk in the application container infrastructure?
A. Shared data
B. Shared registries
C. Shared kernel
D. Host operating system
Selected Answer: C
Question #: 801
Topic #: 1
An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?
A. There are no notices indicating recording is in progress.
B. Cameras are not monitored 24/7.
C. There are no backups of the videos.
D. The retention period for video recordings is undefined.
Selected Answer: B
Question #: 778
Topic #: 1
Which of the following should be the IS auditor’s PRIMARY focus when evaluating an organization’s offsite storage facility?
A. Adequacy of physical and environmental controls
B. Results of business continuity plan (BCP) tests
C. Shared facilities
D. Retention policy and period
Selected Answer: A
Question #: 717
Topic #: 1
During an audit of an organization’s risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
A. There are documented compensating controls over the business processes.
B. The risk acceptances with issues reflect a small percentage of the total population.
C. The business environment has not significantly changed since the risk acceptances were approved.
D. The risk acceptances were previously reviewed and approved by appropriate senior management.
Selected Answer: D
Question #: 713
Topic #: 1
Which of the following is the BEST recommendation to include in an organization’s bring your own device (BYOD) policy to help prevent data leakage?
A. Specify employee responsibilities for reporting lost or stolen BYOD devices.
B. Require multi-factor authentication on BYOD devices.
C. Require employees to waive privacy rights related to data on BYOD devices.
D. Allow only registered BYOD devices to access the network.
Selected Answer: D
Question #: 148
Topic #: 1
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
A. Develop a maturity model.
B. Evaluate key performance indicators (KPIs).
C. Conduct a gap analysis.
D. Implement a control self-assessment (CSA).
Selected Answer: C
Question #: 595
Topic #: 1
An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?
A. The data analysis tools have been recently updated.
B. The data can be obtained in a timely manner.
C. There is no privacy information in the data.
D. The data is taken directly from the system.
Selected Answer: C
Question #: 594
Topic #: 1
An IS auditor is assigned to review the IS department’s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards. Which of the following should be the auditor’s NEXT action?
A. Finalize the audit and report the finding.
B. Document and test compliance with the informal standards.
C. Postpone the audit until IS management implements written standards.
D. Make recommendations to IS management as to appropriate quality standards.
Selected Answer: B
Question #: 579
Topic #: 1
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
A. Technical specifications are not documented.
B. Disaster recovery plans (DRPs) are not in place.
C. Attack vectors are evolving for industrial control systems.
D. There is a greater risk of system exploitation.
Selected Answer: C
Question #: 581
Topic #: 1
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor’s NEXT course of action?
A. Disclose the findings to senior management.
B. Identify existing mitigating controls.
C. Attempt to exploit the weakness.
D. Assist in drafting corrective actions.
Selected Answer: B
Question #: 519
Topic #: 1
Which of the following approaches provides the BEST assurance and user confidence when an organization migrates data to a more complex enterprise resource planning (ERP) system?
A. User acceptance testing (UAT)
B. Parallel processing
C. Phased changeover
D. Pilot testing
Selected Answer: C
Question #: 498
Topic #: 1
Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?
A. Validate that all data files contain digital watermarks.
B. Implement an intrusion detection system (IDS).
C. Ensure that paper documents are disposed of securely.
D. Verify that application logs capture any changes made.
Selected Answer: A
Question #: 497
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
A. Antivirus software was unable to prevent the attack even though it was properly updated.
B. Backups were only performed within the local network.
C. The most recent security patches were not tested prior to implementation.
D. Employees were not trained on cybersecurity policies and procedures.
Selected Answer: B
Question #: 486
Topic #: 1
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
A. Impact assessment
B. Control self-assessment (CSA)
C. Risk classification
D. Risk identification
Selected Answer: A
Question #: 936
Topic #: 1
A large organization has a centralized infrastructure team and decentralized application support teams reporting into their respective business units. Which of the following is the GREATEST potential issue with this organizational structure?
A. Redundancy of IT resources used across the organization
B. Failure to align with industry best practices across the organization
C. Inconsistent allocation of IT spend across the organization
D. Inconsistent IT strategy across the organization
Selected Answer: D
Question #: 430
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
A. The information security policy does not include mobile device provisions.
B. The information security policy is not frequently reviewed.
C. The information security policy has not been approved by the chief audit executive (CAE).
D. The information security policy has not been approved by the policy owner.
Selected Answer: D
Question #: 452
Topic #: 1
Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
A. Packet filtering router
B. Circuit gateway
C. Application level gateway
D. Screening router
Selected Answer: C
Question #: 399
Topic #: 1
Which of the following is MOST important when creating a forensic image of a hard drive?
A. Generating a content hash of the hard drive
B. Choosing an industry-leading forensics software tool
C. Requiring an independent third party be present while imaging
D. Securing a backup copy of the hard drive
Selected Answer: D
Question #: 983
Topic #: 1
An organization has outsourced the maintenance of its customer database to an external vendor, and the vendor has requested live data to test the performance of the database. Which of the following is MOST important for the IS auditor to recommend?
A. Ensure sensitive field data is anonymized by random characters.
B. Ensure both parties agree the data will be destroyed after the testing is complete.
C. Ensure the data is backed up before providing it to the vendor.
D. Ensure data transfer details are specified in the service engagement contract.
Selected Answer: D
Question #: 302
Topic #: 1
An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:
A. based on the business requirements for confidentiality of the information.
B. aligned with the organization’s segregation of duties requirements.
C. based on the results of an organization-wide risk assessment.
D. based on the business requirements for authentication of the information.
Selected Answer: A
Question #: 300
Topic #: 1
The application systems quality assurance (QA) function should:
A. compare programs to approved system changes.
B. ensure adherence of programs to standards.
C. assist programmers in designing and developing applications.
D. design and develop quality applications by employing system development methodology.
Selected Answer: B
Question #: 297
Topic #: 1
Following an IS audit, which of the following types of risk would be MOST critical to communicate to key stakeholders?
A. Control
B. Inherent
C. Audit
D. Residual
Selected Answer: D
Question #: 296
Topic #: 1
A company converted its payroll system from an external service to an internal package. Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?
A. Cut-off dates and overwrites for a sample of employees
B. Turnaround time for payroll processing
C. Master file employee data to payroll journals
D. Employee counts and year-to-date payroll totals
Selected Answer: C
Question #: 264
Topic #: 1
An organization is acquiring a new customer relationship management (CRM) system. In which of the following would the IS auditor find the MOST relevant information on projected cost savings?
A. Request for proposal (RFP)
B. Feasibility study document
C. Business case
D. Results of prototype testing
Selected Answer: C
Question #: 247
Topic #: 1
Many departments of an organization have not implemented audit recommendations by their agreed-upon target dates. Who should address this situation?
A. Head of internal audit
B. External auditor
C. Department managers
D. Senior management
Selected Answer: D
Question #: 237
Topic #: 1
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
A. Criteria
B. Responsible party
C. Impact
D. Root cause
Selected Answer: D
Question #: 232
Topic #: 1
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
A. the access control system’s configuration.
B. how the latest system changes were implemented.
C. the access rights that have been granted.
D. the access control system’s log settings.
Selected Answer: A
Question #: 230
Topic #: 1
Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?
A. Employees are not required to sign a non-compete agreement.
B. Security education and awareness workshops have not been completed.
C. Users lack technical knowledge related to security and data protection.
D. Desktop passwords do not require special characters.
Selected Answer: C
Question #: 1408
Topic #: 1
Which of the following is the BEST security control to validate the integrity of data communicated between production databases and a big data analytics system?
A. Hashing in-scope data sets
B. Hosting a digital certificate for in-scope data sets
C. Encrypting in-scope data sets
D. Running and comparing the count function within the in-scope data sets
Selected Answer: B
Question #: 185
Topic #: 1
When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST important consideration is that the metrics:
A. measure the effectiveness of IT controls in the achievement of IT strategy.
B. provide quantitative measurement of IT initiatives in relation to business targets.
C. are expressed in terms of how IT risk impacts the achievement of business goals.
D. are used by similar industries to measure the effect of IT on business strategy.
Selected Answer: B
Question #: 179
Topic #: 1
Reviewing project plans and status reports throughout the development life cycle will:
A. eliminate the need to perform a risk assessment.
B. postpone documenting the project’s progress until the final phase.
C. guarantee that the project will meet its intended deliverables.
D. facilitate the optimal use of resources over the life of the project.
Selected Answer: D
Question #: 171
Topic #: 1
Which of the following BEST facilitates detection of zero-day exploits?
A. Anti-malware software
B. User behavior analytics
C. Intrusion detection systems (IDS)
D. Intrusion prevention systems (IPS)
Selected Answer: D
Question #: 169
Topic #: 1
Which of the following would BEST detect unauthorized modification of data by a database administrator (DBA)?
A. Audit database change requests
B. Audit database activity logs
C. Review changes to edit checks
D. Compare data to input records
Selected Answer: B
Question #: 168
Topic #: 1
Secure code reviews as part of a continuous deployment program are which type of control?
A. Detective
B. Corrective
C. Logical
D. Preventive
Selected Answer: D
Question #: 163
Topic #: 1
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
A. Periodically running and reviewing test data against production programs
B. Verifying user management approval of modifications
C. Reviewing the last compile date of production programs
D. Manually comparing code in production programs to controlled copies
Selected Answer: C
Question #: 159
Topic #: 1
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon. The MOST effective plan of action would be to:
A. evaluate replacement systems and performance monitoring software.
B. use analytical tools to produce exception reports from the system and performance monitoring software.
C. re-install the system and performance monitoring software.
D. restrict functionality of system monitoring software to security-related events.
Selected Answer: B
Question #: 157
Topic #: 1
A new privacy regulation requires a customer’s privacy information to be deleted within 72 hours, if requested. Which of the following would be an IS auditor’s GREATEST concern regarding compliance to this regulation?
A. Outdated online privacy policies
B. End user access to applications with customer information
C. Incomplete backup and retention policies
D. Lack of knowledge of where customers’ information is saved
Selected Answer: D
Question #: 155
Topic #: 1
The use of cookies constitutes the MOST significant security threat when they are used for:
A. obtaining a public key from a certification authority (CA).
B. forwarding email and Internet Protocol (IP) addresses.
C. authenticating using username and password.
D. downloading files from the host server.
Selected Answer: C
Question #: 154
Topic #: 1
An IS auditor noted that a change to a critical calculation was placed into the production environment without being tested. Which of the following is the BEST way to obtain assurance that the calculation functions correctly?
A. Check regular execution of the calculation batch job.
B. Interview the lead system developer.
C. Obtain post-change approval from management.
D. Perform substantive testing using computer-assisted audit techniques (CAATs).
Selected Answer: D
Question #: 149
Topic #: 1
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
A. Statistical sampling of adjustment transactions
B. Separate authorization for input of transactions
C. An edit check for the validity of the inventory transaction
D. Unscheduled audits of lost stock lines
Selected Answer: B
Question #: 138
Topic #: 1
The BEST indicator of an optimized quality management system (QMS) is that it:
A. is endorsed by senior management.
B. aligns with an industry recognized framework.
C. is integrated and enforced in all IT activities.
D. defines and monitors all IT QMS activities.
Selected Answer: C
Question #: 132
Topic #: 1
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization’s goals?
A. Enterprise architecture (EA)
B. Key performance indicators (KPIs)
C. Balanced scorecard
D. Enterprise dashboard
Selected Answer: C
Question #: 130
Topic #: 1
An organization needs to comply with data privacy regulations forbidding the display of personally identifiable information (PII) on customer bills or receipts. However, it is a business requirement to display at least one attribute so that customers can verify the bills or receipts are intended for them. What is the BEST recommendation?
A. Data sanitization
B. Data masking
C. Data encryption
D. Data tokenization
Selected Answer: B
Question #: 126
Topic #: 1
An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor’s GREATEST concern?
A. The data model is not clearly documented.
B. The vendor development team is located overseas.
C. The cost of outsourcing is lower than in-house development.
D. A training plan for business users has not been developed.
Selected Answer: A
Question #: 125
Topic #: 1
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
A. Mobile device testing program
B. Mobile device upgrade program
C. Mobile device awareness program
D. Mobile device tracking program
Selected Answer: C
Question #: 121
Topic #: 1
An organization is planning to re-purpose workstations that were used to handle confidential information. Which of the following would be the IS auditor’s BEST recommendation to dispose of this information?
A. Overwrite the disks with random data.
B. Reformat the disks.
C. Erase the disks by degaussing.
D. Delete the disk partitions.
Selected Answer: A
Question #: 114
Topic #: 1
An organization’s security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
A. Number of new hires who have violated enterprise security policies
B. Percentage of new hires that have completed the training
C. Number of reported incidents by new hires
D. Percentage of new hires who report incidents
Selected Answer: D
Question #: 112
Topic #: 1
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
A. FM-200
B. Dry pipe
C. Carbon dioxide
D. Halon
Selected Answer: C
Question #: 104
Topic #: 1
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor’s BEST recommendation for a compensating control?
A. Require written authorization for all payment transactions.
B. Review payment transaction history.
C. Reconcile payment transactions with invoices.
D. Restrict payment authorization to senior staff members.
Selected Answer: C
Question #: 98
Topic #: 1
An organization wants to classify database tables according to its data classification scheme. From an IS auditor’s perspective, the tables should be classified based on the:
A. specific functional contents of each single table.
B. frequency of updates to the table.
C. number of end users with access to the table.
D. descriptions of column names in the table.
Selected Answer: A
Question #: 87
Topic #: 1
Which of the following BEST indicates the effectiveness of an organization’s risk management program?
A. Residual risk is minimized.
B. Inherent risk is eliminated.
C. Control risk is minimized.
D. Overall risk is quantified.
Selected Answer: A
Question #: 86
Topic #: 1
During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST concerned with the:
A. allocation of resources during an emergency.
B. maintenance of hardware and software compatibility.
C. differences in IS policies and procedures.
D. frequency of system testing.
Selected Answer: B
Question #: 75
Topic #: 1
Which of the following is the PRIMARY basis on which audit objectives are established?
A. Audit risk
B. Consideration of risks
C. Assessment of prior audits
D. Business strategy
Selected Answer: B
Question #: 74
Topic #: 1
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
A. The system does not have a maintenance plan.
B. The system contains several minor defects.
C. The system deployment was delayed by three weeks.
D. The system was over budget by 15%.
Selected Answer: A
Question #: 73
Topic #: 1
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
A. The policy includes a strong risk-based approach.
B. The retention period complies with data owner responsibilities.
C. The retention period allows for review during the year-end audit.
D. The total transaction amount has no impact on financial reporting.
Selected Answer: B
Question #: 66
Topic #: 1
During an internal audit of automated controls, an IS auditor identifies that the integrity of data transfer between systems has not been tested since successful implementation two years ago. Which of the following should the auditor do NEXT?
A. Review previous system interface testing records.
B. Document the finding in the audit report.
C. Review relevant system changes.
D. Review IT testing policies and procedures.
Selected Answer: C
Question #: 64
Topic #: 1
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial draft of the audit report. Which of the following findings should be ranked as the HIGHEST risk?
A. Network penetration tests are not performed.
B. The network firewall policy has not been approved by the information security officer.
C. Network firewall rules have not been documented.
D. The network device inventory is incomplete.
Selected Answer: C
Question #: 58
Topic #: 1
An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
A. Audit logging is not enabled.
B. Single sign-on is not enabled.
C. Complex passwords are not required.
D. Security baseline is not consistently applied.
Selected Answer: A
Question #: 56
Topic #: 1
Which of the following would be of GREATEST concern when reviewing an organization’s security information and event management (SIEM) solution?
A. SIEM reporting is ad hoc.
B. SIEM reporting is customized.
C. SIEM configuration is reviewed annually.
D. The SIEM is decentralized.
Selected Answer: D
Question #: 52
Topic #: 1
During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor’s BEST course of action?
A. Request management wait until a final report is ready for discussion.
B. Request the auditee provide management responses.
C. Review working papers with the auditee.
D. Present observations for discussion only.
Selected Answer: D
Question #: 49
Topic #: 1
Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
A. Results of a risk assessment
B. Policies including BYOD acceptable use statements
C. Findings from prior audits
D. An inventory of personal devices to be connected to the corporate network
Selected Answer: A
Question #: 47
Topic #: 1
Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization’s disaster recovery plan (DRP)?
A. Performing a full interruption test
B. Performing a parallel test
C. Performing a tabletop test
D. Performing a cyber-resilience test
Selected Answer: B
Question #: 46
Topic #: 1
The IS quality assurance (QA) group is responsible for:
A. monitoring the execution of computer processing tasks.
B. designing procedures to protect data against accidental disclosure.
C. ensuring that program changes adhere to established standards.
D. ensuring that the output received from system processing is complete.
Selected Answer: C
Question #: 45
Topic #: 1
In a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?
A. Send a certificate that can be verified by a certification authority with the public key.
B. Encrypt the message containing the sender’s public key, using the recipient’s public key.
C. Send the public key to the recipient prior to establishing the connection.
D. Encrypt the message containing the sender’s public key, using a private-key cryptosystem.
Selected Answer: A
Question #: 42
Topic #: 1
Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
A. Implementation methodology
B. Test results
C. Purchasing guidelines and policies
D. Results of live processing
Selected Answer: D
Question #: 39
Topic #: 1
An IS auditor notes that the previous year’s disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
A. Hardware change management policy
B. An up-to-date RACI chart
C. Vendor memo indicating problem correction
D. Service level agreement (SLA)
Selected Answer: D
Question #: 37
Topic #: 1
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor’s GREATEST concern?
A. Mobile devices are not encrypted.
B. Users are not required to sign updated acceptable use agreements.
C. The business continuity plan (BCP) was not updated.
D. Users have not been trained on the new system.
Selected Answer: D
Question #: 33
Topic #: 1
A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?
A. Rotation of log monitoring and analysis responsibilities
B. Additional management reviews and reconciliations
C. Mandatory vacations
D. Third-party assessments
Selected Answer: B
Question #: 32
Topic #: 1
In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
A. application programmer.
B. quality assurance (QA) personnel.
C. computer operator.
D. systems programmer.
Selected Answer: A
Question #: 31
Topic #: 1
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
A. The quality of the data is not monitored.
B. The transfer protocol does not require authentication.
C. Imported data is not disposed of frequently.
D. The transfer protocol is not encrypted.
Selected Answer: B
Question #: 28
Topic #: 1
An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor’s GREATEST concern?
A. A gap analysis against regulatory requirements has not been conducted.
B. The third party disclosed a policy-related issue of noncompliance.
C. The organization has not reviewed the third party’s policies and procedures.
D. The organization has not communicated regulatory requirements to the third party.
Selected Answer: B
Question #: 27
Topic #: 1
Which of the following would be MOST useful to an IS auditor assessing the effectiveness of IT resource planning?
A. Budget execution status
B. A capacity analysis of IT operations
C. A succession plan for key IT personnel
D. A list of new applications to be implemented
Selected Answer: B
Question #: 21
Topic #: 1
Which of the following is the PRIMARY role of the IS auditor in an organization’s information classification process?
A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
Selected Answer: B
Question #: 17
Topic #: 1
After an employee termination, a network account was removed, but the application account remained active. To keep this issue from recurring, which of the following is the BEST recommendation?
A. Integrate application accounts with network single sign-on.
B. Perform periodic access reviews.
C. Retrain system administration staff.
D. Leverage shared accounts for the application.
Selected Answer: B
Question #: 13
Topic #: 1
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor’s time would be to review and evaluate:
A. cost-benefit analysis.
B. acceptance testing.
C. application test cases.
D. project plans.
Selected Answer: C
Question #: 12
Topic #: 1
An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. The triggering of remote data wipe capabilities
C. Awareness training for mobile device users
D. Complex password policy for mobile devices
Selected Answer: A
Question #: 6
Topic #: 1
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern is that:
A. a clear business case has been established.
B. the new hardware meets established security standards.
C. a full, visible audit trail will be included.
D. the implementation plan meets user requirements.
Selected Answer: A
Question #: 5
Topic #: 1
Which of the following issues associated with a data center’s closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV records are deleted after one year.
C. CCTV footage is not recorded 24 x 7.
D. CCTV cameras are not installed in break rooms.
Selected Answer: A
Question #: 2
Topic #: 1
Which of the following would be MOST useful when analyzing computer performance?
A. Tuning of system software to optimize resource usage
B. Operations report of user dissatisfaction with response time
C. Statistical metrics measuring capacity utilization
D. Report of off-peak utilization and response time
Selected Answer: C
Question #: 10
Topic #: 1
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
Selected Answer: D
Question #: 113
Topic #: 1
Which of the following is the PRIMARY purpose of a post-implementation review?
A. To ensure project resources were optimized
B. To ensure project deliverables were provided on time
C. To determine whether expected benefits were realized from a project
D. To calculate a project’s actual cost against the projected cost
Selected Answer: C
Question #: 111
Topic #: 1
Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
A. Rotating backup copies of transaction files offsite
B. Ensuring bisynchronous capabilities on all transmission lines
C. Maintaining system console logs in electronic format
D. Using a database management system (DBMS) to dynamically back-out partially processed transactions
Selected Answer: D
Question #: 110
Topic #: 1
Which of the following is a social engineering attack method?
A. A hacker walks around an office building using scanning tools to search for a wireless network to gain access.
B. An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.
C. An unauthorized person attempts to gain access to secure premises by following an authorized person through a secure door.
D. An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.
Selected Answer: B
Question #: 109
Topic #: 1
An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree. Which of the following is MOST important to meet the IS audit standard for proficiency?
A. The standard is met as long as a supervisor reviews the new auditors’ work.
B. The standard is met as long as one member has a globally recognized audit certification.
C. Team member assignments must be based on individual competencies.
D. Technical co-sourcing must be used to help the new staff.
Selected Answer: C
Question #: 108
Topic #: 1
Which of the following is an IS auditor’s GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?
A. The organization may not be in compliance with licensing agreements.
B. System functionality may not meet business requirements.
C. The system may have version control issues.
D. The organization may be more susceptible to cyber-attacks.
Selected Answer: D
Question #: 106
Topic #: 1
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
A. Purchase data cleansing tools from a reputable vendor.
B. Appoint data quality champions across the organization.
C. Obtain error codes indicating failed data feeds.
D. Implement business rules to reject invalid data.
Selected Answer: D
Question #: 103
Topic #: 1
Which of the following BEST helps to ensure data integrity across system interfaces?
A. Reconciliations
B. Environment segregation
C. Access controls
D. System backups
Selected Answer: A
Question #: 674
Topic #: 1
Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?
A. Restricting evidence access to professionally certified forensic investigators
B. Engaging an independent third party to perform the forensic investigation
C. Performing investigative procedures on the original hard drives rather than images of the hard drives
D. Documenting evidence handling by personnel throughout the forensic investigation
Selected Answer: D
Question #: 101
Topic #: 1
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
A. Implement additional firewalls to protect the system.
B. Decommission the server.
C. Implement a new system that can be patched.
D. Evaluate the associated risk.
Selected Answer: D
Question #: 99
Topic #: 1
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
A. Provide notification to employees about possible email monitoring.
B. Develop an information classification scheme.
C. Develop an acceptable use policy for end-user computing (EUC).
D. Require all employees to sign nondisclosure agreements (NDAs).
Selected Answer: B
Question #: 96
Topic #: 1
Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
A. Utilize a network-based firewall.
B. Conduct regular user security awareness training.
C. Enforce a strong password policy meeting complexity requirements.
D. Perform domain name system (DNS) server security hardening.
Selected Answer: D
Question #: 95
Topic #: 1
An IS auditor observes that a bank’s web page address is prefixed “https://”. The auditor would be correct to conclude that:
A. the bank has established a virtual private network (VPN).
B. transactions are encrypted.
C. the bank has a restricted Internet protocol (IP) address.
D. the customer is connected to the bank’s intranet.
Selected Answer: B
Question #: 94
Topic #: 1
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management’s decision. Which of the following should be the IS auditor’s NEXT course of action?
A. Present the issue to executive management.
B. Report the disagreement to the board.
C. Accept management’s decision and continue the follow-up.
D. Report the issue to IS audit management.
Selected Answer: D
Question #: 93
Topic #: 1
Cross-site scripting (XSS) attacks are BEST prevented through:
A. secure coding practices.
B. use of common industry frameworks.
C. a three-tier web architecture.
D. application firewall policy settings.
Selected Answer: A
Question #: 92
Topic #: 1
Which of the following BEST facilitates the legal process in the event of an incident?
A. Right to perform e-discovery
B. Preserving the chain of custody
C. Results of a root cause analysis
D. Advice from legal counsel
Selected Answer: B
Question #: 90
Topic #: 1
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
A. Implementing the remediation plan
B. Developing the remediation plan
C. Developing the CSA questionnaire
D. Partially completing the CSA
Selected Answer: C
Question #: 89
Topic #: 1
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
A. Create the DLP policies and templates.
B. Conduct a threat analysis against sensitive data usage.
C. Conduct a data inventory and classification exercise.
D. Identify approved data workflows across the enterprise.
Selected Answer: C
Question #: 88
Topic #: 1
Providing security certification for a new system should include which of the following prior to the system’s implementation?
A. End-user authorization to use the system in production
B. Testing of the system within the production environment
C. An evaluation of the configuration management practices
D. External audit sign-off on financial controls
Selected Answer: C
Question #: 85
Topic #: 1
Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?
A. Knowledge of the IT staff regarding data protection requirements
B. Complete and accurate list of information assets that have been deployed
C. Segregation of duties between staff ordering and staff receiving information assets
D. Availability and testing of onsite backup generators
Selected Answer: B
Question #: 84
Topic #: 1
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
A. The attack could not be traced back to the originating person.
B. The attack was not automatically blocked by the intrusion detection system (IDS).
C. Appropriate response documentation was not maintained.
D. The security weakness facilitating the attack was not identified.
Selected Answer: D
Question #: 83
Topic #: 1
An IS auditor suspects an organization’s computer may have been used to commit a crime. Which of the following is the auditor’s BEST course of action?
A. Contact the incident response team to conduct an investigation.
B. Advise management of the crime after the investigation.
C. Examine the computer to search for evidence supporting the suspicions.
D. Notify local law enforcement of the potential crime before further investigation.
Selected Answer: A
Question #: 82
Topic #: 1
Which of the following metrics is the BEST indicator of the performance of a web application?
A. Server thread count
B. Server uptime
C. HTTP server error rate
D. Average response time
Selected Answer: D
Question #: 81
Topic #: 1
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
A. Reviewing vacation patterns
B. Interviewing senior IT management
C. Mapping IT processes to roles
D. Reviewing user activity logs
Selected Answer: C
Question #: 1136
Topic #: 1
An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data. Which of the following is the PRIMARY advantage of this approach?
A. Professionalism
B. Audit efficiency
C. Audit transparency
D. Data confidentiality
Selected Answer: B
Question #: 1412
Topic #: 1
A network review is being undertaken to evaluate security risks. Which of the following would be of MOST concern if identified during the review?
A. Router access to the Internet from the internal network
B. Direct network access from PCs to the Internet
C. Firewall access to the internal network from the Internet
D. Remote access to the internal network from internal PCs
Selected Answer: C
Question #: 78
Topic #: 1
Which of the following BEST protects an organization’s proprietary code during a joint-development activity involving a third party?
A. Privacy agreement
B. Statement of work (SOW)
C. Nondisclosure agreement (NDA)
D. Service level agreement (SLA)
Selected Answer: C
Question #: 238
Topic #: 1
An organization allows employees to use personally owned mobile devices to access customers’ personal information. Which of the following is MOST important for an IS auditor to verify?
A. Employees have signed off on an acceptable use policy.
B. Devices have adequate storage and backup capabilities.
C. Mobile devices are compatible with company infrastructure.
D. Mobile device security policies have been implemented.
Selected Answer: D
Question #: 76
Topic #: 1
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor’s NEXT course of action?
A. Note the exception in a new report as the item was not addressed by management.
B. Interview management to determine why the finding was not addressed.
C. Recommend alternative solutions to address the repeat finding.
D. Conduct a risk assessment of the repeat finding.
Selected Answer: B
Question #: 72
Topic #: 1
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
A. Recent third-party IS audit reports
B. Current and previous internal IS audit reports
C. IT performance benchmarking reports with competitors
D. Self-assessment reports of IT capability and maturity
Selected Answer: A
Question #: 70
Topic #: 1
What is the MAIN reason to use incremental backups?
A. To increase backup resiliency and redundancy
B. To reduce costs associated with backups
C. To improve key availability metrics
D. To minimize the backup time and resources
Selected Answer: D
Question #: 68
Topic #: 1
Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
A. Adherence to best practice and industry approved methodologies
B. Frequency of meetings where the business discusses the IT portfolio
C. Assignment of responsibility for each project to an IT team member
D. Controls to minimize risk and maximize value for the IT portfolio
Selected Answer: D
Question #: 67
Topic #: 1
The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that it enables:
A. the integration of financial and audit tests.
B. auditors to test without impacting production data.
C. a cost-effective approach to application controls audit.
D. auditors to investigate fraudulent transactions.
Selected Answer: B
Question #: 63
Topic #: 1
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
A. Ensure the intrusion prevention system (IPS) is effective.
B. Verify the disaster recovery plan (DRP) has been tested.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.
Selected Answer: C
Question #: 61
Topic #: 1
Which of the following is the BEST performance indicator for the effectiveness of an incident management program?
A. Incident alert meantime
B. Number of incidents reported
C. Average time between incidents
D. Incident resolution meantime
Selected Answer: D
Question #: 60
Topic #: 1
What would be an IS auditor’s BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
A. Ensure the open issues are retained in the audit results.
B. Recommend compensating controls for open issues.
C. Evaluate the residual risk due to open issues.
D. Terminate the follow-up because open issues are not resolved.
Selected Answer: C
Question #: 57
Topic #: 1
A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor in this scenario?
A. Hacktivists
B. Deleted log data
C. Terminated staff
D. Unauthorized access
Selected Answer: C
Question #: 16
Topic #: 1
The GREATEST benefit of using a prototyping approach in software development is that it helps to:
A. improve efficiency of quality assurance (QA) testing.
B. conceptualize and clarify requirements.
C. decrease the time allocated for user testing and review.
D. minimize scope changes to the system.
Selected Answer: B
Question #: 142
Topic #: 1
When removing a financial application system from production, which of the following is MOST important?
A. Media used by the retired system has been sanitized.
B. Software license agreements are retained.
C. End-user requests for changes are recorded and tracked.
D. Data retained for regulatory purposes can be retrieved.
Selected Answer: D
Question #: 137
Topic #: 1
An organization experienced a domain name system (DNS) attack caused by default user accounts not being removed from one of the servers. Which of the following would have been the BEST way to mitigate the risk of this DNS attack?
A. Require all employees to attend training for secure configuration management.
B. Have a third party configure the virtual servers.
C. Configure the servers from an approved standard configuration.
D. Configure the intrusion prevention system (IPS) to identify DNS attacks.
Selected Answer: C
Question #: 54
Topic #: 1
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
A. A separate copy of the spreadsheet is routinely backed up.
B. Access to the spreadsheet is given only to those who require access.
C. There is a reconciliation process between the spreadsheet and the finance system.
D. The spreadsheet is locked down to avoid inadvertent changes.
Selected Answer: B
Question #: 51
Topic #: 1
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
A. Failover power
B. Clustering
C. Parallel testing
D. Redundant pathways
Selected Answer: B
Question #: 50
Topic #: 1
An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because central servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?
A. Comparing all servers included in the current central log repository with the listing used for the prior-year audit
B. Inspecting a sample of alerts generated from the central log repository
C. Comparing a list of all servers from the directory server against a list of all servers present in the central log repository
D. Inspecting a sample of alert settings configured in the central log repository
Selected Answer: C
Question #: 43
Topic #: 1
Which of the following is an advantage of using agile software development methodology over the waterfall methodology?
A. Quicker end user acceptance
B. Clearly defined business expectations
C. Quicker deliverables
D. Less funding required overall
Selected Answer: C
Question #: 836
Topic #: 1
An IS auditor notes that a mortgage origination team receives customer loan applications via a shared repository. Which of the following findings presents the GREATEST privacy risk for this process?
A. Shared repository lacks dual access controls
B. Customer data is not updated in the origination system
C. Loan documentation is not purged from the system
D. Duplicate loan applications are not flagged for attention
Selected Answer: B
Question #: 29
Topic #: 1
Which of the following is an audit reviewer’s PRIMARY role with regard to evidence?
A. Ensuring appropriate statistical sampling methods were used
B. Ensuring evidence is labeled to show it was obtained from an approved source
C. Ensuring unauthorized individuals do not tamper with evidence after it has been captured
D. Ensuring evidence is sufficient to support audit conclusions
Selected Answer: D
Question #: 26
Topic #: 1
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
A. Message encryption
B. Steganography
C. Certificate authority (CA)
D. Message digest
Selected Answer: D
Question #: 790
Topic #: 1
Which of the following techniques provides the BEST assurance of server availability over time?
A. Analyzing logs in the server administration console
B. Reviewing reported downtime from users
C. Evaluating downtime based on planned outages
D. Manually pinging the server on a daily basis
Selected Answer: C
Question #: 1387
Topic #: 1
Which of the following findings related to an organization’s information security policy should be of GREATEST concern to an IS auditor?
A. The policy has not been communicated to all staff members and training has not been scheduled.
B. The policy has not addressed requirements for regular penetration testing.
C. The policy has not defined organizational roles and responsibilities for information security.
D. The policy is not developed in accordance with a globally accepted information security standard.
Selected Answer: C
Question #: 25
Topic #: 1
Which of the following MOST effectively minimizes downtime during system conversions?
A. Phased approach
B. Parallel run
C. Direct cutover
D. Pilot study
Selected Answer: B
Question #: 23
Topic #: 1
Which of the following is the MOST important reason for IS auditors to perform post-implementation reviews for critical IT projects?
A. To determine whether vendors should be paid for project deliverables
B. To provide the audit committee with an assessment of project team performance
C. To provide guidance on the financial return on investment (ROI) of projects
D. To determine whether the organization’s objectives were met as expected
Selected Answer: D
Question #: 20
Topic #: 1
An emergency power-off switch should:
A. not be in the computer room.
B. not be identified.
C. be protected.
D. be illuminated.
Selected Answer: C
Question #: 15
Topic #: 1
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same areas simultaneously, which of the following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Roll forward the general controls audit to the subsequent audit year.
D. Request that the external audit team leverage the internal audit work.
Selected Answer: A
Question #: 14
Topic #: 1
Upon completion of audit work, an IS auditor should:
A. provide a report to the auditee stating the initial findings.
B. provide a report to senior management prior to discussion with the auditee.
C. distribute a summary of general findings to the members of the auditing team.
D. review the working papers with the auditee.
Selected Answer: A
Question #: 11
Topic #: 1
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
A. Conceal data devices and information labels.
B. Issue an access card to the vendor.
C. Monitor and restrict vendor activities.
D. Restrict use of portable and wireless devices.
Selected Answer: C
Question #: 9
Topic #: 1
Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
A. Estimating potential damage
B. Identifying vulnerable assets
C. Evaluating the likelihood of attack
D. Assessing the impact of vulnerabilities
Selected Answer: B
Question #: 3
Topic #: 1
Which of the following is the GREATEST risk if two users have concurrent access to the same database record?
A. Entity integrity
B. Availability integrity
C. Referential integrity
D. Data integrity
Selected Answer: D
Question #: 314
Topic #: 1
During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor’s BEST course of action?
A. Add testing of third-party access controls to the scope of the audit.
B. Plan to test these controls in another audit.
C. Determine whether the risk has been identified in the planning documents.
D. Escalate the deficiency to audit management.
Selected Answer: C