CISA Topic 5
Question #: 309
Topic #: 1
When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained. Which of the following is the auditor’s BEST course of action?
A. Reevaluate internal controls
B. Re-perform past audits to ensure independence
C. Inform senior management
D. Inform audit management
Selected Answer: A
Question #: 308
Topic #: 1
A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?
A. Utilize new system development tools to improve productivity.
B. Deliver only the core functionality on the initial target date.
C. Implement overtime pay and bonuses for all development staff.
D. Recruit IS staff to expedite system development.
Selected Answer: D
Question #: 304
Topic #: 1
An organization is running servers with critical business applications that are in an area subject to frequent but brief power outages. Knowledge of which of the following would allow the organization’s management to monitor the ongoing adequacy of the uninterruptible power supply (UPS)?
A. Duration and interval of the power outages
B. Business impact of server downtime
C. Number of servers supported by the UPS
D. Mean time to recover servers after failure
Selected Answer: A
Question #: 303
Topic #: 1
An organization considers implementing a system that uses a technology that is not in line with the organization’s IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?
A. The system makes use of state-of-the-art technology.
B. The system has a reduced cost of ownership.
C. The organization has staff familiar with the technology.
D. The business benefits are achieved even with extra costs.
Selected Answer: D
Question #: 457
Topic #: 1
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization’s privacy policy?
A. Globally accepted privacy best practices
B. Historical privacy breaches and related root causes
C. Benchmark studies of similar organizations
D. Local privacy standards and regulations
Selected Answer: D
Question #: 428
Topic #: 1
Which of the following is MOST important to consider when assessing the scope of privacy concerns for an IT project?
A. Business requirements and data flows
B. Applicable laws and regulations
C. Data ownership
D. End user access rights
Selected Answer: B
Question #: 127
Topic #: 1
An employee has accidentally posted confidential data to the company’s social media page. Which of the following is the BEST control to prevent this from recurring?
A. Establish two-factor access control for social media accounts.
B. Implement a moderator approval process.
C. Require all updates to be made by the marketing director.
D. Perform periodic audits of social media updates.
Selected Answer: B
Question #: 119
Topic #: 1
Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?
A. Create tactical and strategic IS plans.
B. Make provisions in the budgets for potential upgrades.
C. Invest in current technology.
D. Create a technology watch team that evaluates emerging trends.
Selected Answer: C
Question #: 272
Topic #: 1
Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
A. Peer organization staffing benchmarks
B. Human resources (HR) sourcing strategy
C. Budgeted forecast for the next financial year
D. Records of actual time spent on projects
Selected Answer: C
Question #: 267
Topic #: 1
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
A. deleted data cannot easily be retrieved.
B. backup copies of files were not deleted as well.
C. deleting all files separately is not as efficient as formatting the hard disk.
D. deleting the files logically does not overwrite the files’ physical data.
Selected Answer: D
Question #: 266
Topic #: 1
When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:
A. legitimate packets blocked by the system have increased.
B. false positives have been reported.
C. detected events have increased.
D. actual attacks have not been identified.
Selected Answer: D
Question #: 265
Topic #: 1
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
A. Post-implementation review objectives
B. Business case
C. Rollback strategy
D. Test cases
Selected Answer: C
Question #: 261
Topic #: 1
An organization has replaced all of the storage devices at its primary data center with new, higher capacity units. The replaced devices have been installed at the disaster recovery site to replace older units. An IS auditor’s PRIMARY concern would be whether:
A. the recovery site devices can handle the storage requirements.
B. the procurement was in accordance with corporate policies and procedures.
C. the relocation plan has been communicated to all concerned parties.
D. a hardware maintenance contract is in place for both old and new storage devices.
Selected Answer: A
Question #: 260
Topic #: 1
During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
A. Ask management why the regulatory changes have not been included.
B. Report the missing regulatory updates to the chief information officer (CIO).
C. Discuss potential regulatory issues with the legal department.
D. Exclude recent regulatory changes from the audit scope.
Selected Answer: A
Question #: 242
Topic #: 1
Using swipe cards to limit employee access to restricted areas requires implementing which additional control?
A. Physical sign-in of all employees for access to restricted areas
B. Initial escort of all new hires by a current employee
C. Periodic review of access profiles by management
D. Employee-access criteria determined on the basis of IS experience
Selected Answer: C
Question #: 241
Topic #: 1
Which type of attack poses the GREATEST risk to an organization’s most sensitive data?
A. Spear phishing attack
B. Insider attack
C. Password attack
D. Eavesdropping attack
Selected Answer: B
Question #: 206
Topic #: 1
A checksum is classified as which type of control?
A. Preventive control
B. Detective control
C. Administrative control
D. Corrective control
Selected Answer: B
Question #: 202
Topic #: 1
An organization has implemented a quarterly job schedule to update database tables so prices are adjusted in line with a price index. These changes do not go through the regular change management process. Which of the following is the MOST important control to have in place?
A. An overarching approval is obtained from the change advisory board.
B. User acceptance testing (UAT) is performed after the production run.
C. Each production run is approved by an authorized individual.
D. Exception reports are generated to identify anomalies.
Selected Answer: A
Question #: 195
Topic #: 1
An audit of environmental controls at a data center could include a review of the:
A. local alarms on emergency exits.
B. logs recording visitors to the data center.
C. list of employees authorized to enter the data center.
D. ceiling space to ensure that there are no wet pipes.
Selected Answer: D
Question #: 192
Topic #: 1
An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?
A. Configure users on the mobile device management (MDM) solution.
B. Create inventory records of personal devices.
C. Implement an acceptable use policy.
D. Conduct security awareness training.
Selected Answer: C
Question #: 191
Topic #: 1
During an audit of an organization’s financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?
A. Increase the compliance testing of the application controls.
B. Place greater reliance on the application controls.
C. Increase the substantive testing of the financial balances.
D. Place greater reliance on the framework of control.
Selected Answer: C
Question #: 116
Topic #: 1
An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?
A. Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees
B. Monitoring employees’ social networking usage
C. Establishing strong access controls on confidential data
D. Providing education and guidelines to employees on use of social networking sites
Selected Answer: D
Question #: 450
Topic #: 1
Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
A. Server crashes
B. Customer service complaints
C. Penetration testing
D. Automated monitoring of logs
Selected Answer: D
Question #: 1373
Topic #: 1
When utilizing attribute sampling, which of the following would cause the sample size to increase?
A. Tolerable error rate decrease
B. Expected error rate decrease
C. Population size decrease
D. Acceptable risk level increase
Selected Answer: A
Question #: 1319
Topic #: 1
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
A. increased.
B. reduced.
C. eliminated.
D. unchanged.
Selected Answer: B
Question #: 1316
Topic #: 1
Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?
A. Identify business risks associated with the observations.
B. Validate the audit observations.
C. Assist the management with control enhancements.
D. Record the proposed course of corrective action.
Selected Answer: B
Question #: 79
Topic #: 1
During which process is regression testing MOST commonly used?
A. Unit testing
B. System modification
C. Stress testing
D. Program development
Selected Answer: B
Question #: 1196
Topic #: 1
An IS auditor is providing input to an RFP to acquire a financial application system. Which of the following is MOST important for the auditor to recommend?
A. The application should meet the organization’s requirements.
B. Vendor employee background checks should be conducted regularly.
C. Audit trails should be included in the design.
D. Potential suppliers should have experience in the relevant area.
Selected Answer: A
Question #: 1066
Topic #: 1
An IS auditor conducts a review of a third-party vendor’s reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
A. Some KPIs are not documented.
B. KPIs are not clearly defined.
C. KPIs have never been updated.
D. KPI data is not being analyzed.
Selected Answer: D
Question #: 1165
Topic #: 1
Which of the following is the PRIMARY purpose of performing a parallel run of a new system?
A. To verify the new system provides required business functionality
B. To identify any errors in the program and file interfaces immediately
C. To compare the key performance indicators (KPIs) of the new and old systems
D. To verify the new system produces the expected results
Selected Answer: D
Question #: 1101
Topic #: 1
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
A. Network performance testing
B. User acceptance testing (UAT)
C. Unit testing
D. Regression testing
Selected Answer: D
Question #: 1082
Topic #: 1
Which of the following is MOST important for an IS auditor to verify when reviewing a management information system (MIS)?
A. Backup frequency
B. Data quality
C. Data access
D. System performance
Selected Answer: B
Question #: 1022
Topic #: 1
An IS auditor is reviewing results from the testing of an organization’s disaster recovery plan (DRP). Which of the following findings should be of GREATEST concern?
A. The testing was done after implementing a business application.
B. The backups at the DR site are not encrypted.
C. The testing was done during critical business hours.
D. The backups at the DR site are unreadable.
Selected Answer: D
Question #: 588
Topic #: 1
An IS auditor notes that application super-user activity was not recorded in system logs. What is the auditor’s BEST course of action?
A. Investigate the reason for the lack of logging.
B. Report the issue to the audit manager.
C. Recommend activation of super-user activity logging.
D. Recommend a least-privilege access model.
Selected Answer: A
Question #: 1104
Topic #: 1
An IS auditor observes that a large number of departed employees have not been removed from the accounts payable system. Which of the following is MOST important to determine in order to assess the risk?
A. The ability of departed employees to actually access the system
B. The frequency of user access reviews performed by management
C. The process for terminating access of departed employees
D. The frequency of intrusion attempts associated with the accounts payable
Selected Answer: C
Question #: 1039
Topic #: 1
Which of the following is MOST useful for matching records of incoming and outgoing personnel to identify tailgating in physical security logs?
A. Discovery sampling methodology
B. Continuous auditing
C. Data analytics tools
D. Reconciliation with HR records
Selected Answer: C
Question #: 147
Topic #: 1
The PRIMARY advantage of object-oriented technology is enhanced:
A. grouping of objects into methods for data access.
B. management of sequential program execution for data access.
C. management of a restricted variety of data types for a data object.
D. efficiency due to the re-use of elements of logic.
Selected Answer: D
Question #: 146
Topic #: 1
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
A. Developing a risk-based plan considering each entity’s business processes
B. Conducting an audit of newly introduced IT policies and procedures
C. Revising IS audit plans to focus on IT changes introduced after the split
D. Increasing the frequency of risk-based IS audits for each business entity
Selected Answer: A
Question #: 134
Topic #: 1
Which of the following is MOST effective in detecting an intrusion attempt?
A. Using packet filter software
B. Using smart cards with one-time passwords
C. Installing biometrics-based authentication
D. Analyzing system logs
Selected Answer: D
Question #: 124
Topic #: 1
Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?
A. To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value
B. To evaluate the cost-benefit of tools implemented to monitor control performance
C. To enable conclusions about the performance of the processes and target variances for follow-up analysis
D. To assess the functionality of a software deliverable based on business processes
Selected Answer: C
Question #: 1204
Topic #: 1
Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?
A. Automated reconciliations
B. Exception reporting
C. Manual checks
D. Continuous auditing
Selected Answer: D
Question #: 1209
Topic #: 1
An IS auditor reviewing the physical access section of a security plan for a data center should expect to find that:
A. entry points requiring different rules of access have been identified.
B. access to environmental controls is well labeled.
C. the data center has mantraps on entrances and exits.
D. the access devices are connected to a remote management system.
Selected Answer: C
Question #: 1237
Topic #: 1
Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?
A. IT administrators have access to the production and development environment.
B. Some user acceptance testing (UAT) was completed by members of the IT team.
C. Post-implementation testing is not conducted for all system releases.
D. Access to change testing strategy and results is not restricted to staff outside the IT team.
Selected Answer: C
Question #: 1246
Topic #: 1
Which of the following is the PRIMARY way in which data analytics tools increase audit quality and execution efficiencies?
A. Enabling the evaluation of data within IT systems to allow full population testing
B. Facilitating access to confidential client data for analysis
C. Providing a narrowed risk focus for more targeted testing procedures
D. Detecting certain types of fraud in order to predict future fraud scenarios
Selected Answer: A
Question #: 1157
Topic #: 1
While conducting an IT operations audit, an internal IS auditor discovers there are backup media missing that potentially contain unencrypted data. Which of the following should be the IS auditor’s NEXT step?
A. Review the backup media policy and procedures.
B. Notify legal and regulatory authorities of the lost media.
C. Write a report regarding the missing media.
D. Determine what data is on the missing media.
Selected Answer: D
Question #: 1152
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?
A. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.
B. Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs).
C. Preventive maintenance has not been approved by the information system owner.
D. Preventive maintenance costs exceed the business’s allocated budget.
Selected Answer: B
Question #: 1145
Topic #: 1
Which of the following is the BEST source of information for examining the classification of new data?
A. Current level of protection
B. Input by data custodians
C. Security policy requirements
D. Risk assessment results
Selected Answer: D
Question #: 1142
Topic #: 1
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
A. Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date.
B. Review a sample of PCRs for proper approval throughout the program change process.
C. Trace a sample of complete PCR forms to the log of all program changes.
D. Trace a sample of program changes from the log to completed PCR forms.
Selected Answer: D
Question #: 1135
Topic #: 1
Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?
A. Monitoring tools are configured to alert in case of downtime.
B. A comprehensive security review is performed every quarter.
C. Data for different tenants is segregated by database schema.
D. Tenants are required to implement data classification policies.
Selected Answer: D
Question #: 1103
Topic #: 1
Which type of device sits on the perimeter of a corporate or home network, where it obtains a public IP address and then generates private IP addresses internally?
A. Gateway
B. Switch
C. Intrusion prevention system (IPS)
D. Router
Selected Answer: D
Question #: 1073
Topic #: 1
Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?
A. Data security requirements are not considered.
B. Additional training is required for end users.
C. The system is not supported by the IT department.
D. Corporate procurement standards are not followed.
Selected Answer: A
Question #: 1040
Topic #: 1
An IS auditor assesses an organization’s backup management practices for optimization potential. Which of the following features of a regular backup tape reorganization job BEST enables the organization to realize cost savings?
A. Refreshed data written on tapes
B. Rotation of backup tapes
C. Decommissioning of old tapes
D. Defragmentation of data on tapes
Selected Answer: B
Question #: 1026
Topic #: 1
Which of the following should be an IS auditor’s PRIMARY consideration when evaluating the development and design of a privacy program?
A. Policies and procedures consistent with privacy guidelines
B. Industry practice and regulatory compliance guidance
C. Information security and incident management practices
D. Privacy training and awareness program for employees
Selected Answer: A
Question #: 1017
Topic #: 1
Which of the following should be the role of internal audit in an organization’s move to the cloud?
A. Identifying and mitigating risk to an acceptable level
B. Identifying impacts to organizational budgets and resources
C. Implementing security controls for data prior to migration
D. Serving as a trusted partner and advisor
Selected Answer: B
Question #: 1013
Topic #: 1
Which of the following would a digital signature MOST likely prevent?
A. Disclosure
B. Repudiation
C. Corruption
D. Unauthorized change
Selected Answer: B
Question #: 1011
Topic #: 1
Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?
A. Including project team members who can provide security expertise
B. Reverting to traditional waterfall software development life cycle (SDLC) techniques
C. Documenting security control requirements and obtaining internal audit sign off
D. Requiring the project to go through accreditation before release into production
Selected Answer: A
Question #: 1060
Topic #: 1
Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?
A. Interviewing business management
B. Using a continuous auditing module
C. Confirming accounts
D. Reviewing program documentation
Selected Answer: B
Question #: 1046
Topic #: 1
Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?
A. Consider stakeholder concerns when defining the EA.
B. Conduct EA reviews as part of the change advisory board.
C. Perform mandatory post-implementation reviews of IT implementations.
D. Document the security view as part of the EA.
Selected Answer: C
Question #: 981
Topic #: 1
Which of the following BEST indicates that an organization’s risk management practices contribute to the effectiveness of internal IS audits?
A. The audit team participates in risk scenario development workshops.
B. The audit department utilizes the corporate risk register.
C. The audit department uses the existing risk analysis templates.
D. The audit department follows the same reporting format used by the IT risk function.
Selected Answer: B
Question #: 934
Topic #: 1
An IS auditor finds that a system receives identical information from two different upstream sources, even though redundancy is not required. Which of the following would BEST enable the organization to avoid this type of inefficiency?
A. Enterprise architecture (EA)
B. Normalized relational databases
C. Centralized data warehouse
D. Cyber architecture review
Selected Answer: A
Question #: 917
Topic #: 1
Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?
A. A combination of questionnaires, workshops, and interviews is used.
B. Outsourced business processes are excluded from the scope of the BIA.
C. Resource dependencies for critical processes are not determined.
D. Recovery objectives are identified without conducting risk assessments.
Selected Answer: D
Question #: 874
Topic #: 1
Which of the following is a threat to IS auditor independence?
A. Internal auditors recommend appropriate controls for systems in development.
B. Internal auditors attend IT steering committee meetings.
C. Internal auditors design remediation plans to address control gaps identified by internal audit.
D. Internal auditors share the audit plan and control test plans with management prior to audit commencement.
Selected Answer: C
Question #: 1034
Topic #: 1
Which of the following BEST describes the role of the IS auditor in a control self-assessment (CSA)?
A. Implementer
B. Approver
C. Reviewer
D. Facilitator
Selected Answer: D
Question #: 849
Topic #: 1
A sample for testing must include the 80 largest client balances and a random sample of the rest. What should the IS auditor recommend?
A. Query the database
B. Use generalized audit software
C. Develop an integrated test facility (ITF)
D. Leverage a random number generator
Selected Answer: B
Question #: 952
Topic #: 1
Which of the following is the MOST effective way to assess the controls over the hardware maintenance process?
A. Review the hardware maintenance logs to confirm all recorded dates are within one year
B. Compare the hardware maintenance log with the recommended maintenance schedule
C. Validate that management tracks the mean time between failures (MTBFs)
D. Identify the required maintenance procedures and ensure the maintenance policy is in alignment
Selected Answer: D
Question #: 797
Topic #: 1
Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization’s information cannot be accessed?
A. Re-partitioning
B. Degaussing
C. Formatting
D. Data wiping
Selected Answer: D
Question #: 900
Topic #: 1
Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?
A. Deviation detection
B. Cluster sampling
C. Random sampling
D. Classification
Selected Answer: B
Question #: 890
Topic #: 1
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization’s job scheduling practices?
A. Job dependencies are undefined
B. Job processing procedures are missing
C. Most jobs are run manually
D. Jobs are executed during working hours
Selected Answer: C
Question #: 877
Topic #: 1
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?
A. Employees do not receive immediate notification of results.
B. Only new employees are required to attend the program.
C. The timing for program updates has not been determined.
D. Metrics have not been established to assess training results.
Selected Answer: B
Question #: 870
Topic #: 1
An IS auditor is reviewing an organization’s incident management processes and procedures. Which of the following observations should be the auditor’s GREATEST concern?
A. Ineffective incident classification
B. Ineffective post-incident review
C. Ineffective incident prioritization
D. Ineffective incident detection
Selected Answer: D
Question #: 866
Topic #: 1
An organization is planning to implement a work-from-home policy that allows users to work remotely as needed. Which of the following is the BEST solution for ensuring secure remote access to corporate resources?
A. Virtual desktop
B. Virtual private network (VPN)
C. Multi-factor authentication
D. Additional firewall rules
Selected Answer: B
Question #: 854
Topic #: 1
A disaster recovery plan (DRP) should include steps for:
A. negotiating contracts with disaster planning consultants
B. identifying application control requirements
C. obtaining replacement supplies
D. assessing and quantifying risk
Selected Answer: C
Question #: 852
Topic #: 1
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS auditor’s BEST recommendation?
A. Automate the transfer of data between systems as much as feasible.
B. Enable automatic encryption, decryption, and electronic signing of data files.
C. Have coders perform manual reconciliation of data between systems.
D. Implement software to perform automatic reconciliations of data between systems.
Selected Answer: D
Question #: 820
Topic #: 1
Which of the following methods would BEST ensure that IT strategy is in line with business strategy?
A. Break-even point analysis
B. Business impact analysis (BIA)
C. Critical path analysis
D. IT value analysis
Selected Answer: D
Question #: 814
Topic #: 1
The MOST critical security weakness of a packet level firewall is that it can be circumvented by:
A. deciphering the signature information of the packets
B. using a dictionary attack of encrypted passwords
C. intercepting packets and viewing passwords sent in clear text
D. changing the source address on incoming packets
Selected Answer: D
Question #: 526
Topic #: 1
Which of the following observations noted during a review of the organization’s social media practices should be of MOST concern to the IS auditor?
A. Not all employees using social media have attended the security awareness program.
B. The organization does not require approval for social media posts.
C. The organization does not have a documented social media policy.
D. More than one employee is authorized to publish on social media on behalf of the organization.
Selected Answer: C
Question #: 509
Topic #: 1
Which of the following security risks can be reduced by a properly configured network firewall?
A. SQL injection attacks
B. Phishing attacks
C. Denial of service (DoS) attacks
D. Insider attacks
Selected Answer: B
Question #: 482
Topic #: 1
Which of the following findings would be of GREATEST concern when auditing an organization’s end-user computing (EUC)?
A. Reduced oversight by the IT department
B. Inability to monitor EUC audit logs and activities
C. Errors flowed through to financial statements
D. Inconsistency of patching processes being followed
Selected Answer: B
Question #: 578
Topic #: 1
An IS auditor reviewing a project to acquire an IT-based solution learns the risk associated with project failure has been assessed as high. What is the auditor’s BEST course of action?
A. Reassess project costs to ensure they are within the organization’s risk tolerance.
B. Review benefits realization against the business case.
C. Inform management about potential losses due to project failure.
D. Review the risk monitoring process during project execution.
Selected Answer: D
Question #: 752
Topic #: 1
An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?
A. Administrative security can be provided for the client.
B. System administration can be better managed.
C. The security of the desktop PC is enhanced.
D. Desktop application software will never have to be upgraded.
Selected Answer: D
Question #: 471
Topic #: 1
Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
A. Data flow diagram
B. Systems flowchart
C. Entity-relationship diagram
D. Process flowchart
Selected Answer: D
Question #: 640
Topic #: 1
Capacity management enables organizations to:
A. establish the capacity of network communication links.
B. forecast technology trends.
C. identify the extent to which components need to be upgraded.
D. determine business transaction volumes.
Selected Answer: D
Question #: 591
Topic #: 1
An IS auditor performing a review of a newly purchased software program notes that an escrow agreement has been executed for acquiring the source code. What is MOST important for the IS auditor to verify?
A. The source code is being held by an independent third party.
B. Product acceptance testing has been completed.
C. The vendor is financially viable.
D. The source code is being updated for each change.
Selected Answer: D
Question #: 453
Topic #: 1
Which of the following responsibilities of an organization’s quality assurance (QA) function should raise concern for an IS auditor?
A. Ensuring the test work supports observations
B. Implementing solutions to correct defects
C. Updating development methodology
D. Ensuring standards are adhered to within the development process
Selected Answer: B
Question #: 451
Topic #: 1
Which of the following is the BEST indicator for measuring performance of the IT help desk function?
A. Percentage of problems raised from incidents
B. Number of reopened tickets
C. Number of incidents reported
D. Mean time to categorize tickets
Selected Answer: B
Question #: 446
Topic #: 1
Which of the following applications has the MOST inherent risk and should be prioritized during audit planning?
A. An internally developed application
B. An onsite application that is unsupported
C. A decommissioned legacy application
D. An outsourced accounting application
Selected Answer: A
Question #: 276
Topic #: 1
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization’s level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
A. Identifying data security threats in the affected jurisdiction
B. Reviewing data classification procedures associated with the affected jurisdiction
C. Identifying business processes associated with personal data exchange with the affected jurisdiction
D. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
Selected Answer: C
Question #: 1226
Topic #: 1
Concerned about a major data security breach, the chief executive officer (CEO) has asked for a detailed audit of the network security function. A recent reorganization has left the IS audit department with limited technical experience. The BEST course of action for the IS audit manager is to:
A. assign the most senior IS auditors to the network security audit.
B. accept the audit request but postpone the audit until network training can be obtained.
C. contract with an external organization to perform the audit.
D. give the audit high priority in next year’s audit plan.
Selected Answer: C
Question #: 414
Topic #: 1
Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
A. Specify implementation dates for the recommendations.
B. Ensure that the facts presented in the report are correct.
C. Communicate the recommendations to senior management.
D. Request input in determining corrective action.
Selected Answer: C
Question #: 384
Topic #: 1
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
A. Temperature sensors
B. Humidity sensors
C. Water sensors
D. Air pressure sensors
Selected Answer: C
Question #: 459
Topic #: 1
Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?
A. Short key length
B. Use of asymmetric encryption
C. Use of symmetric encryption
D. Random key generation
Selected Answer: A
Question #: 326
Topic #: 1
While reviewing an organization’s business continuity plan (BCP), an IS auditor observes that a recently developed application is not included. The IS auditor should:
A. ensure that the criticality of the application is determined.
B. include in the audit findings that the BCP is incomplete.
C. recommend that the application be incorporated in the BCP.
D. ignore the observation as the application is not mission critical.
Selected Answer: A
Question #: 1456
Topic #: 1
Which of the following is MOST helpful to a data owner when classifying the organization’s data?
A. Risk assessment results
B. Existing protection levels
C. Data retention policy
D. Corporate privacy statement
Selected Answer: C
Question #: 1044
Topic #: 1
A confidential file was sent to a legal entity, and hashing was used on the file. Which type of control has been applied?
A. Detective
B. Compensating
C. Corrective
D. Preventive
Selected Answer: A
Question #: 1087
Topic #: 1
A bank uses a system that requires monetary amounts found on check images to be input twice by two separate individuals. The system then identifies any mismatches between the first and second input. Which type of control has the bank implemented?
A. Detective
B. Corrective
C. Compensating
D. Deterrent
Selected Answer: A
Question #: 292
Topic #: 1
IT disaster recovery time objectives (RTOs) should be based on the:
A. maximum tolerable downtime (MTD).
B. nature of the outage.
C. maximum tolerable loss of data.
D. business-defined criticality of the systems.
Selected Answer: A
Question #: 444
Topic #: 1
Which of the following would BEST prevent the potential leakage of sensitive corporate data from personal mobile devices accessing corporate applications?
A. Limiting access and capabilities when connecting to the Internet
B. Creating a separate secure partition on the devices
C. Monitoring employee connections to the corporate network
D. Requiring employees to sign acknowledgment of an acceptable use policy
Selected Answer: B
Question #: 419
Topic #: 1
Which of the following is MOST helpful in preventing a systems failure from occurring when an application is replaced using the abrupt changeover technique?
A. Comprehensive testing
B. Comprehensive documentation
C. Threat and risk assessment
D. Change management
Selected Answer: A
Question #: 416
Topic #: 1
Which of the following is MOST critical for the effective implementation of IT governance?
A. Supportive corporate culture
B. Strong risk management practices
C. Documented policies
D. Internal auditor commitment
Selected Answer: A
Question #: 412
Topic #: 1
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization’s incident management processes?
A. Prioritization criteria are not defined.
B. Service management standards are not followed.
C. Expected time to resolve incidents is not specified.
D. Metrics are not reported to senior management.
Selected Answer: A
Question #: 456
Topic #: 1
Which of the following concerns is BEST addressed by securing production source libraries?
A. Changes are applied to the wrong version of production source libraries.
B. Programs are not approved before production source libraries are updated.
C. Unauthorized changes can be moved into production.
D. Production source and object libraries may not be synchronized.
Selected Answer: C
Question #: 307
Topic #: 1
A legacy application is running on an operating system that is no longer supported by the vendor. If the organization continues to use the current application, which of the following should be the IS auditor’s GREATEST concern?
A. Potential exploitation of zero-day vulnerabilities in the system
B. Inability to update the legacy application database
C. Increased cost of maintaining the system
D. Inability to use the operating system due to potential license issues
Selected Answer: A
Question #: 357
Topic #: 1
Which of the following is an IS auditor’s BEST recommendation to help an organization increase the efficiency of computing resources?
A. Hardware upgrades
B. Real-time backups
C. Virtualization
D. Overclocking the central processing unit (CPU)
Selected Answer: C
Question #: 343
Topic #: 1
When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?
A. Rollback procedures
B. Control requirements
C. User acceptance test (UAT) results
D. Functional requirements documentation
Selected Answer: C
Question #: 222
Topic #: 1
When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?
A. An information security governance audit was not conducted within the past year.
B. Information security policies are updated annually.
C. The data center manager has final sign-off on security projects.
D. The information security department has difficulty filling vacancies.
Selected Answer: C
Question #: 221
Topic #: 1
When conducting a requirements analysis for a project, the BEST approach would be to:
A. conduct a control self-assessment (CSA).
B. test operational deliverables.
C. prototype the requirements.
D. consult key stakeholders.
Selected Answer: B
Question #: 1179
Topic #: 1
A request for proposal (RFP) for the acquisition of computer hardware should include:
A. support and maintenance requirements.
B. detailed specification of the current hardware infrastructure.
C. the requirement that the supplier allow a right of audit.
D. maximum cost restriction.
Selected Answer: A
Question #: 1176
Topic #: 1
Which of the following should be used to evaluate an IT development project before an investment is committed?
A. Feasibility study
B. Function point analysis
C. Rapid application development
D. Earned value analysis (EVA)
Selected Answer: A
Question #: 331
Topic #: 1
Reconciliations have identified data discrepancies between an enterprise data warehouse and a revenue system for key financial reports. What is the GREATEST risk to the organization in this situation?
A. The key financial reports may no longer be produced.
B. Financial reports may be delayed.
C. Undetected fraud may occur.
D. Decisions may be made based on incorrect information.
Selected Answer: C
Question #: 311
Topic #: 1
Coding standards provide which of the following?
A. Access control tables
B. Data flow diagrams
C. Field naming conventions
D. Program documentation
Selected Answer: D
Question #: 305
Topic #: 1
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
A. A significant increase in authorized connections to third parties
B. A significant increase in cybersecurity audit findings
C. A significant increase in external attack attempts
D. A significant increase in approved exceptions
Selected Answer: C
Question #: 1245
Topic #: 1
During recent post-implementation reviews, an IS auditor has noted that several deployed applications are not being used by the business. The MOST likely cause would be the lack of:
A. change management.
B. IT portfolio management.
C. IT resource management.
D. system support documentation.
Selected Answer: B
Question #: 700
Topic #: 1
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
A. Frequency of business process capability maturity assessments
B. Percentage of enterprise risk assessments that include IT-related risk
C. Percentage of staff satisfied with their IT-related roles
D. Level of stakeholder satisfaction with the scope of planned IT projects
Selected Answer: D
Question #: 1213
Topic #: 1
Which of the following would be an IS auditor’s GREATEST concern when reviewing the organization’s business continuity plan (BCP)?
A. The recovery plan does not contain the process and application dependencies.
B. The duration of tabletop exercises is longer than the recovery point objective (RPO).
C. The recovery point objective (RPO) and recovery time objective (RTO) are not the same.
D. The duration of tabletop exercises is longer than the recovery time objective (RTO).
Selected Answer: A
Question #: 1385
Topic #: 1
Which of the following will invalidate the authenticity of digital evidence in a forensic investigation?
A. The investigator installed forensic software on the original drive that contained the evidence.
B. The evidence was collected from analysis of a copy of the disk data.
C. A software write blocker was used in the collection of the evidence.
D. The investigator collected the evidence while the machine was still powered on.
Selected Answer: A
Question #: 445
Topic #: 1
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
A. The review was performed by an external provider.
B. Management approved the PIR report.
C. Project outcomes have been realized.
D. Lessons learned were implemented.
Selected Answer: D
Question #: 365
Topic #: 1
Which of the following is the MOST appropriate role for an IS auditor assigned as a team member for a software development project?
A. Implementing controls within the software
B. Developing user acceptance testing (UAT) scripts
C. Performing a mid-term evaluation of the project management process
D. Monitoring assessed risk for the project
Selected Answer: D
Question #: 360
Topic #: 1
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
A. Developing and communicating test procedure best practices to audit teams
B. Centralizing procedures and implementing change control
C. Developing and implementing an audit data repository
D. Decentralizing procedures and implementing periodic peer review
Selected Answer: B
Question #: 1494
Topic #: 1
Which of the following BEST demonstrates alignment of the IT department with the corporate mission?
A. Annual board meetings
B. Biweekly reporting to senior management
C. Quarterly steering committee meetings
D. Analysis of IT department functionality
Selected Answer: A
Question #: 1416
Topic #: 1
An IS auditor reviewing incident response management processes notices that resolution times for recurring incidents have not shown improvement. Which of the following is the auditor’s BEST recommendation?
A. Implement a survey to determine future incident response training needs.
B. Introduce problem management into incident response.
C. Incorporate a security information and event management (SIEM) system into incident response.
D. Harden IT system and application components based on best practices.
Selected Answer: A
Question #: 1397
Topic #: 1
An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?
A. Document and track all IT decisions in a project management tool.
B. Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.
C. Schedule a follow-up audit in the next year to confirm whether IT processes have matured.
D. Discontinue all current IT projects until formal approval is obtained and documented.
Selected Answer: D
Question #: 718
Topic #: 1
Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?
A. Industry standards and best practices
B. The amount of time since the previous audit
C. The results of the previous audit
D. The design of controls
Selected Answer: D
Question #: 600
Topic #: 1
An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?
A. Service level management
B. Incident management
C. Problem management
D. Change management
Selected Answer: C
Question #: 673
Topic #: 1
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
A. Ad hoc monitoring of firewall activity
B. Use of stateful firewalls with default configuration
C. Potential back doors to the firewall software
D. Misconfiguration of the firewall rules
Selected Answer: D
Question #: 622
Topic #: 1
An IS auditor is reviewing an organization’s information asset management process. Which of the following would be of GREATEST concern to the auditor?
A. Process ownership has not been established.
B. Identification of asset value is not included in the process.
C. The process does not require specifying the physical locations of assets.
D. The process does not include asset review.
Selected Answer: A
Question #: 617
Topic #: 1
Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?
A. Issues resulting from an unsecured application automatically uploading transactions to the general ledger
B. Unauthorized salary or benefit changes to the payroll system generated by authorized users
C. Potentially fraudulent invoice payments originating within the accounts payable department
D. Completion of inappropriate cross-border transmission of personally identifiable information (PII)
Selected Answer: B
Question #: 1132
Topic #: 1
In which phase of the audit life cycle process are audit observations initially discussed with the client?
A. Follow-up phase
B. Planning phase
C. Execution phase
D. Reporting phase
Selected Answer: C
Question #: 612
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?
A. Metrics are not aligned with industry benchmarks.
B. Metrics were defined without stakeholder review.
C. Key performance indicators (KPIs) were met in only one month.
D. Performance reporting includes too many technical terms.
Selected Answer: B
Question #: 611
Topic #: 1
In order to be useful, a key performance indicator (KPI) MUST:
A. be approved by management.
B. be changed frequently to reflect organizational strategy.
C. have a target value.
D. be measurable in percentages.
Selected Answer: B
Question #: 596
Topic #: 1
An IS auditor assessing the controls within a newly implemented call center would FIRST:
A. gather information from the customers regarding response times and quality of service.
B. test the technical infrastructure at the call center.
C. review the manual and automated controls in the call center.
D. evaluate the operational risk associated with the call center.
Selected Answer: D
Question #: 590
Topic #: 1
An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank’s customers. Which of the following controls is MOST important for the auditor to confirm is in place?
A. The default configurations have been changed.
B. All tables in the database are normalized.
C. The service port used by the database server has been changed.
D. The default administration account is used after changing the account password.
Selected Answer: A
Question #: 583
Topic #: 1
An IS auditor is asked to review a large organization’s change management process. Which of the following practices presents the GREATEST risk?
A. Transaction data changes can be made by a senior developer.
B. Change management tickets do not contain specific documentation.
C. A system administrator performs code migration on planned downtime.
D. Emergency code changes are promoted without user acceptance testing (UAT).
Selected Answer: A
Question #: 580
Topic #: 1
An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor’s BEST recommendation would be to:
A. recruit more monitoring personnel.
B. establish criteria for reviewing alerts.
C. reduce the firewall rules.
D. fine tune the intrusion detection system (IDS).
Selected Answer: D
Question #: 1377
Topic #: 1
Which of the following is the MOST efficient control that helps to ensure complete data transfer through an interface?
A. Use transmission encryption for data transfer between systems.
B. Use protocols that allow full duplex communication between source and destination systems.
C. Compare data hash values between the source and destination systems.
D. Conduct code reviews of data transfer encoders and decoders in source and destination systems.
Selected Answer: D
Question #: 1364
Topic #: 1
Which of the following issues identified during a formal review of an organization’s information security policies presents the GREATEST potential risk to the organization?
A. The policies have not been reviewed by the risk management committee.
B. The policies are not based on industry best practices for information security.
C. The policies are not aligned with the information security risk appetite.
D. The policies are not available to key risk stakeholders.
Selected Answer: D
Question #: 1361
Topic #: 1
A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
A. Enterprise architecture (EA)
B. Business impact analysis (BIA)
C. Business objectives
D. Recent incident trends
Selected Answer: A
Question #: 1320
Topic #: 1
Which of the following management actions would BEST enable an IS auditor to make the most efficient use of analytics software during an audit?
A. Reviewing audit findings to determine accuracy and relevance
B. Deploying analytics tools that use natural language processing
C. Providing access to data that is complete and accurate
D. Granting the auditor access to anonymized customer data
Selected Answer: C
Question #: 466
Topic #: 1
Which of the following would be MOST useful to an IS auditor confirming that an IS department meets its service level agreements (SLAs)?
A. System utilization reports
B. Capacity planning tools
C. System downtime reports
D. IS strategic plan
Selected Answer: C
Question #: 1090
Topic #: 1
Which of the following is the ULTIMATE objective of performing a phishing simulation test?
A. To improve the level of security awareness
B. To remove the need to install spam filtering
C. To reduce the likelihood of cyber incidents
D. To identify the occurrence of cyber events
Selected Answer: C
Question #: 644
Topic #: 1
An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?
A. The exact definition of the service levels and their measurement
B. The regular performance-reporting documentation
C. The alerting and measurement process on the application servers
D. The actual availability of the servers as part of a substantive test
Selected Answer: A
Question #: 984
Topic #: 1
The use of control totals satisfies which of the following control objectives?
A. Processing integrity
B. Transaction integrity
C. Distribution control
D. System recoverability
Selected Answer: A
Question #: 158
Topic #: 1
A computer forensic audit is MOST relevant in which of the following situations?
A. Inadequate controls in the IT environment
B. Mismatches in transaction data
C. Data loss due to hacking of servers
D. Missing server patches
Selected Answer: C
Question #: 956
Topic #: 1
Which of the following is MOST effective for controlling visitor access to a data center?
A. Visitors sign in at the front desk upon arrival
B. Pre-approval of entry requests
C. Visitors are escorted by an authorized employee
D. Closed-circuit television (CCTV) is used to monitor the facilities
Selected Answer: B
Question #: 1248
Topic #: 1
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?
A. Information security officer
B. Data architect
C. Database administrator (DBA)
D. Information owner
Selected Answer: B
Question #: 1501
Topic #: 1
An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP). Which of the following is the auditor’s BEST course of action?
A. Raise an audit issue for the lack of simulated testing.
B. Review the effectiveness of the business response.
C. Interview staff members to obtain commentary on the BCP’s effectiveness.
D. Confirm the BCP has been recently updated.
Selected Answer: A
Question #: 207
Topic #: 1
During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor’s BEST course of action?
A. Adjust the annual risk assessment accordingly.
B. Require the auditee to address the recommendations in full.
C. Evaluate senior management’s acceptance of the risk.
D. Update the audit program based on management’s acceptance of risk.
Selected Answer: C
Question #: 240
Topic #: 1
Prior to the migration of acquired software into production, it is MOST important that the IS auditor review the:
A. user acceptance test (UAT) report.
B. vendor testing report.
C. system documentation.
D. source code escrow agreement.
Selected Answer: A
Question #: 209
Topic #: 1
When implementing a new IT maturity model, which of the following should occur FIRST?
A. Determine the model elements to be evaluated.
B. Benchmark with industry peers.
C. Define the target IT maturity level.
D. Develop performance metrics.
Selected Answer: A
Question #: 277
Topic #: 1
When responding to an ongoing denial of service (DoS) attack, an organization’s FIRST course of action should be to:
A. minimize impact.
B. investigate damage.
C. analyze the attack path.
D. restore service.
Selected Answer: A
Question #: 273
Topic #: 1
A bank’s web-hosting provider has just completed an internal IT security audit and provides only a summary of the findings to the bank’s auditor. Which of the following should be the bank’s GREATEST concern?
A. The audit scope may not have addressed critical areas.
B. The audit procedures are not provided to the bank.
C. The bank’s auditors are not independent of the service provider.
D. The audit may be duplicative of the bank’s internal audit procedures.
Selected Answer: A