ISACA CISA Exam Questions Simulate Actual CISA Exam

Category:

Comments:

0 Comments

Post Date:

March 18, 2023

CISA exam dumps questions are designed to simulate the actual exam. This means that you will get a feel for the types of questions you can expect to see on the exam, as well as the format and difficulty level. In addition, CISA Certification CISA dumps are often accompanied by detailed explanations and answers. This means that if you get a question wrong, you can learn from your mistake and understand why the correct answer is the right one. Test free online CISA exam dumps below.

Page 1 of 41

1. Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

A. Project charter

B. Project plan

C. Project issue log

D. Project business case

2. An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule.

What should the auditor do NEXT?

Interview IT management to clarify the current procedure.

Report this finding to senior management.

Review the organization's patch management policy.

Request a plan of action to be established as a follow-up item.

3. An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities.

Which of the following is the BEST recommendation by the IS auditor?

A. Improve the change management process

B. Establish security metrics.

C. Perform a penetration test

D. Perform a configuration review

4. The decision to accept an IT control risk related to data quality should be the responsibility of the:

information security team.

IS audit manager.

chief information officer (CIO).

business owner.

5. which of the following is a core functionality of a configuration and release management system?

Managing privileged access to databases servers and infrastructure

Identifying vulnerabilities in configuration settings

Deploying a configuration change to the sandbox environment

Identifying other configuration items that will be impacted by a given change

6. A company has implemented an IT segregation of duties policy.

In a role-based environment, which of the following roles may be assigned to an application developer?

IT operator

System administration

Emergency support

Database administration

7. Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Denial of service (DOS)

SQL injection

Phishing attacks

Rootkits

8. Several unattended laptops containing sensitive customer data were stolen from personnel offices Which of the following would be an IS auditor's BEST recommendation to protect data in case of recurrence?

Encrypt the disk drive.

Require two-factor authentication

Enhance physical security

Require the use of cable locks

9. An organization establishes capacity utilization thresholds and monitors for instances when thresholds are exceeded.

Which of the following is BEST supported by this activity?

Integrity

Availability

Confidentiality

Nonrepudiation

10. During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing.

Which of the following should the IS auditor identity as the associated risk?

A. The use of the cloud negatively impacting IT availably

B. Increased need for user awareness training

C. Increased vulnerability due to anytime, anywhere accessibility

D. Lack of governance and oversight for IT infrastructure and applications

Page 2 of 41

11. A checksum is classified as which type of control?

Corrective control

Administrative control

Detective control

Preventive control

12. Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Version control software

Audit hooks

Utility software

Audit analytics tool

13. Users are complaining that a newly released enterprise resource planning (ERP) system is functioning too slowly.

Which of the following tests during the quality assurance (QA) phase would have identified this concern?

Stress

Parallel

Regression

Interface

14. Which of the following testing methods is MOST appropriate for assessing whether system integrity has been maintained after changes have been made?

Regression testing

Unit testing

Integration testing

Acceptance testing

15. Which of the following is MOST useful when planning to audit an organization's compliance with cybersecurity regulations in foreign countries?

Prioritize the audit to focus on the country presenting the greatest amount of operational risk.

Follow the cybersecurity regulations of the country with the most stringent requirements.

Develop a template that standardizes the reporting of findings from each country's audit team

Map the different regulatory requirements to the organization's IT governance framework

16. As part of the architecture of virtualized environments, in a bare metal or native visualization the hypervisor runs without:

a host operating system.

a guest operating system.

any applications on the guest operating system.

any applications on the host operating system.

17. Which of the following is the MOST important regulatory consideration for an organization determining whether to use its customer data to train AI algorithms?

Documentation of AI algorithm accuracy during the training process

Ethical and optimal utilization of data computing resources

Collection of data and obtaining data subject consent

Continuous monitoring of AI algorithm performance

18. Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Performing a cyber resilience test

Performing a full interruption test

Performing a tabletop test

Performing a parallel test

19. What should be the PRIMARY focus during a review of a business process improvement project?

Business project plan

Continuous monitoring plans

The cost of new controls

Business impact

20. Cross-site scripting (XSS) attacks are BEST prevented through:

application firewall policy settings.

a three-tier web architecture.

secure coding practices.

use of common industry frameworks.

Page 3 of 41

21. An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system.

Which of the following would be the GREATEST concern?

Single sign-on is not enabled

Audit logging is not enabled

Security baseline is not consistently applied

Complex passwords are not required

22. In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly.

Which of the following is the BEST recommendation to address this problem?

Revisit the IT strategic plan.

Implement project portfolio management.

Implement an integrated resource management system.

Implement a comprehensive project scorecard.

23. Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

Access to change testing strategy and results is not restricted to staff outside the IT team.

Some user acceptance testing (IJAT) was completed by members of the IT team.

IT administrators have access to the production and development environment

Post-implementation testing is not conducted for all system releases.

24. Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

Configure a single server as a primary authentication server and a second server as a secondary authentication server.

Configure each authentication server as belonging to a cluster of authentication servers.

Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

Configure each authentication server and ensure that the disks of each server form part of a duplex.

25. Which of the following should be an IS auditor's GREATEST concern when assessing an IT service configuration database?

The database is read-accessible for all users.

The database is write-accessible for all users.

The database is not encrypted at rest.

The database is executable for all users.

26. During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report.

Which of the following is the auditor's BEST course of action?

Request that the IT manager be removed from the remaining meetings and future audits.

Modify the finding to include the IT manager's comments and inform the audit manager of the changes.

Remove the finding from the report and continue presenting the remaining findings.

Provide the evidence which supports the finding and keep the finding in the report.

27. Which of the following is MOST important to ensure when developing an effective security awareness program?

Training personnel are information security professionals.

Outcome metrics for the program are established.

Security threat scenarios are included in the program content.

Phishing exercises are conducted post-training

28. Which of the following is the MOST important responsibility of data owners when implementing a data classification process?

Reviewing emergency changes to data

Authorizing application code changes

Determining appropriate user access levels

Implementing access rules over database tables

29. Which of the following would be MOST effective in detecting the presence of an unauthorized wireless access point on an internal network?

Continuous network monitoring

Periodic network vulnerability assessments

Review of electronic access logs

Physical security reviews

30. An organization is planning to implement a control self-assessment (CSA) program for selected business processes.

Which of the following should be the role of the internal audit team for this program?

Perform testing to validate the accuracy of management's self-assessment.

Advise management on the self-assessment process.

Design testing procedures for management to assess process controls effectively.

De-scope business processes to be covered by CSAs from future audit plans.

Page 4 of 41

31. Which of the following is MOST important for an IS auditor to verify when reviewing the planned use of Benford's law as a data analytics technique to detect fraud in a set of credit card transactions?

The transactions are in double integer format.

The transaction amounts are selected randomly without restriction.

The transaction analysis is limited to transactions within standard deviation.

The transactions are all in the same currency.

32. Which of the following is the PRIMARY reason to involve IS auditors in the software acquisition process?

To help ensure hardware and operating system requirements are considered

To help ensure proposed contracts and service level agreements (SLAs) address key elements

To help ensure the project management process complies with policies and procedures

To help ensure adequate controls to address common threats and risks are considered

33. An IS auditor Is reviewing a recent security incident and is seeking information about me approval of a recent modification to a database system's security settings Where would the auditor MOST likely find this information?

System event correlation report

Database log

Change log

Security incident and event management (SIEM) report

34. Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?

Service auditor's report

Performance metrics

Surprise visit to vendor

Interview with vendor

35. A white box testing method is applicable with which of the following testing processes?

Integration testing

Parallel testing

Sociability testing

User acceptance testing (UAT)

36. Who is accountable for an organization's enterprise risk management (ERM) program?

Board of directors

Steering committee

Chief risk officer (CRO)

Executive management

37. Which of the following is an example of a preventative control in an accounts payable system?

The system only allows payments to vendors who are included In the system's master vendor list.

Backups of the system and its data are performed on a nightly basis and tested periodically.

The system produces daily payment summary reports that staff use to compare against invoice totals.

Policies and procedures are clearly communicated to all members of the accounts payable department

38. When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary.

What should the auditor do NEXT?

Report that the changes make it impractical to determine whether the risks have been addressed.

Accept management's assertion and report that the risks have been addressed.

Determine whether the changes have introduced new risks that need to be addressed.

Review the changes and determine whether the risks have been addressed.

39. Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

Using passwords to allow authorized users to send documents to the printer

Requiring a key code to be entered on the printer to produce hard copy

Encrypting the data stream between the user's computer and the printer

Producing a header page with classification level for printed documents

40. Which of the following is the MOST efficient control to reduce the risk associated with a systems administrator having network administrator responsibilities?

The administrator must obtain temporary access to make critical changes.

The administrator will need to request additional approval for critical changes.

The administrator must sign a due diligence agreement.

The administrator will be subject to unannounced audits.

Page 5 of 41

41. Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment.

What type of control has been recommended?

Detective control

Preventive control

Directive control

Corrective control

42. During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations.

What is the auditor's BEST course of action?

Notify the chair of the audit committee.

Notify the audit manager.

Retest the control.

Close the audit finding.

43. An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Project management

Risk assessment results

IT governance framework

Portfolio management

44. An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?

During the next scheduled review

At least one year after the transition

As soon as the decision about the transition is announced

As soon as the new operating model is in place

45. A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting.

What would be MOST important to consider before including this audit in the program?

Whether system delays result in more frequent use of manual processing

Whether the system's performance poses a significant risk to the organization

Whether stakeholders are committed to assisting with the audit

Whether internal auditors have the required skills to perform the audit

46. In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

Planning phase

Execution phase

Follow-up phase

Selection phase

47. Which of the following BEST enables the timely identification of risk exposure?

External audit review

Internal audit review

Control self-assessment (CSA)

Stress testing

48. Which of the following is an example of shadow IT?

An employee using a cloud based order management tool without approval from IT

An employee using a company provided laptop to access personal banking information

An employee using personal email to communicate with clients without approval from IT

An employee using a company-provided tablet to access social media during work hours

49. Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?

The person who tests source code also approves changes.

The person who administers servers is also part of the infrastructure management team.

The person who creates new user accounts also modifies user access levels.

The person who edits source code also has write access to production.

50. Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Background checks

User awareness training

Transaction log review

Mandatory holidays

Page 6 of 41

51. What is the BEST control to address SQL injection vulnerabilities?

Unicode translation

Secure Sockets Layer (SSL) encryption

Input validation

Digital signatures

52. Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?

Reviewing results from simulated high-demand stress test scenarios

Performing a root cause analysis for past performance incidents

Anticipating current service level agreements (SLAs) will remain unchanged

Duplicating existing disk drive systems to improve redundancy and data storage

53. To mitigate the risk of exposing data through application programming interface (API) queries.

Which of the following design considerations is MOST important?

Data retention

Data minimization

Data quality

Data integrity

54. Which of the following would be MOST useful when analyzing computer performance?

Statistical metrics measuring capacity utilization

Operations report of user dissatisfaction with response time

Tuning of system software to optimize resource usage

Report of off-peak utilization and response time

55. An organization is considering allowing users to connect personal devices to the corporate network.

Which of the following should be done FIRST?

Conduct security awareness training.

Implement an acceptable use policy

Create inventory records of personal devices

Configure users on the mobile device management (MDM) solution

56. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall

and:

the Internet.

the demilitarized zone (DMZ).

the organization's web server.

the organization's network.

57. An IS auditor learns that an in-house system development life cycle (SDLC) project has not met user specifications.

The auditor should FIRST examine requirements from which of the following phases?

Configuration phase

User training phase

Quality assurance (QA) phase

Development phase

58. Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?

Attempt to submit new account applications with invalid dates of birth.

Review the business requirements document for date of birth field requirements.

Review new account applications submitted in the past month for invalid dates of birth.

Evaluate configuration settings for the date of birth field requirements

59. How is nonrepudiation supported within a public key infrastructure (PKI) environment?

Through the use of elliptical curve cryptography on transmitted messages

Through the use of a certificate issued by a certificate authority (CA)

Through the use of private keys to decrypt data received by a user

Through the use of enterprise key management systems

60. Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Perform a business impact analysis (BIA).

Determine which databases will be in scope.

Identify the most critical database controls.

Evaluate the types of databases being used

Page 7 of 41

61. Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Have an independent party review the source calculations

Execute copies of EUC programs out of a secure library

implement complex password controls

Verify EUC results through manual calculations

62. Which of the following is the MOST effective way to ensure adequate system resources are available for high-priority activities?

System virtualization

Job scheduling

Zero Trust

Code optimization

63. An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Network penetration tests are not performed

The network firewall policy has not been approved by the information security officer.

Network firewall rules have not been documented.

The network device inventory is incomplete.

64. Which of the following is MOST critical to the success of an information security program?

Alignment of information security with IT objectives

Management’s commitment to information security

Integration of business and information security

User accountability for information security

65. Which of the following would be a result of utilizing a top-down maturity model process?

A means of benchmarking the effectiveness of similar processes with peers

A means of comparing the effectiveness of other processes within the enterprise

Identification of older, more established processes to ensure timely review

Identification of processes with the most improvement opportunities

66. Capacity management enables organizations to:

forecast technology trends

establish the capacity of network communication links

identify the extent to which components need to be upgraded

determine business transaction volumes.

67. The IS quality assurance (OA) group is responsible for:

ensuring that program changes adhere to established standards.

designing procedures to protect data against accidental disclosure.

ensuring that the output received from system processing is complete.

monitoring the execution of computer processing tasks.

68. An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure.

What type of cloud computing environment would BEST meet the organization's objective?

Platform as a Service (PaaS)

Software as a Service (SaaS)

Database as a Service (DBaaS)

Infrastructure as a Service (laaS)

69. An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged.

The IS auditor's FIRST action should be to:

recommend that the option to directly modify the database be removed immediately.

recommend that the system require two persons to be involved in modifying the database.

determine whether the log of changes to the tables is backed up.

determine whether the audit trail is secured and reviewed.

70. Which of the following is the MOST important responsibility of user departments associated with program changes?

Providing unit test data

Analyzing change requests

Updating documentation lo reflect latest changes

Approving changes before implementation

Page 8 of 41

71. Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?

The architecture review board is chaired by the CIO

IT application owners have sole responsibility for architecture approval

The EA program governs projects that are not IT-related

Information security requirements are reviewed by the EA program

72. Audit frameworks can assist the IS audit function by:

providing details on how to execute the audit program.

outlining the specific steps needed to complete audits.

providing direction and information regarding the performance of audits.

defining the authority and responsibility of the IS audit function.

73. Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an application programming interface (API) that feeds credit scores from a well-known commercial credit agency into an organizational system?

A data dictionary of the transferred data

A technical design document for the interface configuration

The most recent audit report from the credit agency

The approved business case for the API

74. Which of the following should an IS auditor do FIRST when auditing a robotics process automation (RPA) implementation?

Evaluate the overall solution architecture.

Analyze the sequence of activities performed by the robot.

Understand the business processes automated by the robot.

Identity the credentials used by the robot and where they are stored.

75. Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?

Patches are deployed from multiple deployment servers.

There is no process in place to scan the network to identify missing patches.

Patches for medium- and low-risk vulnerabilities are omitted.

There is no process in place to quarantine servers that have not been patched.

76. When testing the accuracy of transaction data, which of the following situations BEST justifies the use of a smaller sample size?

A. The IS audit staff has a high level of experience.

B. It is expected that the population is error-free.

C. Proper segregation of duties is in place.

D. The data can be directly changed by users.

77. An organization has recently moved to an agile model for deploying custom code to its in-house accounting software system.

When reviewing the procedures in place for production code deployment, which of the following is the MOST significant security concern to address?

Software vulnerability scanning is done on an ad hoc basis.

Change control does not include testing and approval from quality assurance (QA).

Production code deployment is not automated.

Current DevSecOps processes have not been independently verified.

78. An organization has decided to reengineer business processes to improve the performance of overall IT service delivery.

Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?

Disable operational logging to enhance the processing speed and save storage.

Adopt a service delivery model based on insights from peer organizations.

Delegate business decisions to the chief risk officer (CRO).

Eliminate certain reports and key performance indicators (KPIs)

79. Which of the following is the MOST important success factor for implementing a data loss prevention (DLP) tool?

Implementing the tool in monitor mode to avoid unnecessary blocking of communication

Defining and configuring policies and tool rule sets to monitor sensitive data movement

Testing the tool in a test environment before moving to the production environment

Assigning responsibilities for maintaining the tool to applicable data owners and stakeholders

80. Which of the following is MOST important to review during the project initiation phase of developing and deploying a new application?

User requirements

User acceptance testing (UAT) plans

Deployment plans

Architectural design

Page 9 of 41

81. An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues.

What is the MOST likely cause?

Database clustering

Data caching

Reindexing of the database table

Load balancing

82. An organization has partnered with a third party to transport backup drives to an offsite storage facility.

Which of the following is MOST important before sending the drives?

Creating a chain of custody to accompany the drive in transit

Ensuring data protection is aligned with the data classification policy

Encrypting the drive with strong protection standards

Ensuring the drive is placed in a tamper-evident mechanism

83. To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?

Recipient's public key

Sender's private key

Sender's public key

Recipient's private key

84. Following an IT audit, management has decided to accept the risk highlighted in the audit report.

Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?

A communication plan exists for informing parties impacted by the risk.

Potential impact and likelihood are adequately documented.

Identified risk is reported into the organization's risk committee.

Established criteria exist for accepting and approving risk.

85. Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Audit charter

IT steering committee

Information security policy

Audit best practices

86. Which of the following would be of GREATEST concern to an IS auditor reviewing the resiliency of an organizational network that has two internet connections?

Network capacity testing has not been performed.

The business continuity plan (BCP) has not been tested in the past six months.

Non-critical applications are also connected to both connections.

Both connections are from the same provider.

87. An IS auditor has been asked to review the integrity of data transfer between two business-critical systems that have not been tested since implementation.

Which of the following would provide the MOST useful information to plan an audit?

Quality assurance (QA) testing

System change logs

IT testing policies and procedures

Previous system interface testing records

88. Which of the following provides the MOST protection against emerging threats?

Demilitarized zone (DMZ)

Heuristic intrusion detection system (IDS)

Real-time updating of antivirus software

Signature-based intrusion detection system (IDS)

89. In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Configure data quality alerts to check variances between the data warehouse and the source system

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

Include the data warehouse in the impact analysis (or any changes m the source system

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

90. Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Password attack

Eavesdropping attack

Insider attack

Spear phishing attack

Page 10 of 41

91. Which of the following is the GREATEST concern related to an organization's data classification processes?

Users responsible for managing records are unaware of the data classification processes.

Systems used to manage the data classification processes are not synchronized.

The data classification processes have not been updated in the last year.

The data classification processes are not aligned with industry standards.

92. Which of the following BEST demonstrates alignment of the IT department with the corporate mission?

Analysis of IT department functionality

Biweekly reporting to senior management

Annual board meetings

Quarterly steering committee meetings

93. Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?

Document the security view as part of the EA

Consider stakeholder concerns when defining the EA

Perform mandatory post-implementation reviews of IT implementations

Conduct EA reviews as part of the change advisory board

94. During a pre-deployment assessment, what is the BEST indication that a business case will lead to the achievement of business objectives?

The business case reflects stakeholder requirements.

The business case is based on a proven methodology.

The business case passed a quality review by an independent party.

The business case identifies specific plans for cost allocation.

95. When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?

The information security department has difficulty filling vacancies

An information security governance audit was not conducted within the past year

The data center manager has final sign-off on security projects

Information security policies are updated annually

96. An organization wants to classify database tables according to its data classification scheme From an IS auditor's perspective the tables should be classified based on the:

specific functional contents of each single table.

frequency of updates to the table.

descriptions of column names in the table.

number of end users with access to the table.

97. An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance.

Which of the Mowing is the BEST recommendation?

Align the IT strategy will business objectives

Review priorities in the IT portfolio

Change the IT strategy to focus on operational excellence.

Align the IT portfolio with the IT strategy.

98. Which of the following issues identified during a formal review of an organization's information security policies presents the GREATEST potential risk to the organization?

The policies are not available to key risk stakeholders.

The policies have not been reviewed by the risk management committee.

The policies are not aligned with the information security risk appetite.

The policies are not based on industry best practices for information security.

99. Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?

Integrating data requirements into the system development life cycle (SDLC)

Appointing data stewards to provide effective data governance

Classifying data quality issues by the severity of their impact to the organization

Facilitating effective communication between management and developers

100. Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?

Ensure sufficient audit resources are allocated,

Communicate audit results organization-wide.

Ensure ownership is assigned.

Test corrective actions upon completion.

Page 11 of 41

101. An IS auditor is reviewing the release management process for an in-house software development solution.

In which environment Is the software version MOST likely to be the same as production?

Staging

Testing

Integration

Development

102. The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Technology risk

Detection risk

Control risk

Inherent risk

103. Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?

Map data classification controls to data sets.

Control access to extract, transform, and load (ETL) tools.

Conduct a data discovery exercise across all business applications.

Implement classification labels in metadata during data creation.

104. Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

To optimize system resources

To follow system hardening standards

To optimize asset management workflows

To ensure proper change control

105. Which of the following constitutes an effective detective control in a distributed processing environment?

A log of privileged account use is reviewed.

A disaster recovery plan (DRP)4% in place for the entire system.

User IDs are suspended after three incorrect passwords have been entered.

Users are required to request additional access via an electronic mail system.

106. A small IT department has embraced DevOps, which allows members of this group to deploy code to production and maintain some development access to automate releases.

Which of the following is the MOST effective control?

Enforce approval prior to deployment by a member of the team who has not taken part in the development.

The DevOps team provides an annual policy acknowledgment that they did not develop and deploy the same code.

Annual training reinforces the need to maintain segregation between developers and deployers of code

The IT compliance manager performs weekly reviews to ensure the same person did not develop and deploy code.

107. A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include.

In the vendor contract to ensure continuity?

Continuous 24/7 support must be available.

The vendor must have a documented disaster recovery plan (DRP) in place.

Source code for the software must be placed in escrow.

The vendor must train the organization's staff to manage the new software

108. A manager Identifies active privileged accounts belonging to staff who have left the organization.

Which of the following is the threat actor In this scenario?

Terminated staff

Unauthorized access

Deleted log data

Hacktivists

109. Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall

security for an organization's corporate network?

The production configuration does not conform to corporate policy.

Responsibility for the firewall administration rests with two different divisions.

Industry hardening guidance has not been considered.

The firewall configuration file is extremely long and complex.

110. An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget.

Which of the following is the GREATEST risk to communicate to senior management?

Noncompliance with project methodology

Inability to achieve expected benefits

Increased staff turnover

Project abandonment

Page 12 of 41

111. Which of the following types of firewalls provides the GREATEST degree of control against hacker intrusion?

Packet filtering router

Circuit gateway

Application-level gateway

Screening router.

112. An IS auditor is providing input to an RFP to acquire a financial application system.

Which of the following is MOST important for the auditor to recommend?

The application should meet the organization's requirements.

Audit trails should be included in the design.

Potential suppliers should have experience in the relevant area.

Vendor employee background checks should be conducted regularly.

113. Which of the following is the BEST metric to measure the quality of software developed in an organization?

Amount of successfully migrated software changes

Reduction in the help desk budget

Number of defects discovered in production

Increase in quality assurance (QA) activities

114. Which of the following responses to risk associated with separation of duties would incur the LOWEST initial cost?

Risk mitigation

Risk acceptance

Risk transference

Risk reduction

115. An organization is planning to implement a control self-assessment (CSA) program tor selected business processes.

Which of the following should be the role of the internal audit team for this program?

De-scope business processes to be covered by CSAs from future audit plans.

Design testing procedures for management to assess process controls effectively.

Perform testing to validate the accuracy of management's self-assessment.

Advise management on the self-assessment process.

116. Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

Documentation of exit routines

System initialization logs

Change control log

Security system parameters

117. Which of the following BEST protects evidence in a forensic investigation?

imaging the affected system

Powering down the affected system

Protecting the hardware of the affected system

Rebooting the affected system

118. Which of the following is MOST important during software license audits?

Judgmental sampling

Substantive testing

Compliance testing

Stop-or-go sampling

119. Which of the following is the BEST way to prevent social engineering incidents?

Ensure user workstations are running the most recent version of antivirus software.

Maintain an onboarding and annual security awareness program.

Include security responsibilities in job descriptions and require signed acknowledgment.

Enforce strict email security gateway controls.

120. Which of the following applications has the MOST inherent risk and should be prioritized during

audit planning?

A decommissioned legacy application

An onsite application that is unsupported

An outsourced accounting application

An internally developed application

Page 13 of 41

121. Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?

Reprioritize further testing of the anomalies and refocus on issues with higher risk

Update the audit plan to include the information collected during the audit

Ask auditees to promptly remediate the anomalies

Document the anomalies in audit workpapers

122. A data breach has occurred due lo malware.

Which of the following should be the FIRST course of action?

Notify the cyber insurance company.

Shut down the affected systems.

Quarantine the impacted systems.

Notify customers of the breach.

123. Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?

Inability to quickly modify and deploy a solution

Lack of portability for users

Loss of time due to manual processes

Calculation errors in spreadsheets

124. The operations team of an organization has reported an IS security attack.

Which of the following should be the FIRST step for the security incident response team?

Report results to management

Document lessons learned

Perform a damage assessment

Prioritize resources for corrective action

125. An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant.

Which of the following is the auditor's BEST course of action?

Determine whether the business impact analysis (BIA) is current with the organization's structure and context.

Determine the types of technologies used at the plant and how they may affect the BC

Perform testing to determine the impact to the recovery time objective (R TO).

Assess the risk to operations from the closing of the plant.

126. Which of the following approaches BEST enables an IS auditor to detect security vulnerabilities within an application?

Threat modeling

Concept mapping

Prototyping

Threat intelligence

127. Which of the following is the BEST recommendation by an IS auditor to prevent unauthorized access to Internet of Things (loT) devices'?

loT devices should only be accessible from the host network.

loT devices should log and alert on access attempts.

IoT devices should require identification and authentication.

loT devices should monitor the use of device system accounts.

128. Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Increase involvement of senior management in I

Optimize investments in I

Create risk awareness across business units.

Monitor the effectiveness of I

129. Which of the following is MOST useful for determining the strategy for IT portfolio management?

IT metrics dashboards

IT roadmap

Capability maturity model

Life cycle cost-benefit analysis

130. Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?

A system interface tracking program is not enabled.

The data has not been encrypted.

Data is intercepted while in transit between systems.

The data from the originating system differs from the downloaded data.

Page 14 of 41

131. When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Observing the execution of a daily backup run

Evaluating the backup policies and procedures

Interviewing key personnel evolved In the backup process

Reviewing a sample of system-generated backup logs

132. Which of the following would provide the BEST evidence that a cloud provider's change management process is effective?

Minutes from regular change management meetings with the vendor

Written assurances from the vendor's CEO and CIO

The results of a third-party review provided by the vendor

A copy of change management policies provided by the vendor

133. A characteristic of a digital signature is that it

is under control of the receiver

is unique to the message

is validated when data are changed

has a reproducible hashing algorithm

134. During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data any Internet-connected web browser.

Which Of the following is the auditor’s BEST recommendation to prevent unauthorized access?

Implement an intrusion detection system (IDS),

Update security policies and procedures.

Implement multi-factor authentication.

Utilize strong anti-malware controls on all computing devices.

135. Which of the following documents should specify roles and responsibilities within an IT audit organization?

Organizational chart

Audit charier

Engagement letter

Annual audit plan

136. Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?

Assessing the impact of changes to individuals and business units within the organization

Involving key stakeholders during the development and execution phases of the project

Ensuring that IT project managers have sign-off authority on the business case

Quantifying the size of the software development effort required by the project

137. An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version.

Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Verify all patches have been applied to the software system's outdated version

Close all unused ports on the outdated software system.

Segregate the outdated software system from the main network.

Monitor network traffic attempting to reach the outdated software system.

138. Which of the following is the MOST effective accuracy control for entry of a valid numeric part number?

Hash totals

Online review of description

Comparison to historical order pattern

Self-checking digit

139. Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Annual sign-off of acceptable use policy

Regular monitoring of user access logs

Security awareness training

Formalized disciplinary action

140. What is MOST important to verify during an external assessment of network vulnerability?

Update of security information event management (SIEM) rules

Regular review of the network security policy

Completeness of network asset inventory

Location of intrusion detection systems (IDS)

Page 15 of 41

141. Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?

The scanning will be performed during non-peak hours.

The scanning will be followed by penetration testing.

The scanning will be cost-effective.

The scanning will not degrade system performance.

142. Which of the following BEST enables an IS auditor to assess whether jobs were completed according to the job schedule?

Console log

Exception log

System schedule

Database schedule

143. Which of the following is MOST important when implementing a data classification program?

Understanding the data classification levels

Formalizing data ownership

Developing a privacy policy

Planning for secure storage capacity

144. Which of the following is the PRIMARY objective of implementing privacy-related controls within an organization?

To prevent confidential data loss

To comply with legal and regulatory requirements

To identify data at rest and data in transit for encryption

To provide options to individuals regarding use of their data

145. Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization's cloud service provider?

There is no change management process defined in the contract.

There are no procedures for incident escalation.

There is no dispute resolution process defined in the contract.

There is no right-to-audit clause defined in the contract.

146. Which of the following management decisions presents the GREATEST risk associated with data leakage?

There is no requirement for desktops to be encrypted

Staff are allowed to work remotely

Security awareness training is not provided to staff

Security policies have not been updated in the past year

147. When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

data analytics findings.

audit trails

acceptance lasting results

rollback plans

148. Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Segregation of duties between staff ordering and staff receiving information assets

Complete and accurate list of information assets that have been deployed

Availability and testing of onsite backup generators

Knowledge of the IT staff regarding data protection requirements

149. When protecting the confidentiality of information assets, the MOST effective control practice is the:

Awareness training of personnel on regulatory requirements

Utilization of a dual-factor authentication mechanism

Configuration of read-only access to all users

Enforcement of a need-to-know access control philosophy

150. An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:

review data against data classification standards.

outsource data cleansing to skilled service providers.

consolidate data stored across separate databases into a warehouse.

analyze the data against predefined specifications.

Page 16 of 41

151. Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

The system does not have a maintenance plan.

The system contains several minor defects.

The system deployment was delayed by three weeks.

The system was over budget by 15%.

152. An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house.

Which of the following findings should be the IS auditor's GREATEST concern?

The cost of outsourcing is lower than in-house development.

The vendor development team is located overseas.

A training plan for business users has not been developed.

The data model is not clearly documented.

153. Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

The job scheduler application has not been designed to display pop-up error messages.

Access to the job scheduler application has not been restricted to a maximum of two staff members

Operations shift turnover logs are not utilized to coordinate and control the processing environment

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

154. Which of the following is MOST important for an IS auditor to assess during a post-implementation review of a newly modified IT application developed in-house?

Sufficiency of implemented controls

Resource management plan

Updates required for end-user manuals

Rollback plans for changes

155. An organization saves confidential information in a file with password protection and the file is placed in a shared folder. An attacker has stolen this information by obtaining the password through social engineering.

Implementing which of the following would BEST enable the organization to prevent this type of incident in the future?

Multi-factor authentication (MFA)

Security awareness programs for employees

Access history log review by the business manager

File encryption along with password protection

156. In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

integrated test facility (ITF).

parallel simulation.

transaction tagging.

embedded audit modules.

157. A programmer has made unauthorized changes lo key fields in a payroll system report.

Which of the following control weaknesses would have contributed MOST to this problem?

The programmer did not involve the user in testing

The user requirements were not documented

The programmer has access to the production programs

Payroll files were not under the control of a librarian

158. Which of the following will BEST ensure that archived electronic information of permanent importance remains accessible over time?

Performing preventive maintenance on old hardware

Acquiring applications that emulate old software

Regularly migrating data to current technology

Periodically backing up archived data

159. An information systems security officer's PRIMARY responsibility for business process applications is to:

authorize secured emergency access

approve the organization's security policy

ensure access rules agree with policies

create role-based rules for each business process

160. An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's

BEST recommendation should be to:

reclassify the data to a lower level of confidentiality

require the business owner to conduct regular access reviews.

implement a strong password schema for users.

recommend corrective actions to be taken by the security administrator.

Page 17 of 41

161. Which of the following is the BEST approach to validate whether a streaming site can continue to provide service during a period of live streaming with an anticipated high volume of viewers?

Fuzzing

Usability test

Fault grading

Load test

162. Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's job scheduling practices?

Most jobs are run manually.

Jobs are executed during working hours.

Job dependencies are undefined.

Job processing procedures are missing.

163. Which of the following is the BEST way to prevent social engineering incidents?

Maintain an onboarding and annual security awareness program.

Ensure user workstations are running the most recent version of antivirus software.

Include security responsibilities in job descriptions and require signed acknowledgment.

Enforce strict email security gateway controls

164. Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Readily available resources such as domains and risk and control methodologies

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

Wide acceptance by different business and support units with IT governance objectives

165. An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

incident management.

quality assurance (QA).

change management.

project management.

166. An IS auditor is assigned to perform a post-implementation review of an application system.

Which of the following would impair the auditor's independence?

The auditor implemented a specific control during the development of the system.

The auditor provided advice concerning best practices.

The auditor participated as a member of the project team without operational responsibilities

The auditor designed an embedded audit module exclusively for audit

167. During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement.

What should the auditor do NEXT?

Verify whether IT management monitors the effectiveness of the environment.

Verify whether a right-to-audit clause exists.

Verify whether a third-party security attestation exists.

Verify whether service level agreements (SLAs) are defined and monitored.

168. An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes.

Which of the following recommendations would BEST help to reduce the risk of data leakage?

Requiring policy acknowledgment and nondisclosure agreements signed by employees

Providing education and guidelines to employees on use of social networking sites

Establishing strong access controls on confidential data

Monitoring employees' social networking usage

169. An IS auditor is conducting a review of a data center.

Which of the following observations could indicate an access control Issue?

Security cameras deployed outside main entrance

Antistatic mats deployed at the computer room entrance

Muddy footprints directly inside the emergency exit

Fencing around facility is two meters high

170. Backup procedures for an organization's critical data are considered to be which type of control?

Directive

Corrective

Detective

Compensating

Page 18 of 41

171. An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee.

Which type of control has been added?

Corrective

Compensating

Preventive

Detective

172. Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Temperature sensors

Humidity sensors

Water sensors

Air pressure sensors

173. Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Lessons learned were implemented.

Management approved the PIR report.

The review was performed by an external provider.

Project outcomes have been realized.

174. Which of the following would be the BEST process for continuous auditing to a large financial Institution?

Testing encryption standards on the disaster recovery system

Validating access controls for real-time data systems

Performing parallel testing between systems

Validating performance of help desk metrics

175. Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions.

Which of the following is MOST important for the organization to ensure?

The policy includes a strong risk-based approach.

The retention period allows for review during the year-end audit.

The total transaction amount has no impact on financial reporting.

The retention period complies with data owner responsibilities.

176. An external audit firm was engaged to perform a validation and verification review for a systems implementation project. The IS auditor identifies that regression testing is not part of the project plan and was not performed by the systems implementation team. According to the team, the parallel testing being performed is sufficient, making regression testing unnecessary.

What should be the auditor’s NEXT step?

Evaluate the extent of the parallel testing being performed

Recommend integration and stress testing be conducted by the systems implementation team

Conclude that parallel testing is sufficient and regression testing is not needed

Recommend regression testing be conducted by the systems implementation team

177. When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Incident monitoring togs

The ISP service level agreement

Reports of network traffic analysis

Network topology diagrams

178. An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance.

This would MOST likely increase the risk of a successful attack by.

phishing.

denial of service (DoS)

structured query language (SQL) injection

buffer overflow

179. Which of the following is the MOST important consideration when relying on the work of the prior auditor?

Qualifications of the prior auditor

Management agreement with recommendations

Duration of the prior audit

Number of findings identified by the prior auditor

180. In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

hire another person to perform migration to production.

implement continuous monitoring controls.

remove production access from the developers.

perform a user access review for the development team

Page 19 of 41

181. Which type of control has been established when an organization implements a security information and event management (SIEM) system?

Preventive

Detective

Directive

Corrective

182. Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

The policy aligns with corporate policies and practices.

The policy aligns with global best practices.

The policy aligns with business goals and objectives.

The policy aligns with local laws and regulations.

183. Which of the following BEST indicates that the effectiveness of an organization's security awareness program has improved?

A decrease in the number of information security audit findings

An increase in the number of staff who complete awareness training

An increase in the number of phishing emails reported by employees

A decrease in the number of malware outbreaks

184. Which of the following should be the PRIMARY consideration when incorporating user training and awareness into a data loss prevention (DLP) strategy?

Avoiding financial penalties and reputational risk

Ensuring data availability

Promoting secure data handling practices

Adhering to data governance policies

185. Retention periods and conditions for the destruction of personal data should be determined by the.

risk manager.

database administrator (DBA).

privacy manager.

business owner.

186. The BEST way for an IS auditor to validate that separation of duties has been implemented is to perform:

A review of personnel files.

An analysis of documented job descriptions.

A review of the organizational chart.

A walk-through of job functions.

187. Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

Critical business applications

Business processes

Existing IT controls

Recent audit results

188. An organization produces control reports with a desktop application that accesses data in the central production database.

Which of the following would give an IS auditor concern about the reliability of these reports?

The reports are printed by the same person who reviews them.

The reports are available to all end users.

The report definitions file is not included in routine backups.

The report definitions can be modified by end users.

189. Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Review data classification levels based on industry best practice

Verify that current DLP software is installed on all computer systems.

Conduct interviews to identify possible data protection vulnerabilities.

Verify that confidential files cannot be transmitted to a personal USB device.

190. Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

Message encryption

Certificate authority (CA)

Steganography

Message digest

Page 20 of 41

191. An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository.

Which of the following audit procedures would have MOST likely identified this exception?

Inspecting a sample of alerts generated from the central log repository

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

Inspecting a sample of alert settings configured in the central log repository

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

192. An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production.

Which of the following is the MOST significant risk from this situation?

Loss of application support

Lack of system integrity

Outdated system documentation

Developer access 1o production

193. Which of the following should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA)?

A risk assessment was not conducted prior to completing the BI

System criticality information was only provided by the IT manager.

A questionnaire was used to gather information as opposed to in-person interviews.

The BIA was not signed off by executive management.

194. Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

Embed details within source code.

Standardize file naming conventions.

Utilize automated version control.

Document details on a change register.

195. Control self-assessments (CSAs) can be used to:

Determine the value of assets.

Establish baselines.

Evaluate strategic business goals.

Replace audits.

196. Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

Availability of IS audit resources

Remediation dates included in management responses

Peak activity periods for the business

Complexity of business processes identified in the audit

197. A current project to develop IT-based solutions will need additional funding to meet changes in business requirements. Who is BEST suited to obtain this additional funding?

Project sponsor

Project manager

IT strategy committee

Board of directors

198. A core system fails a week after a scheduled update, causing an outage that impacts service.

Which of the following is MOST important for incident management to focus on when addressing the issue?

Analyzing the root cause of the outage to ensure the incident will not reoccur

Restoring the system to operational state as quickly as possible

Ensuring all resolution steps are fully documented prior to returning the system to service

Rolling back the unsuccessful change to the previous state

199. Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Scalability

Maintainability

Nonrepudiation

Privacy

200. Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Data owners are not trained on the use of data conversion tools.

A post-implementation lessons-learned exercise was not conducted.

There is no system documentation available for review.

System deployment is routinely performed by contractors.

Page 21 of 41

201. During the discussion of a draft audit report IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective.

Which of the following is the auditor's BEST action?

Explain to IT management that the new control will be evaluated during follow-up

Add comments about the action taken by IT management in the report

Change the conclusion based on evidence provided by IT management

Re-perform the audit before changing the conclusion

202. In an annual audit cycle, the audit of an organization's IT department resulted in many findings.

Which of the following would be the MOST important consideration when planning the next audit?

Postponing the review until all of the findings have been rectified

Limiting the review to the deficient areas

Verifying that all recommendations have been implemented

Following up on the status of all recommendations

203. Which of the following is found in an audit charter?

The process of developing the annual audit plan

The authority given to the audit function

Required training for audit staff

Audit objectives and scope

204. Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

A control self-assessment (CSA)

Results of control testing

Interviews with management

A control matrix

205. An incident response team has been notified of a virus outbreak in a network subnet.

Which of the following should be the NEXT step?

Verify that the compromised systems are fully functional

Focus on limiting the damage

Document the incident

Remove and restore the affected systems

206. A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country.

Which of the following would be MOST helpful in making this

assessment?

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

Identifying data security threats in the affected jurisdiction

Reviewing data classification procedures associated with the affected jurisdiction

Identifying business processes associated with personal data exchange with the affected jurisdiction

207. The use of which of the following would BEST enhance a process improvement program?

Model-based design notations

Balanced scorecard

Capability maturity models

Project management methodologies

208. An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process.

Which of the following is the MOST appropriate population to sample from

when testing for remediation?

All users provisioned after the final audit report was issued

All users who have followed user provisioning processes provided by management

All users provisioned after management resolved the audit issue

All users provisioned after the finding was originally identified

209. Which of the following should be the PRIMARY purpose of conducting tabletop exercises when re-viewing a security incident response plan?

To provide efficiencies for alignment with incident response test scenarios

To determine process improvement options for the incident response plan

To gather documentation for responding to security audit inquiries

To confirm that technology is in place to support the incident response plan

210. An IS auditor is reviewing a data conversion project Which of the following is the auditor's BEST recommendation prior to go-live?

Review test procedures and scenarios

Conduct a mock conversion test

Establish a configuration baseline

Automate the test scripts

Page 22 of 41

211. The charging method that effectively encourages the MOST efficient use of IS resources is:

specific charges that can be tied back to specific usage.

total utilization to achieve full operating capacity.

residual income in excess of actual incurred costs.

allocations based on the ability to absorb charges.

212. Which of the following security risks can be reduced by a property configured network firewall?

SQL injection attacks

Denial of service (DoS) attacks

Phishing attacks

Insider attacks

213. The PRIMARY goal of capacity management is to:

minimize data storage needs across the organization.

provide necessary IT resources to meet business requirements.

minimize system idle time to optimize cost.

ensure that IT teams have sufficient personnel.

214. Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Implement network access control.

Implement outbound firewall rules.

Perform network reviews.

Review access control lists.

215. Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?

Password/PIN protection

Device tracking software

Device encryption

Periodic backup

216. One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

basis for allocating indirect costs.

cost of replacing equipment.

estimated cost of ownership.

basis for allocating financial resources.

217. Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

The information security policy has not been approved by the chief audit executive (CAE).

The information security policy does not include mobile device provisions

The information security policy is not frequently reviewed

The information security policy has not been approved by the policy owner

218. An organization has both an IT strategy committee and an IT steering committee.

When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the committee:

assessed the contribution of IT to the business.

acquired and assigned appropriate resources for projects.

compared the risk and return of IT investments.

reviewed the achievement of the strategic IT objective.

219. An IS auditor is asked to review an organization's technology relationships, interfaces, and data.

Which of the following enterprise architecture (EA) areas is MOST appropriate this review? (Choose Correct answer and give explanation from CISA Certification - Information Systems Auditor official book)

Reference architecture

Infrastructure architecture

Information security architecture

Application architecture

220. Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

Classifies documents to correctly reflect the level of sensitivity of information they contain

Defines the conditions under which documents containing sensitive information may be transmitted

Classifies documents in accordance with industry standards and best practices

Ensures documents are handled in accordance With the sensitivity of information they contain

Page 23 of 41

221. When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Ensuring the scope of penetration testing is restricted to the test environment

Obtaining management's consent to the testing scope in writing

Notifying the IT security department regarding the testing scope

Agreeing on systems to be excluded from the testing scope with the IT department

222. During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Require the auditee to address the recommendations in full.

Adjust the annual risk assessment accordingly.

Evaluate senior management's acceptance of the risk.

Update the audit program based on management's acceptance of risk.

223. Which of the following would minimize the risk of losing transactions as a result of a disaster?

Sending a copy of the transaction logs to offsite storage on a daily basis

Storing a copy of the transaction logs onsite in a fireproof vault

Encrypting a copy of the transaction logs and store on a local server

Signing a copy of the transaction logs and store on a local server

224. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

the organization's network.

the demilitarized zone (DMZ).

the Internet.

the organization's web server.

225. Which of the following should be of GREATEST concern for an IS auditor when reviewing user account policies?

There is no policy to revoke an employee's system access upon termination.

There is no policy in place for ongoing security awareness training.

There is no policy requiring employees to sign nondisclosure agreements (NDAs).

There is no policy to revoke previous access rights when employees change roles.

226. During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk.

Which of the following is the BEST course of action in this situation?

Outsource low-risk audits to external audit service providers.

Conduct limited-scope audits of low-risk business entities.

Validate the low-risk entity ratings and apply professional judgment.

Challenge the risk rating and include the low-risk entities in the plan.

227. Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Identifying relevant roles for an enterprise IT governance framework

Making decisions regarding risk response and monitoring of residual risk

Verifying that legal, regulatory, and contractual requirements are being met

Providing independent and objective feedback to facilitate improvement of IT processes

228. An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware.

Which of the following BEST ensures data integrity is preserved during the migration?

Reconciling sample data to most recent backups

Obfuscating confidential data

Encrypting the data

Comparing checksums

229. Which of the following is the BEST sampling method to use when relatively few errors are expected to be found in a population?

Variable sampling

Judgmental sampling

Stop-or-go sampling

Discovery sampling

230. Which of the following is the MOST effective way to evaluate the physical security of a data center?

Review data center access logs.

Interview data center stakeholders.

Review camera footage from the data center.

Perform a data center tour.

Page 24 of 41

231. Which of the following is an example of a preventive control for physical access?

Keeping log entries for all visitors to the building

Implementing a fingerprint-based access control system for the building

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

Implementing a centralized logging server to record instances of staff logging into workstations

232. Which of the following biometric access controls has the HIGHEST rate of false negatives?

Iris recognition

Fingerprint scanning

Face recognition

Retina scanning

233. An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

A. security parameters are set in accordance with the manufacturer s standards.

B. a detailed business case was formally approved prior to the purchase.

C. security parameters are set in accordance with the organization's policies.

D. the procurement project invited lenders from at least three different suppliers.

234. Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?

Estimated cost and time

Level of risk reduction

Expected business value

Available resources

235. Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Degaussing

Random character overwrite

Physical destruction

Low-level formatting

236. A system performance dashboard indicates several application servers are reaching the defined

threshold for maximum CPU allocation.

Which of the following would be the IS auditor's BEST recommendation for the IT department?

Increase the defined processing threshold to reflect capacity consumption during normal operations.

Notify end users of potential disruptions caused by degradation of servers.

Terminate both ingress and egress connections of these servers to avoid overload.

Validate the processing capacity of these servers is adequate to complete computing tasks.

237. Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?

Tracking devices used for spare parts

Creating the device policy

vIssuing devices to employees

Approving the issuing of devices

238. Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?

Testing at a secondary site using offsite data backups

Performing a quarterly tabletop exercise

Reviewing recovery time and recovery point objectives

Reviewing documented backup and recovery procedures

239. An IS auditor is evaluating an organization's IT strategy and plans.

Which of the following would be of GREATEST concern?

There is not a defined IT security policy.

The business strategy meeting minutes are not distributed.

IT is not engaged in business strategic planning.

There is inadequate documentation of IT strategic planning.

240. An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

violation reports may not be reviewed in a timely manner.

a significant number of false positive violations may be reported.

violations may not be categorized according to the organization's risk profile.

violation reports may not be retained according to the organization's risk profile.

Page 25 of 41

241. Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD)

policy to help prevent data leakage?

Require employees to waive privacy rights related to data on BYOD devices.

Require multi-factor authentication on BYOD devices,

Specify employee responsibilities for reporting lost or stolen BYOD devices.

Allow only registered BYOD devices to access the network.

242. An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

the implementation plan meets user requirements.

a full, visible audit trail will be Included.

a dear business case has been established.

the new hardware meets established security standards

243. An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating.

Which of the following is the BEST recommendation? (Choose Correct

answer and give explanation from CISA Certification - Information Systems Auditor official book)

Biometrics

Procedures for escorting visitors

Airlock entrance

Intruder alarms

244. Which of the following is the MOST important reason for an IS auditor to examine the results of a post-incident review performed after a security incident?

To evaluate the effectiveness of continuous improvement efforts

To compare incident response metrics with industry benchmarks

To re-analyze the incident to identify any hidden backdoors planted by the attacker

To evaluate the effectiveness of the network firewall against future security breaches

245. Which of the following is an audit reviewer's PRIMARY role with regard to evidence?

Ensuring unauthorized individuals do not tamper with evidence after it has been captured

Ensuring evidence is sufficient to support audit conclusions

Ensuring appropriate statistical sampling methods were used

Ensuring evidence is labeled to show it was obtained from an approved source

246. Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported.

Which of the following is the IS auditor's BEST recommendation?

Ensure corrected program code is compiled in a dedicated server.

Ensure change management reports are independently reviewed.

Ensure programmers cannot access code after the completion of program edits.

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

247. Which of the following is the MOST appropriate control to ensure integrity of online orders?

Data Encryption Standard (DES)

Digital signature

Public key encryption

Multi-factor authentication

248. An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

A significant increase in authorized connections to third parties

A significant increase in cybersecurity audit findings

A significant increase in approved exceptions

A significant increase in external attack attempts

249. An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology.

What is the MOST important criterion for the makeup of this committee?

Senior management representation

Ability to meet the time commitment required

Agile project management experience

ERP implementation experience

250. An organization used robotic process automation (RPA) technology to develop software bots that extract data from various sources for input into a legacy financial application.

Which of the following should be of GREATEST concern to an IS auditor when reviewing the software bot job scheduling and production process automation?

Minor overrides were not authorized by the business

Software bots were incapable of learning from training data

Software bots were programmed to record all user interactions, including mouse tracking

Unauthorized modifications were made to the scripts to improve performance

Page 26 of 41

251. Which of the following is the MOST important consideration to facilitate prosecution of a perpetrator after a cybercrime?

An active intrusion detection system (IDS)

Professional collection of unaltered evidence

Reporting to the internal legal department

Immediate law enforcement involvement

252. During an audit of a financial application, it was determined that many terminated users' accounts were not disabled.

Which of the following should be the IS auditor's NEXT step?

Perform substantive testing of terminated users' access rights.

Perform a review of terminated users' account activity

Communicate risks to the application owner.

Conclude that IT general controls ate ineffective.

253. A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system.

Which of the following is the IS auditor's BEST recommendation?

Enable automatic encryption, decryption, and electronic signing of data files.

Automate the transfer of data between systems as much as is feasible.

Have coders perform manual reconciliation of data between systems.

Implement software to perform automatic reconciliations of data between systems.

254. What should an IS auditor do FIRST when a follow-up audit reveals some management action plans have not been initiated?

Confirm whether the identified risks are still valid.

Provide a report to the audit committee.

Escalate the lack of plan completion to executive management.

Request an additional action plan review to confirm the findings.

255. When auditing the adequacy of a cooling system for a data center, which of the following is MOST important for the IS auditor to review?

Environmental performance metrics

Geographical location of the data center

Disaster recovery plan (DRP) testing results

Facilities maintenance records

256. What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

Earned value analysis (EVA)

Return on investment (ROI) analysis

Gantt chart

Critical path analysis

257. Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?

Encrypt the extensible markup language (XML) file.

Implement Transport Layer Security (TLS).

Mask the API endpoints.

Implement Simple Object Access Protocol (SOAP).

258. The GREATEST concern for an IS auditor reviewing vulnerability assessments by the auditee would be if the assessments are:

Conducted once per year just before system audits are scheduled.

Conducted by the internal technical team instead of external experts.

Performed for critical systems, not for the entire infrastructure.

Performed using open-source testing tools.

259. Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

Voice recovery

Alternative routing

Long-haul network diversity

Last-mile circuit protection

260. When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?

Significantly higher turnover

Lack of customer satisfaction surveys

Aging staff

Increase in the frequency of software upgrades

Page 27 of 41

261. An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data.

Which of the following is the PRIMARY advantage of this approach?

Audit transparency

Data confidentiality

Professionalism

Audit efficiency

262. After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit.

Which of the following risks is MOST affected by this oversight?

Inherent

Operational

Audit

Financial

263. Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?

The project risk exceeds the organization's risk appetite.

Executing the project will require additional investments.

Expected business value is expressed in qualitative terms.

The organization will be the first to offer the proposed services.

264. A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.

Which of the following is MOST effective in detecting such an intrusion?

Using smart cards with one-time passwords

Periodically reviewing log files

Configuring the router as a firewall

Installing biometrics-based authentication

265. Which of the following controls BEST provides confidentiality and nonrepudiation for an online business looking for digital payment data security?

Data Encryption Standard (DES)

Advanced Encryption Standard (AES)

Public Key Infrastructure (PKI)

Virtual Private Network (VPN)

266. An IS auditor is evaluating the progress of a web-based customer service application development project.

Which of the following would be MOST helpful for this evaluation?

Backlog consumption reports

Critical path analysis reports

Developer status reports

Change management logs

267. During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing.

Which of the following should the IS auditor identify as the associated risk?

Increased vulnerability due to anytime, anywhere accessibility

Increased need for user awareness training

The use of the cloud negatively impacting IT availability

Lack of governance and oversight for IT infrastructure and applications

268. An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area.

Which of the following is the GREATEST concern?

Cameras are not monitored 24/7.

There are no notices indicating recording IS in progress.

The retention period for video recordings is undefined

There are no backups of the videos.

269. Which of the following should be of GREATEST concern to an |$ auditor reviewing data conversion and migration during the implementation of a new application system?

The change management process was not formally documented

Backups of the old system and data are not available online

Unauthorized data modifications occurred during conversion,

Data conversion was performed using manual processes

270. During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

perform a business impact analysis (BIA).

issue an intermediate report to management.

evaluate the impact on current disaster recovery capability.

conduct additional compliance testing.

Page 28 of 41

271. A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department.

The auditor should FIRST report this suspicion to:

audit management.

the police.

the audit committee.

auditee line management.

272. An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider.

Which of the following would be the BEST way to prevent accepting bad data?

Obtain error codes indicating failed data feeds.

Purchase data cleansing tools from a reputable vendor.

Appoint data quality champions across the organization.

Implement business rules to reject invalid data.

273. Which of the following would BEST facilitate the successful implementation of an IT-related framework?

Aligning the framework to industry best practices

Establishing committees to support and oversee framework activities

Involving appropriate business representation within the framework

Documenting IT-related policies and procedures

274. Which of the following is the MOST important task of an IS auditor during an application post-implementation review?

Conduct a business impact analysis (BIA)

Perform penetration testing

identify project delays

Verify user access controls

275. When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

a risk management process.

an information security framework.

past information security incidents.

industry best practices.

276. Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

The data center is patrolled by a security guard.

Access to the data center is monitored by video cameras.

ID badges must be displayed before access is granted

Access to the data center is controlled by a mantrap.

277. Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Inaccurate business impact analysis (BIA)

Inadequate IT change management practices

Lack of a benchmark analysis

Inadequate IT portfolio management

278. Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Requirements may become unreasonable.

Local regulations may contradict the policy.

The policy may conflict with existing application requirements.

Local management may not accept the policy.

279. An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version.

Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Verify all patches have been applied to the software system's outdated version.

Close all unused ports on the outdated software system.

Monitor network traffic attempting to reach the outdated software system.

Segregate the outdated software system from the main network.

280. Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Business interruption due to remediation

IT budgeting constraints

Availability of responsible IT personnel

Risk rating of original findings

Page 29 of 41

281. Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Ensure compliance with the data classification policy.

Protect the plan from unauthorized alteration.

Comply with business continuity best practice.

Reduce the risk of data leakage that could lead to an attack.

282. Which of the following is MOST important for an IS auditor to consider when performing the risk

assessment poor to an audit engagement?

The design of controls

Industry standards and best practices

The results of the previous audit

The amount of time since the previous audit

283. An IS auditor finds ad hoc vulnerability scanning is in place with no clear alignment to the organization's wider security threat and vulnerability management program.

Which of the following would BEST enable the organization to work toward improvement in this area?

Implementing security logging to enhance threat and vulnerability management

Maintaining a catalog of vulnerabilities that may impact mission-critical systems

Using a capability maturity model to identify a path to an optimized program

Outsourcing the threat and vulnerability management function to a third party

284. An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

document the exception in an audit report.

review security incident reports.

identify compensating controls.

notify the audit committee.

285. An IS audit reveals that an organization is not proactively addressing known vulnerabilities.

Which of the following should the IS auditor recommend the organization do FIRST?

Verify the disaster recovery plan (DRP) has been tested.

Ensure the intrusion prevention system (IPS) is effective.

Assess the security risks to the business.

Confirm the incident response team understands the issue.

286. An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias.

Which of the following is MOST important for the auditor’s test data set to include?

Applicants of all ages

Applicants from a range of geographic areas and income levels

Incomplete records and incorrectly formatted data

Duplicate records

287. Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Walk-through reviews

Substantive testing

Compliance testing

Design documentation reviews

288. What is the MOST effective way to detect installation of unauthorized software packages by employees?

Regular scanning of hard drives

Communicating the policy to employees

Logging of activity on the network

Maintaining current antivirus software

289. Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Penetration testing

Application security testing

Forensic audit

Server security audit

290. A new system development project is running late against a critical implementation deadline.

Which of the following is the MOST important activity?

Ensure that code has been reviewed.

Perform user acceptance testing (UAT).

Document last-minute enhancements.

Perform a pre-implementation audit.

Page 30 of 41

291. An IS auditor can BEST evaluate the business impact of system failures by:

assessing user satisfaction levels.

interviewing the security administrator.

analyzing equipment maintenance logs.

reviewing system-generated logs.

292. An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them.

If reporting to external authorities is required which of the following is the BEST action for the IS auditor to take?

Submit the report to appropriate regulators immediately.

Obtain approval from audit management to submit the report.

Obtain approval from auditee management to release the report.

Obtain approval from both audit and auditee management to release the report.

293. Which of the following is the MOST important control for virtualized environments?

Regular updates of policies for the operation of the virtualized environment

Hardening for the hypervisor and guest machines

Redundancy of hardware resources and network components

Monitoring utilization of resources at the guest operating system level

294. Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves

for care?

Infrastructure as a Service (laaS) provider

Software as a Service (SaaS) provider

Network segmentation

Dynamic localization

295. Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Utilize a network-based firewall.

Conduct regular user security awareness training.

Perform domain name system (DNS) server security hardening.

Enforce a strong password policy meeting complexity requirement.

296. The PRIMARY purpose of a configuration management system is to:

track software updates.

define baselines for software.

support the release procedure.

standardize change approval.

297. Which of the following business continuity activities prioritizes the recovery of critical functions?

Business continuity plan (BCP) testing

Business impact analysis (BIA)

Disaster recovery plan (DRP) testing

Risk assessment

298. Which of the following should an IS auditor recommend be done FIRST when an organization is planning to implement an IT compliance program?

Identify staff training needs related to compliance requirements.

Analyze historical compliance-related audit findings.

Research and purchase an industry-recognized IT compliance tool

Identify applicable laws, regulations, and standards.

299. To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Root cause

Responsible party

impact

Criteria

300. An organization has engaged a third party to implement an application to perform business-critical calculations.

Which of the following is the MOST important process to help ensure the application provides accurate calculations?

Key performance indicator (KPI) monitoring

Change management

Configuration management

Quality assurance (QA)

Page 31 of 41

301. Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?

It identifies legal obligations that may be incurred as a result of business service disruptions

It provides updates on the risk level of disasters that may occur

It delineates employee responsibilities that the organization must fulfill in a crisis

It helps prioritize the restoration of systems and applications

302. When auditing the security architecture of an online application, an IS auditor should FIRST review the:

firewall standards.

configuration of the firewall

firmware version of the firewall

location of the firewall within the network

303. An organization allows its employees lo use personal mobile devices for work.

Which of the following would BEST maintain information security without compromising employee privacy?

Installing security software on the devices

Partitioning the work environment from personal space on devices

Preventing users from adding applications

Restricting the use of devices for personal purposes during working hours

304. Management has decided to accept a risk in response to a draft audit recommendation.

Which of the following should be the IS auditor’s NEXT course of action?

Document management's acceptance in the audit report.

Escalate the acceptance to the board.

Ensure a follow-up audit is on next year's plan.

Escalate acceptance to the audit committee.

305. During a review, an IS auditor discovers that corporate users are able to access cloud-based applications and data from any Internet-connected web browser.

Which of the following is the auditor's BEST recommendation to help prevent unauthorized access?

Utilize strong anti-malware controls on all computing devices.

Update security policies and procedures.

Implement an intrusion detection system (IDS).

Implement multi-factor authentication.

306. An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated.

Which of the following should be of MOST concern?

Confidentiality of the user list

Timeliness of the user list review

Completeness of the user list

Availability of the user list

307. The use of which of the following is an inherent risk in the application container infrastructure?

Shared registries

Host operating system

Shared data

Shared kernel

308. Which of the following is MOST likely to be reduced when implementing optimal risk management strategies?

Sampling risk

Residual risk

Detection risk

Inherent risk

309. Upon completion of audit work, an IS auditor should:

provide a report to senior management prior to discussion with the auditee.

distribute a summary of general findings to the members of the auditing team.

provide a report to the auditee stating the initial findings.

review the working papers with the auditee.

310. Which of the following BEST enables an organization to improve the effectiveness of its incident response team?

Conducting periodic testing and incorporating lessons learned

Increasing the mean resolution time and publishing key performance indicator (KPI) metrics

Disseminating incident response procedures and requiring signed acknowledgment by team members

Ensuring all team members understand information systems technology

Page 32 of 41

311. Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Multiple connects to the database are used and slow the process_

User accounts may remain active after a termination.

Users may be able to circumvent application controls.

Application may not capture a complete audit trail.

312. An organization is concerned with meeting new regulations for protecting data confidentiality and asks an IS auditor to evaluate their procedures for transporting data.

Which of the following would BEST support the organization's objectives?

Cryptographic hashes

Virtual local area network (VLAN)

Encryption

Dedicated lines

313. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

the organization's web server.

the demilitarized zone (DMZ).

the organization's network.

the Internet

314. Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Conduct periodic onsite assessments using agreed-upon criteria.

Conduct an unannounced vulnerability assessment of the vendor’s IT systems.

Periodically review the service level agreement (SLA) with the vendor.

Obtain evidence of the vendor's control self-assessment (CSA).

315. Which of the following concerns is BEST addressed by securing production source libraries?

Programs are not approved before production source libraries are updated.

Production source and object libraries may not be synchronized.

Changes are applied to the wrong version of production source libraries.

Unauthorized changes can be moved into production.

316. In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Onsite disk-based backup systems

Tape-based backup systems

Virtual tape library

Redundant array of independent disks (RAID)

317. Management has requested a post-implementation review of a newly implemented purchasing package to determine the extent that business requirements are being met.

Which of the following is MOST likely to be assessed?

Acceptance testing results

Results of live processing

Implementation methodology

Purchasing guidelines and policies

318. An organization's sensitive data is stored in a cloud computing environment and is encrypted.

Which of the following findings should be of GREATEST concern to an IS auditor?

The encryption keys are not kept under dual control.

The cloud vendor does not have multi-regional presence.

Symmetric keys are used for encryption.

Data encryption keys are accessible to the service provider.

319. An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

Directive

Detective

Preventive

Compensating

320. Which of the following encryption methods offers the BEST wireless security?

Wi-Fi Protected Access 3 (WPA3)

Data Encryption Standard (DES)

Wired Equivalent Privacy (WEP)

Secure Sockets Layer (SSL)

Page 33 of 41

321. An IS auditor determines elevated administrator accounts for servers that are not properly checked out and then back in after each use.

Which of the following is the MOST appropriate sampling technique to determine the scope of the problem?

Haphazard sampling

Random sampling

Statistical sampling

Stratified sampling

322. Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Invoking the disaster recovery plan (DRP)

Backing up data frequently

Paying the ransom

Requiring password changes for administrative accounts

323. Which of the following is MOST critical to the success of an information security program?

User accountability for information security

Management's commitment to information security

Integration of business and information security

Alignment of information security with IT objectives

324. Which of the following BEST helps data loss prevention (DLP) tools detect movement of sensitive data m transit?

Network traffic logs

Deep packet inspection

Data inventory

Proprietary encryption

325. A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.

Which of the following is the senior auditor s MOST appropriate course of action?

Ask the auditee to retest

Approve the work papers as written

Have the finding reinstated

Refer the issue to the audit director

326. While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function.

In order to resolve the situation, the IS auditor's BEST course of action would be to:

re-prioritize the original issue as high risk and escalate to senior management.

schedule a follow-up audit in the next audit cycle.

postpone follow-up activities and escalate the alternative controls to senior audit management.

determine whether the alternative controls sufficiently mitigate the risk.

327. The BEST way to evaluate the effectiveness of a newly developed application is to:

perform a post-implementation review-

analyze load testing results.

perform a secure code review.

review acceptance testing results.

328. Which of the following is the MOST important activity in the data classification process?

Labeling the data appropriately

Identifying risk associated with the data

Determining accountability of data owners

Determining the adequacy of privacy controls

329. Which of the following findings from an IT governance review should be of GREATEST concern?

The IT budget is not monitored

All IT services are provided by third parties.

IT value analysis has not been completed.

IT supports two different operating systems.

330. The IS auditor has recommended that management test a new system before using it in production mode.

The BEST approach for management in developing a test plan is to use processing parameters that are:

randomly selected by a test generator.

provided by the vendor of the application.

randomly selected by the user.

simulated by production entities and customers.

Page 34 of 41

331. An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs.

Which of the following is the BEST reason to use a data analytics tool for this purpose?

It reduces the error rate.

It improves the reliability of the data.

It enables the auditor to work with 100% of the transactions.

It reduces the sample size required to perform the audit.

332. Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Write access to production program libraries

Write access to development data libraries

Execute access to production program libraries

Execute access to development program libraries

333. An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

Hardware configurations

Access control requirements

Help desk availability

Perimeter network security diagram

334. Which of the following is the PRIMARY benefit of effective implementation of appropriate data classification?

Ability to meet business requirements

Assurance that sensitive data is encrypted

Increased accuracy of sensitive data

Management of business risk to sensitive data

335. Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Data storage costs

Data classification

Vendor cloud certification

Service level agreements (SLAs)

336. An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality.

Which of the following is the MOST important consideration when making this decision?

Maximum tolerable downtime (MTD)

Recovery time objective (RTO)

Recovery point objective (RPO)

Mean time to repair (MTTR)

337. During which phase of the software development life cycle should an IS auditor be consulted to recommend security controls?

Design and development

Final acceptance testing

Implementation of software

Requirements definition

338. The waterfall life cycle model of software development is BEST suited for which of the following situations?

The protect requirements are wall understood.

The project is subject to time pressures.

The project intends to apply an object-oriented design approach.

The project will involve the use of new technology.

339. A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room.

Which of the following would be the MOST effective compensating control to recommend?

Installing security cameras at the doors

Changing to a biometric access control system

Implementing a monitored mantrap at entrance and exit points

Requiring two-factor authentication at entrance and exit points

340. Using swipe cards to limit employee access to restricted areas requires implementing which additional control?

Physical sign-in of all employees for access to restricted areas

Implementation of additional PIN pads

Periodic review of access profiles by management

Installation of closed-circuit television (CCTV)

Page 35 of 41

341. An IS auditor is reviewing database fields updated in real-time and displayed through other applications in multiple organizational functions.

When validating business approval for these various use cases, which of the following sources of information would be the BEST starting point?

Network map from the network administrator

Historical database change log records

List of integrations from the database administrator (DBA)

Business process flow from management

342. Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Audit cycle defined in the audit plan

Complexity of management's action plans

Recommendation from executive management

Residual risk from the findings of previous audits

343. Which of the following BEST indicates to an IS auditor that an organization handles emergency changes appropriately and transparently?

The application operations manual contains procedures to ensure emergency fixes do not compromise system integrity.

Special logon IDs are used to grant programmers permanent access to the production environment.

Change management controls are retroactively applied.

Emergency changes are applied to production libraries immediately.

344. Audit frameworks can assist the IS audit function by:

defining the authority and responsibility of the IS audit function.

providing direction and information regarding the performance of audits.

outlining the specific steps needed to complete audits.

providing details on how to execute the audit program.

345. An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied.

Which of the following should be of MOST concern to the auditor?

Log feeds are uploaded via batch process.

Completeness testing has not been performed on the log data.

The log data is not normalized.

Data encryption standards have not been considered.

346. An IS audit reveals that an organization operating in business continuity mode during a pandemic situation has not performed a simulation test of the business continuity plan (BCP).

Which of the following is the auditor's BEST course of action?

A. Confirm the BCP has been recently updated.

B. Review the effectiveness of the business response.

C. Raise an audit issue for the lack of simulated testing.

D. Interview staff members to obtain commentary on the BCP's effectiveness.

347. An IS auditor is assessing backup performance and observes that the system administrator manually initiates backups during unexpected peak usage.

Which of the following is the auditor's BEST course of action?

Review separation of duties documentation.

Verify the load balancer configuration.

Recommend using cloud-based backups.

Inspect logs to verify timely execution of backups.

348. An IS auditor finds that the process for removing access for terminated employees is not documented What is the MOST significant risk from this observation?

Procedures may not align with best practices

Human resources (HR) records may not match system access.

Unauthorized access cannot he identified.

Access rights may not be removed in a timely manner.

349. During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs.

Which of the following should be the IS auditor's PRIMARY recommendation?

Programmers should be allowed to implement emergency fixes only after obtaining verbal agreement from the application owner.

Emergency program changes should be subject to program migration and testing procedures before they are applied to operational systems.

Bypass user ID procedures should be put in place to ensure that the changes are subject to after-the-event approval and testing.

350. How would an IS auditor BEST determine the effectiveness of a security awareness program?

Review the results of social engineering tests.

Evaluate management survey results.

Interview employees to assess their security awareness.

Review security awareness training quiz results.

Page 36 of 41

351. Which of the following is MOST important when planning a network audit?

Determination of IP range in use

Analysis of traffic content

Isolation of rogue access points

Identification of existing nodes

352. While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level.

What is the MOST effective way for the organization to improve this situation?

Use automatic document classification based on content.

Have IT security staff conduct targeted training for data owners.

Publish the data classification policy on the corporate web portal.

Conduct awareness presentations and seminars for information classification policies.

353. Which of the following is the PRIMARY reason to perform a risk assessment?

To determine the current risk profile

To ensure alignment with the business impact analysis (BIA)

To achieve compliance with regulatory requirements

To help allocate budget for risk mitigation controls

354. Which of the following staff should an IS auditor interview FIRST to obtain a general overview of the various technologies used across different programs?

Technical architect

Enterprise architect

Program manager

Solution architect

355. Which of the following is the STRONGEST indication of a mature risk management program?

Risk assessment results are used for informed decision-making.

All attributes of risk are evaluated by the risk owner.

A metrics dashboard has been approved by senior management.

The risk register is regularly updated by risk practitioners.

356. Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met.

Which of the following is MOST likely to be assessed?

Purchasing guidelines and policies

Implementation methodology

Results of line processing

Test results

357. Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A. Cost of projects divided by total IT cost

B. Expected return divided by total project cost

C. Net present value (NPV) of the portfolio

D. Total cost of each project

358. When conducting an audit of an organization's use of AI in its customer service chatbots, an IS auditor should PRIMARILY focus on the:

Safeguarding of personal data processing by the AI system.

AI system's compliance with industry security standards.

Speed and accuracy of chatbot responses to customer queries.

AI system's ability to handle multiple customer queries at once.

359. Which of the following is the MOST important advantage of participating in beta testing of software products?

It increases an organization's ability to retain staff who prefer to work with new technology.

It improves vendor support and training.

It enhances security and confidentiality.

It enables an organization to gain familiarity with new products and their functionality.

360. An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose.

Which of the following is MOST important to review before implementing this initiative?

Regulatory compliance requirements

Data ownership assignments

Encryption capabilities

Customer notification procedures

Page 37 of 41

361. Which of the following provides the MOST useful information regarding an organization's risk appetite and tolerance?

Gap analysis

Audit reports

Risk profile

Risk register

362. Which of the following poses the GREATEST risk to the use of active RFID tags?

Session hijacking

Eavesdropping

Piggybacking

Phishing attacks

363. An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes.

Which of the following recommendations would BEST help to reduce the risk of data leakage?

Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by employees

Establishing strong access controls on confidential data

Providing education and guidelines to employees on use of social networking sites

Monitoring employees' social networking usage

364. When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:

database conflicts are managed during replication.

end users are trained in the replication process.

the source database is backed up on both sites.

user rights are identical on both databases.

365. Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Staff members who failed the test did not receive follow-up education

Test results were not communicated to staff members.

Staff members were not notified about the test beforehand.

Security awareness training was not provided prior to the test.

366. An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated.

Which of the following should be the MAJOR concern with this situation?

Abuses by employees have not been reported.

Lessons learned have not been properly documented

vulnerabilities have not been properly addressed

Security incident policies are out of date.

367. During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

A. Business case development phase when stakeholders are identified

B. Application design phase process functionalities are finalized

C. User acceptance testing (UAT) phase when test scenarios are designed

D. Application coding phase when algorithms are developed to solve business problems

368. Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?

Measuring user satisfaction with the quality of the training

Evaluating the results of a social engineering exercise

Reviewing security staff performance evaluations

Performing an analysis of the number of help desk calls

369. Data from a system of sensors located outside of a network is received by the open ports on a server.

Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Route the traffic from the sensor system through a proxy server.

Hash the data that is transmitted from the sensor system.

Implement network address translation on the sensor system.

Transmit the sensor data via a virtual private network (VPN) to the server.

370. An IS auditor finds that a number of key patches have not been applied in a timely manner due to re-source constraints.

Which of the following is the GREATEST risk to the organization in this situation?

Systems may not be supported by the vendor.

Known security vulnerabilities may not be mitigated.

Different systems may not be compatible.

The systems may not meet user requirements.

Page 38 of 41

371. A third-party consultant is managing the replacement of an accounting system.

Which of the following should be the IS auditor's GREATEST concern?

Data migration is not part of the contracted activities.

The replacement is occurring near year-end reporting

The user department will manage access rights.

Testing was performed by the third-party consultant

372. Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Expected deliverables meeting project deadlines

Sign-off from the IT team

Ongoing participation by relevant stakeholders

Quality assurance (OA) review

373. Which of the following should be done FIRST when planning a penetration test?

Execute nondisclosure agreements (NDAs).

Determine reporting requirements for vulnerabilities.

Define the testing scope.

Obtain management consent for the testing.

374. Which of the following would be MOST important to include in an IS audit report?

Observations not reported as findings due to inadequate evidence

The roadmap for addressing the various risk areas

The level of unmitigated risk along with business impact

Specific technology solutions for each audit observation

375. An IS auditor reviewing a job scheduling tool notices performance and reliability problems.

Which of the following is MOST likely affecting the tool?

Administrator passwords do not meet organizational security and complexity requirements.

The number of support staff responsible for job scheduling has been reduced.

The scheduling tool was not classified as business-critical by the IT department.

Maintenance patches and the latest enhancement upgrades are missing.

376. When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the

feasibility study

business case

request for proposal (RFP)

alignment with IT strategy

377. A small organization is experiencing rapid growth and plans to create a new information security policy.

Which of the following is MOST relevant to creating the policy?

Business objectives

Business impact analysis (BIA)

Enterprise architecture (EA)

Recent incident trends

378. An internal audit department recently established a quality assurance (QA) program.

Which of the following activities Is MOST important to include as part of the QA program requirements?

Long-term Internal audit resource planning

Ongoing monitoring of the audit activities

Analysis of user satisfaction reports from business lines

Feedback from Internal audit staff

379. Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Findings from prior audits

Results of a risk assessment

An inventory of personal devices to be connected to the corporate network

Policies including BYOD acceptable user statements

380. Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Securing information assets in accordance with the classification assigned

Validating that assets are protected according to assigned classification

Ensuring classification levels align with regulatory guidelines

Defining classification levels for information assets within the organization

Page 39 of 41

381. An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country.

What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?

Financial regulations affecting the organization

Data center physical access controls whore the application is hosted

Privacy regulations affecting the organization

Per-unit cost charged by the hosting services provider for storage

382. Which of the following provides the BEST assurance that vendor-supported software remains up to date?

Release and patch management

Licensing agreement and escrow

Software asset management

Version management

383. Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Reviewing vacation patterns

Reviewing user activity logs

Interviewing senior IT management

Mapping IT processes to roles

384. Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Lack of appropriate labelling

Lack of recent awareness training.

Lack of password protection

Lack of appropriate data classification

385. Which of the following audit procedures would provide the BEST assurance that an application program is functioning as designed?

Using a continuous auditing module

Interviewing business management

Confirming accounts

Reviewing program documentation

386. An IS auditor finds that a new network connection allows communication between the Internet and the internal enterprise resource planning (ERP) system.

Which of the following is the PRIMARY business impact to include when presenting this observation to management?

An increase to the threat landscape

A decrease in data quality in the ERP system

A decrease in network performance

An increase in potential fines from regulators

387. Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Deviation detection

Cluster sampling

Random sampling

Classification

388. Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Legacy data has not been purged.

Admin account passwords are not set to expire.

Default settings have not been changed.

Database activity logging is not complete.

389. Which of the following is MOST helpful for understanding an organization’s key driver to modernize application platforms?

Vendor software inventories

Network architecture diagrams

System-wide incident reports

Inventory of end-of-life software

390. An IS auditor wants to verify alignment of the organization's business continuity plan (BCP) with the business strategy.

Which of the following would be MOST helpful to review?

Disaster recovery plan (DRP) testing results

Business impact analysis (BIA)

Corporate risk management policy

Key performance indicators (KPIs)

Page 40 of 41

391. Which of the following BEST describes a digital signature?

It is under control of the receiver.

It is capable of authorization.

It dynamically validates modifications of data.

It is unique to the sender using it.

392. Which of the following is the BEST indication that there are potential problems within an organization's IT service desk function?

Undocumented operating procedures

Lack of segregation of duties

An excessive backlog of user requests

Lack of key performance indicators (KPIs)

393. Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?

Scalability

High availability

Alternate routing

Flexibility

394. Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?

Monitoring tools are configured to alert in case of downtime

A comprehensive security review is performed every quarter.

Data for different tenants is segregated by database schema

Tenants are required to implement data classification polices

395. Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

The recovery plan does not contain the process and application dependencies.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

The duration of tabletop exercises is longer than the recovery time objective (RTO).

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

396. Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

Jobs are scheduled and a log of this activity is retained for subsequent review.

Job failure alerts are automatically generated and routed to support personnel.

397. The PRIMARY advantage of object-oriented technology is enhanced:

efficiency due to the re-use of elements of logic.

management of sequential program execution for data access.

grouping of objects into methods for data access.

management of a restricted variety of data types for a data object.

398. Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Balanced scorecard

Enterprise dashboard

Enterprise architecture (EA)

Key performance indicators (KPIs)

399. An incident response team has been notified of a virus outbreak in a network subnet.

Which of the following should be the NEXT step?

Focus on limiting the damage.

Remove and restore the affected systems.

Verify that the compromised systems are fully functional.

Document the incident.

400. Which of the following should be an IS auditor's PRIMARY focus when auditing the implementation of a new IT operations performance monitoring system?

Reviewing whether all changes have been implemented

Validating whether baselines have been established

Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements

Determining whether there is a process for annual review of the maintenance manual

Page 41 of 41

401. Which of the following is the BEST indicator for measuring performance of IT help desk function?

Percentage of problems raised from incidents

Mean time to categorize tickets

Number 0t incidents reported

Number of reopened tickets

402. Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

Invite external auditors and regulators to perform regular assessments of the IS audit function.

Implement rigorous managerial review and sign-off of IS audit deliverables.

Frequently review IS audit policies, procedures, and instruction manuals.

Establish and embed quality assurance (QA) within the IS audit function.

403. During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed.

Which of the following is the auditor's BEST course of action?

Determine whether the tested scenarios covered the most significant project risks.

Help management complete remaining scenario testing before implementation.

Recommend project implementation be postponed until all scenarios have been tested.

Perform remaining scenario testing in the production environment post implementation.

404. Which of the following security measures will reduce the risk of propagation when a cyberattack

occurs?

Perimeter firewall

Data loss prevention (DLP) system

Network segmentation

Web application firewall (WAF)

405. Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?

Electronic copies of customer sales receipts are maintained.

Monthly bank statements are reconciled without exception.

Nightly batch processing has been replaced with real-time processing.

The data transferred over the POS interface is encrypted.

406. The PRIMARY reason to assign data ownership for protection of data is to establish:

reliability.

traceability.

authority,

accountability.

407. Which of the following provides the MOST assurance of the integrity of a firewall log?

The log is reviewed on a monthly basis.

Authorized access is required to view the log.

The log cannot be modified.

The log is retained per policy.

TAGS:

CISA, CISA exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Get CISA Dumps Full Version

Q&As: 1405
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

ISACA CISA Exam Questions Simulate Actual CISA Exam

Related

Posts

CRISC Exam Dumps – Reliable Way to Pass and Get Certified

Prepare NIST-COBIT-2019 Exam with Using NIST-COBIT-2019 Dump Questions

Pass CCAK Exam to Get ISACA Certification

CGEIT Exam Dumps – Reliable Way to Pass and Get Certified

About Us

EMAIL

Services

Opening Hours