CISA Topic 6
Question #: 436
Topic #: 1
Which of the following demonstrates the use of data analytics for a loan origination process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing system.
B. Validating whether reconciliations between the two systems are performed and discrepancies are investigated.
C. Comparing a population of loans input in the origination system to loans booked on the servicing system.
D. Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure.
Selected Answer: C
Question #: 964
Topic #: 1
Which of the following should be identified FIRST during the risk assessment process?
A. Vulnerability
B. Existing controls
C. Legal requirements
D. Information assets
Selected Answer: D
Question #: 962
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization’s release management processes?
A. Release management policies have not been updated in the past two years.
B. Identify assets to be protected.
C. Evaluate controls in place.
D. Identify potential threats.
Selected Answer: C
Question #: 959
Topic #: 1
Which of the following is the PRIMARY reason an IS auditor would recommend offsite backups although critical data is already on a redundant array of inexpensive disks (RAID)?
A. The array cannot recover from a natural disaster.
B. The array relies on proper maintenance.
C. The array cannot offer protection against disk corruption.
D. Disks of the array cannot be hot-swapped for quick recovery.
Selected Answer: A
Question #: 909
Topic #: 1
Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s capacity management planning?
A. Many of the resource requirements are based on estimates
B. The organization is increasingly dependent on the use of cloud providers
C. Some planning areas are not well developed
D. Current resource utilization is not monitored
Selected Answer: D
Question #: 889
Topic #: 1
When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the:
A. scope and methodology meet audit requirements
B. service provider is independently certified and accredited
C. report was released within the last 12 months
D. report confirms that service levels were not violated
Selected Answer: A
Question #: 858
Topic #: 1
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor’s GREATEST concern with this situation?
A. Incomplete requirements
B. Inadequate deliverables
C. Unclear benefits
D. Unrealistic milestones
Selected Answer: A
Question #: 227
Topic #: 1
An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization’s objectives?
A. Periodic audits of controls by an independent auditor
B. Adequacy of the service provider’s insurance
C. Assessment of the personnel training processes of the provider
D. Review of performance against service level agreements (SLAs)
Selected Answer: A
Question #: 219
Topic #: 1
During the implementation of an enterprise resource planning (ERP) system, an IS auditor is reviewing the results of user acceptance testing (UAT). The auditor’s PRIMARY focus should be to determine if:
A. application interfaces have been satisfactorily tested.
B. all errors found in the testing process have been corrected.
C. the business process owner has signed off on the results.
D. system integration testing was performed.
Selected Answer: C
Question #: 1352
Topic #: 1
An IS auditor has been asked to review an organization’s IT resource management practices. Which of the following findings should be of GREATEST concern?
A. An existing vacancy for an IT administrator
B. The lack of a confidentiality agreement for IT management
C. Insufficient IT training
D. An undocumented IT strategy
Selected Answer: D
Question #: 1324
Topic #: 1
Halfway through an enterprise-wide project to implement business solutions, an IS auditor is called in to do a project risk evaluation. The results from this audit are to be communicated directly to the project steering committee. What should the auditor do FIRST?
A. Assess the project organization and actual cost incurred.
B. Interview the project manager about the project scope and current status.
C. Review the organization’s project management framework.
D. Perform a risk assessment of the project based on best practices.
Selected Answer: C
Question #: 1033
Topic #: 1
Before the release of a new application into an organization’s production environment, which of the following should be in place to ensure that proper testing has occurred and rollback plans are in place?
A. Independent third-party approval
B. Standardized change requests
C. Secure code review
D. Change approval board
Selected Answer: B
Question #: 966
Topic #: 1
What would be the PRIMARY reason for an IS auditor to recommend using key risk indicators (KRIs)?
A. To keep the risk register updated
B. To eliminate unnecessary risk
C. To determine whether risk is changing
D. To align resources with the greatest risk
Selected Answer: D
Question #: 798
Topic #: 1
Which of the following is the BEST indication of effective IT investment management?
A. IT investments are mapped to specific business objectives.
B. The IT investment budget is significantly below industry benchmarks.
C. IT investments are implemented and monitored following a system development life cycle (SDLC).
D. Key performance indicators (KPIs) are defined for each business requiring IT investment.
Selected Answer: A
Question #: 655
Topic #: 1
What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
A. Validate the overall effectiveness of the internal control.
B. Determine the resources required to make the control effective.
C. Verify the impact of the control no longer being effective.
D. Ascertain the existence of other compensating controls.
Selected Answer: C
Question #: 788
Topic #: 1
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor’s NEXT course of action?
A. Report the security posture of the organization.
B. Determine the risk of not replacing the firewall.
C. Report the mitigating controls.
D. Determine the value of the firewall.
Selected Answer: B
Question #: 800
Topic #: 1
Which of the following should be an IS auditor’s GREATEST concern when an international organization intends to roll out a global data privacy policy?
A. Requirements may become unreasonable.
B. Local management may not accept the policy.
C. Local regulations may contradict the policy.
D. The policy may conflict with existing application requirements.
Selected Answer: C
Question #: 789
Topic #: 1
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor’s GREATEST concern?
A. The replacement is occurring near year-end reporting.
B. Data migration is not part of the contracted activities.
C. Testing was performed by the third-party consultant.
D. The user department will manage access rights.
Selected Answer: A
Question #: 787
Topic #: 1
From an IS auditor’s perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
A. Inability to determine the cost of deployed software
B. Inability to close unused ports on critical servers
C. Inability to identify unused licenses within the organization
D. Inability to deploy updated security patches
Selected Answer: D
Question #: 350
Topic #: 1
When conducting a post-implementation review of a new software application, an IS auditor should be MOST concerned with an increasing number of:
A. change requests approved to add new services.
B. updates required for the end-user operations manual.
C. operational errors impacting service delivery.
D. help desk calls requesting future enhancements.
Selected Answer: C
Question #: 310
Topic #: 1
An information systems security officer’s PRIMARY responsibility for business process applications is to:
A. create role-based rules for each business process.
B. approve the organization’s security policy.
C. ensure access rules agree with policies.
D. authorize secured emergency access.
Selected Answer: C
Question #: 818
Topic #: 1
A data center’s physical access log system captures each visitor’s identification document numbers along with the visitor’s photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
A. Attribute sampling
B. Quota sampling
C. Variable sampling
D. Haphazard sampling
Selected Answer: A
Question #: 803
Topic #: 1
Which of the following would BEST indicate the effectiveness of a security awareness training program?
A. Employee satisfaction with training
B. Reduced unintentional violations
C. Results of third-party social engineering tests
D. Increased number of employees completing training
Selected Answer: C
Question #: 996
Topic #: 1
Which of the following is BEST supported by enforcing data definition standards within a database?
A. Data confidentiality
B. Data security
C. Data formatting
D. Data retention
Selected Answer: C
Question #: 699
Topic #: 1
Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
A. To document lessons learned to improve future project delivery
B. To align project objectives with business needs
C. To determine whether project objectives in the business case have been achieved
D. To ensure key stakeholder sign-off has been obtained
Selected Answer: C
Question #: 258
Topic #: 1
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
A. Re-perform the calculation with audit software.
B. Review the source code related to the calculation.
C. Review sign-off documentation.
D. Inspect user acceptance test (UAT) results.
Selected Answer: B
Question #: 958
Topic #: 1
Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of an organization’s social media practices?
A. Some employees have not received adequate training in the use of social media.
B. The organization does not have a social media policy.
C. Employees are using corporate devices to access mainstream social media websites.
D. Employees are using corporate branding on personal social media postings.
Selected Answer: B
Question #: 1058
Topic #: 1
Which of the following would be MOST important to include in an IS audit report?
A. Observations not reported as findings due to inadequate evidence
B. The roadmap for addressing the various risk areas
C. Specific technology solutions for each audit observation
D. The level of unmitigated risk along with business impact
Selected Answer: B
Question #: 638
Topic #: 1
Which of the following provides the BEST evidence that a third-party service provider’s information security controls are effective?
A. Documentation of the service provider’s security configuration controls
B. An audit report of the controls by the service provider’s external auditor
C. An interview with the service provider’s information security officer
D. A review of the service provider’s policies and procedures
Selected Answer: B
Question #: 576
Topic #: 1
Which of the following should be reviewed FIRST when assessing the effectiveness of an organization’s network security procedures and controls?
A. Malware defenses
B. Inventory of authorized devices
C. Data recovery capability
D. Vulnerability remediation
Selected Answer: B
Question #: 1331
Topic #: 1
A security administrator is called in the middle of the night by the on-call programmer. A number of programs have failed, and the programmer has asked for access to the live system. What is the BEST course of action?
A. Review activity logs the following day and investigate any suspicious activity.
B. Give the programmer read-only access to investigate the problem.
C. Require that a change request be completed and approved.
D. Give the programmer an emergency ID for temporary access and review the activity.
Selected Answer: D
Question #: 976
Topic #: 1
Which of the following BEST enables an organization to control which software can be installed on a user’s computer?
A. Access list
B. Capabilities list
C. Baseline list
D. Blocked list
Selected Answer: C
Question #: 929
Topic #: 1
An IS audit reveals an organization has decided not to implement a new regulation by the required deadline because the cost of rapid implementation is higher than the penalty for noncompliance. Which of the following is the auditor’s BEST course of action?
A. Ensure a gap analysis is conducted
B. Ensure regulatory reporting is completed
C. Ensure the risk register is updated
D. Ensure risk acceptance is documented
Selected Answer: D
Question #: 913
Topic #: 1
The GREATEST limitation of a network-based intrusion detection system (IDS) is that it:
A. provides only for active rather than passive IDS monitoring
B. does not monitor for denial of service (DoS) attacks
C. consumes excessive network resources for detection
D. does not detect attacks originating on the server hosting the IDS
Selected Answer: D
Question #: 1041
Topic #: 1
Which of the following is MOST important to define within a disaster recovery plan (DRP)?
A. Roles and responsibilities for recovery team members
B. Test results for backup data restoration
C. A comprehensive list of disaster recovery scenarios and priorities
D. Business continuity plan (BCP)
Selected Answer: A
Question #: 1036
Topic #: 1
Which of the following is the PRIMARY objective of cyber resiliency?
A. To efficiently and effectively recover from an incident with limited operational impact
B. To prevent potential attacks or disruptions in operations
C. To limit the severity of security breaches and maintain continuous operations
D. To resume normal operations after service disruptions
Selected Answer: A
Question #: 1096
Topic #: 1
An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system. Which of the following stakeholders is MOST important to involve in this review?
A. Quality assurance (QA) manager
B. Business department executive
C. Information security manager
D. Business process owner
Selected Answer: D
Question #: 1091
Topic #: 1
Which of the following is MOST important to include in a data retention policy to reduce legal liabilities associated with information life cycle management?
A. Ensuring that unnecessary data is not stored.
B. Reducing the cost of data storage through media sanitization.
C. Ensuring that personal information is destroyed.
D. Requiring that data be securely wiped so it cannot be restored for legal discovery.
Selected Answer: A
Question #: 1081
Topic #: 1
During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor’s BEST course of action?
A. Report the deviation by the control owner in the audit report.
B. Cancel the follow-up audit and reschedule for the next audit period.
C. Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.
D. Request justification from management for not implementing the recommended control.
Selected Answer: C
Question #: 1062
Topic #: 1
One advantage of monetary unit sampling is the fact that
A. large-value population items are segregated and audited separately.
B. it can easily be applied manually when computer resources are not available.
C. it increases the likelihood of selecting material items from the population.
D. results are stated in terms of the frequency of items in error.
Selected Answer: C
Question #: 1195
Topic #: 1
An organization has just created a new data classification scheme and needs to define how it will operate within the organization. What should be the NEXT step?
A. Create a list of all data owners and custodians.
B. Create a set of standards and procedures.
C. Hire a specialized auditor to assess the implementation.
D. Conduct workshops for each business unit.
Selected Answer: B
Question #: 1192
Topic #: 1
An organization’s security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
A. To collect digital evidence of cyberattacks
B. To provide training to security managers
C. To attract attackers in order to study their behavior
D. To test the intrusion detection system (IDS)
Selected Answer: C
Question #: 1187
Topic #: 1
Which of the following is MOST important to ensuring the IT governance function can fulfill its responsibilities?
A. IT governance has created a roadmap for realizing business gains.
B. IT governance takes leadership on control cost reduction.
C. IT governance ensures that IT strategies are openly shared across the organization.
D. IT governance remains independent from production processes.
Selected Answer: C
Question #: 1182
Topic #: 1
As part of the architecture of virtualized environments, in a bare metal or native virtualization the hypervisor runs without:
A. any applications on the guest operating system.
B. a guest operating system.
C. any applications on the host operating system.
D. a host operating system.
Selected Answer: D
Question #: 1173
Topic #: 1
Which of the following BEST enables an IS auditor to understand the shared control requirements between multiple cloud service providers and the customer organization?
A. Roles and responsibilities of the IT professionals working under a shared responsibility model
B. An industry-accepted cloud security framework for which all parties have obtained certification
C. Logs produced by a cloud access security broker (CASB) monitoring the multi-cloud solution
D. A risk and controls matrix that documents a clear set of actions for each party
Selected Answer: D
Question #: 1170
Topic #: 1
Which of the following is the PRIMARY responsibility of an internal IS auditor regarding IT controls?
A. Providing independent assurance to the public over IT controls implemented by the organization
B. Continuously monitoring IT control operations and reporting any abnormal or exceptional cases
C. Designing and deploying IT controls as part of normal operations
D. Validating IT control effectiveness after implementation across the organization
Selected Answer: D
Question #: 664
Topic #: 1
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor’s BEST action?
A. Explain to IT management that the new control will be evaluated during follow-up.
B. Add comments about the action taken by IT management in the report.
C. Change the conclusion based on evidence provided by IT management.
D. Re-perform the audit before changing the conclusion.
Selected Answer: D
Question #: 1288
Topic #: 1
Which of the following is MOST important for the effective implementation of an intrusion detection system (IDS)?
A. Providing logs for monitoring and reporting
B. Configuring the security policy in line with best practice
C. Setting alarms for late night traffic
D. Auto-installing updates
Selected Answer: B
Question #: 1263
Topic #: 1
Where should photoelectric smoke detectors be installed to improve fire detection at an offsite data processing facility?
A. Entry points
B. Air vents
C. Server cages
D. Exit points
Selected Answer: C
Question #: 1252
Topic #: 1
Which of the following would be of GREATEST concern to an IS auditor conducting an audit of an organization’s network security with the focus of preventing system breaches?
A. Computer names are available to the Internet.
B. The data loss prevention (DLP) system does not monitor malicious incoming traffic.
C. Help desk personnel are able to remote into other external systems.
D. The guest wireless system does not have content filtering.
Selected Answer: B
Question #: 1243
Topic #: 1
Which of the following is MOST important to include in a business case for an IT-enabled investment?
A. Business impact analysis (BIA)
B. Security requirements
C. Risk assessment
D. Cost-benefit analysis
Selected Answer: D
Question #: 1238
Topic #: 1
For effective IT governance, it is MOST important to have an independent reporting line for which of the following IT functions?
A. Risk management
B. Infrastructure
C. Operations
D. Security
Selected Answer: A
Question #: 1235
Topic #: 1
An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?
A. Request a plan of action to be established as a follow-up item.
B. Interview IT management to clarify the current procedure.
C. Review the organization’s patch management policy.
D. Report this finding to senior management.
Selected Answer: C
Question #: 1214
Topic #: 1
Which of the following provides the BEST evidence that IT portfolio management is aligned with organizational strategies?
A. IT steering committee minutes that include approval for prioritization of IT projects
B. Project sponsor sign-off on all project documents from beginning to end
C. Project sponsor sign-off on IT project proposals and milestones
D. Finance committee minutes that include approval for the annual IT budget
Selected Answer: A
Question #: 1210
Topic #: 1
Which of the following is the PRIMARY objective when encrypting a database?
A. Preserving the ability to query data
B. Protecting data from unauthorized changes
C. Preserving the ability to access data securely
D. Protecting data from unauthorized viewing
Selected Answer: D
Question #: 1203
Topic #: 1
Effective separation of duties in an online environment can BEST be achieved by utilizing:
A. appropriate supervision.
B. access authorization tables.
C. transaction logging.
D. written procedure manuals.
Selected Answer: B
Question #: 1348
Topic #: 1
Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization’s goals and strategic objectives?
A. Enterprise architecture (EA)
B. Audit recommendations
C. Risk assessment report
D. Business impact analysis (BIA)
Selected Answer: A
Question #: 1336
Topic #: 1
Which of the following is the GREATEST risk when using application programming interfaces (APIs) in a third-party hosted virtual environment?
A. Data exfiltration
B. Lack of accountability
C. Inability to test third-party APIs
D. Lack of redundancy
Selected Answer: A
Question #: 1365
Topic #: 1
The objectives of business process reengineering (BPR) should PRIMARILY include:
A. incremental changes in productivity.
B. organizational structure changes.
C. system improvements.
D. performance efficiencies.
Selected Answer: D
Question #: 432
Topic #: 1
Which of the following is found in an audit charter?
A. The authority given to the audit function
B. The process of developing the annual audit plan
C. Audit objectives and scope
D. Required training for audit staff
Selected Answer: D
Question #: 817
Topic #: 1
At the end of each business day, a business-critical application generates a report of financial transactions greater than a certain value, and an employee then checks these transactions for errors. What type of control is in place?
A. Deterrent
B. Preventive
C. Corrective
D. Detective
Selected Answer: C
Question #: 607
Topic #: 1
An IS auditor is performing a follow-up audit for findings identified in an organization’s user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?
A. All users provisioned after management resolved the audit issue
B. All users who have followed user provisioning processes provided by management
C. All users provisioned after the final audit report was issued
D. All users provisioned after the finding was originally identified
Selected Answer: C
Question #: 747
Topic #: 1
An IS auditor is reviewing an organization’s primary router access control list. Which of the following should result in a finding?
A. There are conflicting permit and deny rules for the IT group.
B. There is only one rule per group with access privileges.
C. Individual permissions are overriding group permissions.
D. The network security group can change network address translation (NAT).
Selected Answer: A
Question #: 743
Topic #: 1
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
A. Allowing employees to store large emails on flash drives
B. Automatically deleting emails older than one year
C. Moving emails to a virtual email vault after 30 days
D. Limiting the size of file attachments being sent via email
Selected Answer: C
Question #: 739
Topic #: 1
During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?
A. Lack of governance and oversight for IT infrastructure and applications
B. Increased need for user awareness training
C. The use of the cloud negatively impacting IT availability
D. Increased vulnerability due to anytime, anywhere accessibility
Selected Answer: D
Question #: 663
Topic #: 1
Which of the following is the MAIN purpose of an information security management system?
A. To enhance the impact of reports used to monitor information security incidents
B. To reduce the frequency and impact of information security incidents
C. To identify and eliminate the root causes of information security incidents
D. To keep information security policies and procedures up-to-date
Selected Answer: B
Question #: 1146
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization’s configuration and release management process?
A. The organization does not use an industry-recognized methodology.
B. Changes and change approvals are not documented.
C. There is no centralized configuration management database (CMDB).
D. All changes require middle and senior management approval.
Selected Answer: B
Question #: 1092
Topic #: 1
An IS auditor is performing an integrated audit covering payment processing activities using point-of-sale (POS) systems. Which of the following findings related to personal identification numbers (PINs) should be of GREATEST concern?
A. Cardholder PINs are encrypted and stored on the local POS terminal.
B. Cardholders are not required to enter their PINs.
C. Cardholders may select any 4-digit PIN without restrictions.
D. Cardholder PINs are not encrypted on the central computer.
Selected Answer: D
Question #: 1077
Topic #: 1
Which of the following should be of concern to an IS auditor reviewing an organization’s network to ensure attack vectors from the Internet are minimized?
A. The organization employs different types of firewalls in the demilitarized zone (DMZ).
B. The organization’s email server is in the demilitarized zone (DMZ).
C. A data loss prevention (DLP) system is behind the organization’s firewalls.
D. A router is Internet-facing at the network perimeter.
Selected Answer: D
Question #: 1075
Topic #: 1
Which of the following provides the MOST protection against emerging threats?
A. Real-time updating of antivirus software
B. Signature-based intrusion detection system (IDS)
C. Demilitarized zone (DMZ)
D. Heuristic intrusion detection system (IDS)
Selected Answer: D
Question #: 1065
Topic #: 1
Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?
A. To comply with legal and regulatory requirements
B. To prevent confidential data loss
C. To provide options to individuals regarding use of their data
D. To identify data at rest and data in transit for encryption
Selected Answer: A
Question #: 1038
Topic #: 1
An IS auditor assessing an organization’s information systems needs to understand management’s approach regarding controls. Which documentation should the auditor review FIRST?
A. Policies
B. Standards
C. Guidelines
D. Procedures
Selected Answer: A
Question #: 1008
Topic #: 1
Which of the following controls provides the MOST protection against ransomware attacks?
A. Education and awareness training
B. Tested and reliable backups
C. A tested incident response plan
D. Signature-based anti-malware tools
Selected Answer: A
Question #: 953
Topic #: 1
When auditing an organization’s software acquisition process, the BEST way for an IS auditor to understand the software benefits to the organization would be to review the:
A. alignment with IT strategy
B. business case
C. feasibility study
D. request for proposal (RFP)
Selected Answer: B
Question #: 955
Topic #: 1
After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?
A. Operational
B. Audit
C. Financial
D. Inherent
Selected Answer: B
Question #: 941
Topic #: 1
An organization has developed processes to recover critical files in the event of a ransomware attack. Which type of control do these processes represent?
A. Corrective
B. Detective
C. Preventive
D. Compensating
Selected Answer: B
Question #: 844
Topic #: 1
An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization’s wider security threat and vulnerability management program. Which of the following would BEST enable the organization to work toward improvement in this area?
A. Outsourcing the threat and vulnerability management function to a third party
B. Maintaining a catalog of vulnerabilities that may impact mission-critical systems
C. Using a capability maturity model to identify a path to an optimized program
D. Implementing security logging to enhance threat and vulnerability management
Selected Answer: C
Question #: 77
Topic #: 1
The PRIMARY focus of a post-implementation review is to verify that:
A. enterprise architecture (EA) has been complied with.
B. user requirements have been met.
C. acceptance testing has been properly executed.
D. user access controls have been adequately designed.
Selected Answer: B
Question #: 690
Topic #: 1
Which of the following is the MOST effective way for an organization to protect against data loss?
A. Conduct periodic security awareness training.
B. Limit employee Internet access.
C. Review firewall logs for anomalies.
D. Implement data classification procedures.
Selected Answer: D
Question #: 693
Topic #: 1
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor’s BEST recommendation for the organization?
A. Perform an analysis to determine the business risk.
B. Develop a maintenance plan to support the application using the existing code.
C. Bring the escrow version up to date.
D. Analyze a new application that meets the current requirements.
Selected Answer: A
Question #: 641
Topic #: 1
Which of the following is the MOST effective way for an IS auditor to evaluate whether an organization is well positioned to defend against an advanced persistent threat (APT)?
A. Verify that the organization has adequate levels of cyber insurance.
B. Review the validity of external Internet Protocol (IP) addresses accessing the network.
C. Verify that the organization is using correlated data for security monitoring.
D. Assess the skill set within the security function.
Selected Answer: D
Question #: 680
Topic #: 1
What is the BEST method to determine if IT resource spending is aligned with planned project spending?
A. Return on investment (ROI) analysis
B. Critical path analysis
C. Earned value analysis (EVA)
D. Gantt chart
Selected Answer: C
Question #: 634
Topic #: 1
An IS auditor finds that while an organization’s IT strategy is heavily focused on research and development, the majority of projects in the IT portfolio focus on operations and maintenance. Which of the following is the BEST recommendation?
A. Review priorities in the IT portfolio.
B. Change the IT strategy to focus on operational excellence.
C. Align the IT portfolio with the IT strategy.
D. Align the IT strategy with business objectives.
Selected Answer: C
Question #: 629
Topic #: 1
An IS auditor is evaluating an organization’s IT strategy and plans. Which of the following would be of GREATEST concern?
A. IT is not engaged in business strategic planning.
B. The business strategy meeting minutes are not distributed.
C. There is inadequate documentation of IT strategic planning.
D. There is not a defined IT security policy.
Selected Answer: A
Question #: 950
Topic #: 1
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor’s BEST course of action?
A. Recommend the utilization of software licensing monitoring tools.
B. Recommend the purchase of additional software license keys.
C. Validate user need for shared software licenses.
D. Verify whether the licensing agreement allows shared use.
Selected Answer: C
Question #: 573
Topic #: 1
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor’s NEXT course of action?
A. Inform senior management of the change in approach.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Evaluate the appropriateness of the remedial action taken.
Selected Answer: D
Question #: 567
Topic #: 1
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
A. based on industry standards.
B. well understood by all employees.
C. updated frequently.
D. developed by process owners.
Selected Answer: B
Question #: 559
Topic #: 1
Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
A. To operate third-party hosted applications
B. To install and manage operating systems
C. To establish a network and security architecture
D. To develop and integrate its applications
Selected Answer: D
Question #: 557
Topic #: 1
Which of the following is the PRIMARY purpose of conducting an IS audit follow-up?
A. To align IS audit activities with business objectives
B. To help management prioritize related risk mitigation activities
C. To determine the effectiveness of management’s responses to risk
D. To obtain agreement with management on action plan status
Selected Answer: C
Question #: 551
Topic #: 1
Which of the following should be of GREATEST concern to an IS auditor planning to employ data analytics in an upcoming audit?
A. There is no documented data model.
B. Available data is incomplete.
C. Data fields are used for multiple purposes.
D. Data is from the previous reporting period.
Selected Answer: B
Question #: 525
Topic #: 1
Which of the following is necessary for effective risk management in IT governance?
A. Local managers are solely responsible for risk evaluation.
B. Risk management strategy is approved by the audit committee.
C. Risk evaluation is embedded in management processes.
D. IT risk management is separate from corporate risk management.
Selected Answer: C
Question #: 620
Topic #: 1
An IS auditor is reviewing logical access controls for an organization’s financial business application. Which of the following findings should be of GREATEST concern to the auditor?
A. Management does not review application user activity logs.
B. Password length is set to eight characters.
C. User accounts are shared between users.
D. Users are not required to change their passwords on a regular basis.
Selected Answer: C
Question #: 618
Topic #: 1
An IS auditor is planning an audit of an organization’s accounts payable processes. Which of the following controls is MOST important to assess in the audit?
A. Segregation of duties between issuing purchase orders and making payments
B. Management review and approval of purchase orders
C. Management review and approval of authorization tiers
D. Segregation of duties between receiving invoices and setting authorization limits
Selected Answer: A
Question #: 616
Topic #: 1
Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?
A. Standardize file naming conventions.
B. Utilize automated version control.
C. Embed details within source code.
D. Document details on a change register.
Selected Answer: B
Question #: 615
Topic #: 1
Which of the following are BEST suited for continuous auditing?
A. Low-value transactions
B. Irregular transactions
C. Real-time transactions
D. Manual transactions
Selected Answer: C
Question #: 614
Topic #: 1
Which of the following is the PRIMARY benefit of continuous auditing?
A. It facilitates the use of robotic automation processes.
B. It allows reduced sample sizes for testing.
C. It enables timely detection of anomalies.
D. It deters fraudulent transactions.
Selected Answer: C
Question #: 610
Topic #: 1
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
A. Regular monitoring of user access logs
B. Security awareness training
C. Annual sign-off of acceptable use policy
D. Formalized disciplinary action
Selected Answer: B
Question #: 608
Topic #: 1
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
A. Two-factor authentication control
B. System-enforced dual control
C. Independent reconciliation
D. Re-keying of wire dollar amounts
Selected Answer: B
Question #: 606
Topic #: 1
An IS auditor is reviewing the business requirements for the deployment of a new website. Which of the following cryptographic systems would provide the BEST evidence of secure communications on the Internet?
A. Transport Layer Security (TLS)
B. Wi-Fi Protected Access 2 (WPA2)
C. IP Security (IPSEC)
D. Secure Shell (SSH)
Selected Answer: A
Question #: 605
Topic #: 1
Which of the following would provide the BEST evidence of an IT strategy committee’s effectiveness?
A. The minutes from the IT strategy committee meetings
B. The IT strategy committee charter
C. Synchronization of IT activities with corporate objectives
D. Business unit satisfaction survey results
Selected Answer: C
Question #: 604
Topic #: 1
An IS auditor should ensure that an application’s audit trail:
A. has adequate security.
B. is accessible online.
C. does not impact operational efficiency.
D. logs all database records.
Selected Answer: A
Question #: 603
Topic #: 1
An IS auditor is reviewing a data conversion project. Which of the following is the auditor’s BEST recommendation prior to go-live?
A. Automate the test scripts.
B. Conduct a mock conversion test.
C. Review test procedures and scenarios.
D. Establish a configuration baseline.
Selected Answer: B
Question #: 602
Topic #: 1
An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
A. Access control requirements
B. Hardware configurations
C. Help desk availability
D. Perimeter network security diagram
Selected Answer: A
Question #: 599
Topic #: 1
An IS auditor is asked to provide feedback on the systems options analysis for a new project. The BEST course of action for the IS auditor would be to:
A. request at least one other alternative.
B. comment on the criteria used to assess the alternatives.
C. retain comments as findings for the audit report.
D. identify the best alternative.
Selected Answer: B
Question #: 598
Topic #: 1
Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?
A. Email attachments
B. Data sent to vendors
C. New system applications
D. End-user computing (EUC) systems
Selected Answer: D
Question #: 597
Topic #: 1
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
A. Double-posting of a single journal entry
B. Unauthorized alteration of account attributes
C. Inability to support new business transactions
D. Inaccuracy of financial reporting
Selected Answer: D
Question #: 592
Topic #: 1
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
A. Capacity management plan
B. Stress testing results
C. Training plans
D. Database conversion results
Selected Answer: B
Question #: 473
Topic #: 1
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
A. Improved disaster recovery
B. Stronger data security
C. Better utilization of resources
D. Increased application performance
Selected Answer: C
Question #: 420
Topic #: 1
Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?
A. Lack of defined criteria for EUC applications
B. Lack of awareness training for EUC users
C. Insufficient processes to track ownership of each EUC application
D. Insufficient processes to test for version control
Selected Answer: A
Question #: 376
Topic #: 1
Which of the following is the MOST important consideration when investigating a security breach of an e-commerce application?
A. Skill set of the response team
B. Chain of custody
C. Notifications to law enforcement
D. Procedures to analyze evidence
Selected Answer: B
Question #: 438
Topic #: 1
Which of the following is the PRIMARY purpose of conducting follow-up audits for material observations?
A. To assess evidence for management reporting
B. To validate the correctness of reported findings
C. To validate remediation efforts
D. To assess the risk of the audit environment
Selected Answer: C
Question #: 413
Topic #: 1
Which of the following approaches would BEST ensure that data protection controls are embedded into software being developed?
A. Utilizing a data protection template for user acceptance testing (UAT)
B. Implementing a quality assurance (QA) process during the development phase
C. Deriving data protection requirements from key stakeholders
D. Tracking data protection requirements throughout the SDLC
Selected Answer: D
Question #: 1188
Topic #: 1
Which of the following would be an auditor’s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
A. Spreadsheets are accessible by all members of the finance department.
B. Undocumented code formats data and transmits directly to the database.
C. There is not a complete inventory of spreadsheets, and file naming is inconsistent.
D. The department data protection policy has not been reviewed or updated for two years.
Selected Answer: B
Question #: 1186
Topic #: 1
Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?
A. Comparison to historical order pattern
B. Hash totals
C. Online review of description
D. Self-checking digit
Selected Answer: D
Question #: 1184
Topic #: 1
Which of the following is the BEST indication that a software development project is on track to meet its completion deadline?
A. Issues identified during user acceptance testing (UAT) have been addressed prior to the original implementation date.
B. Technical specifications and development requirements have been agreed upon and formally recorded.
C. Project plan due dates have been documented for each phase of the software development life cycle.
D. The planned software go-live date has been communicated in advance to end users and stakeholders.
Selected Answer: C
Question #: 1183
Topic #: 1
An e-commerce company wants to ensure customers can update payment information securely through their phones. On which servers should Transport Layer Security (TLS) certificates be installed?
A. Proxy servers
B. Web servers
C. Database servers
D. Application servers
Selected Answer: B
Question #: 1180
Topic #: 1
Which of the following BEST protects evidence in a forensic investigation?
A. Protecting the hardware of the affected system
B. Powering down the affected system
C. Imaging the affected system
D. Rebooting the affected system
Selected Answer: C
Question #: 1178
Topic #: 1
An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
A. Install vendor patches.
B. Review security log incidents.
C. Implement security awareness training.
D. Review hardware vendor contracts.
Selected Answer: A
Question #: 1177
Topic #: 1
A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually. Which of the following is the MOST significant benefit of this approach?
A. Line management is more motivated to avoid control exceptions.
B. Business owners can focus more on their core roles.
C. Risks are detected earlier.
D. Compliance costs are reduced.
Selected Answer: C
Question #: 1175
Topic #: 1
Which of the following is an IS auditor’s BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
A. Implement Simple Object Access Protocol (SOAP).
B. Encrypt the extensible markup language (XML) file.
C. Mask the API endpoints.
D. Implement Transport Layer Security (TLS).
Selected Answer: D
Question #: 1172
Topic #: 1
A firewall between internal network segments improves security and reduces risk by:
A. inspecting all traffic flowing between network segments and applying security policies.
B. ensuring all connecting systems have appropriate security controls enabled.
C. monitoring and reporting on sessions between network participants.
D. logging all packets passing through network segments.
Selected Answer: A
Question #: 1171
Topic #: 1
Which of the following should an IS auditor be MOST concerned with when reviewing the IT asset disposal process?
A. Data stored on the asset
B. Certificate of destruction
C. Monetary value of the asset
D. Data migration to the new asset
Selected Answer: A
Question #: 1169
Topic #: 1
Which of the following provides the BEST evidence of effective IT portfolio management?
A. Programs in the IT portfolio are prioritized by each business function.
B. The IT portfolio is updated on the basis of current industry benchmarks.
C. The IT portfolio is updated as business strategy changes.
D. IT portfolio updates are communicated when approved.
Selected Answer: C
Question #: 1167
Topic #: 1
Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?
A. Establish the timing of testing.
B. Identify milestones.
C. Determine the test reporting.
D. Establish the rules of engagement.
Selected Answer: D
Question #: 1164
Topic #: 1
During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor’s BEST course of action?
A. Postpone the audit until adequate security and password management practices are established.
B. Document the finding and explain the risk of having administrator accounts with inappropriate security settings.
C. Identify accounts that have had excessive failed login attempts and request they be disabled.
D. Request the IT manager to change administrator security parameters and update the finding.
Selected Answer: B
Question #: 1161
Topic #: 1
Which of the following is the PRIMARY reason to perform a risk assessment?
A. To determine the current risk profile
B. To ensure alignment with the business impact analysis (BIA)
C. To help allocate budget for risk mitigation controls
D. To achieve compliance with regulatory requirements
Selected Answer: A
Question #: 1160
Topic #: 1
A configuration management audit identified that predefined automated procedures are used when deploying and configuring application infrastructure in a cloud-based environment. Which of the following is MOST important for the IS auditor to review?
A. Contracts of vendors responsible for maintaining provisioning tools
B. Number of administrators with access to cloud management consoles
C. Processes for making changes to cloud environment specifications
D. Storage location of configuration management documentation
Selected Answer: C
Question #: 1159
Topic #: 1
Which of the following risks is BEST mitigated by implementing an automated three-way match?
A. Inaccurate customer records
B. Invalid payment processing
C. Inaccurate customer discounts
D. Purchase order delays
Selected Answer: B
Question #: 1158
Topic #: 1
An IS auditor has found that despite an increase in phishing attacks over the past two years, there has been a significant decrease in the success rate. Which of the following is the MOST likely reason for this decline?
A. Implementation of a security awareness program
B. Enhanced training for incident responders
C. Implementation of an intrusion detection system (IDS)
D. Development of an incident response plan
Selected Answer: A
Question #: 1150
Topic #: 1
An organization is considering using production data for testing a new application’s functionality. Which of the following data protection techniques would BEST ensure that personal data cannot be inadvertently recovered in test environments while also reducing the need for strict confidentiality of the data?
A. Data normalization
B. Data encryption
C. Data minimization
D. Data anonymization
Selected Answer: D
Question #: 1149
Topic #: 1
An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?
A. Data ownership assignments
B. Regulatory compliance requirements
C. Customer notification procedures
D. Encryption capabilities
Selected Answer: B
Question #: 1148
Topic #: 1
An organization is planning to hire a third party to develop software. What is the MOST appropriate way for the organization to ensure access to code if the software development company goes out of business?
A. Establish a software escrow agreement.
B. Request a copy of the software.
C. Establish a service level agreement (SLA).
D. Request software licenses.
Selected Answer: A
Question #: 1147
Topic #: 1
A web proxy server for corporate connections to external resources reduces organizational risk by:
A. load balancing traffic to optimize data pathways.
B. providing multi-factor authentication for additional security.
C. anonymizing users through changed IP addresses.
D. providing faster response than direct access.
Selected Answer: B
Question #: 1144
Topic #: 1
An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?
A. Remove and restore the affected systems.
B. Verify that the compromised systems are fully functional.
C. Focus on limiting the damage.
D. Document the incident.
Selected Answer: C
Question #: 1143
Topic #: 1
Which of the following should be restricted from a network administrator’s privileges in an adequately segregated IT environment?
A. Hardening network ports
B. Monitoring network traffic
C. Changing existing configurations for applications
D. Ensuring transmission protocols are functioning correctly
Selected Answer: C
Question #: 1141
Topic #: 1
The following findings are the result of an IS auditor’s post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?
A. The project’s 10% budget overrun was not reported to senior management.
B. A lessons-learned session was never conducted.
C. Measurable benefits were not defined.
D. Monthly dashboards did not always contain deliverables.
Selected Answer: C
Question #: 1140
Topic #: 1
An IT balanced scorecard is BEST used for which of the following purposes?
A. Monitoring strategic performance
B. Evaluating IT’s financial position
C. Measuring risk in IT processes
D. Evaluating business processes
Selected Answer: A
Question #: 1139
Topic #: 1
Which of the following is the MOST cost-effective way to determine the effectiveness of a business continuity plan (BCP)?
A. Stress test
B. Tabletop exercise
C. Full operational test
D. Post-implementation review
Selected Answer: B
Question #: 1138
Topic #: 1
Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
A. Data classification
B. Vendor cloud certification
C. Data storage costs
D. Service level agreements (SLAs)
Selected Answer: A
Question #: 1137
Topic #: 1
An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?
A. Monitoring access rights on a regular basis
B. Referencing a standard user-access matrix
C. Correcting the segregation of duties conflicts
D. Granting user access using a role-based model
Selected Answer: D
Question #: 1134
Topic #: 1
Which of the following types of testing BEST ensures business requirements are met prior to software release?
A. Load balance testing
B. User acceptance testing (UAT)
C. End-to-end testing
D. Functional testing
Selected Answer: B
Question #: 1133
Topic #: 1
Management states that a recommendation made during a prior audit has been implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the following is the auditor’s MOST appropriate course of action?
A. Report to audit management that the actions taken have not effectively addressed the original risk.
B. Make an additional recommendation on how to remediate the finding.
C. Perform testing or other audit procedures to confirm the status of the original risk.
D. Recommend external verification of management’s preferred actions.
Selected Answer: C
Question #: 1131
Topic #: 1
When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:
A. end users are trained in the replication process.
B. the source database is backed up on both sites.
C. user rights are identical on both databases.
D. database conflicts are managed during replication.
Selected Answer: D
Question #: 1130
Topic #: 1
Which of the following is MOST important to consider when reviewing an organization’s defined data backup and restoration procedures?
A. Mean time to restore (MTTR)
B. Mean time between failures (MTBF)
C. Recovery point objective (RPO)
D. Business continuity plan (BCP)
Selected Answer: C
Question #: 1129
Topic #: 1
Which of the following provides the BEST assurance of data integrity after file transfers?
A. Check digits
B. Monetary unit sampling
C. Reasonableness check
D. Hash values
Selected Answer: D
Question #: 1128
Topic #: 1
Which of the following would aid an IS auditor reviewing the integrity of program changes migrated into production?
A. Configuration management system
B. Database schema
C. Tape management system
D. Operating system log data
Selected Answer: A