ISACA CISA Exam Questions Simulate Actual CISA Exam

Category:

Comments:

0 Comments

Post Date:

March 18, 2023

CISA exam dumps questions are designed to simulate the actual exam. This means that you will get a feel for the types of questions you can expect to see on the exam, as well as the format and difficulty level. In addition, CISA Certification CISA dumps are often accompanied by detailed explanations and answers. This means that if you get a question wrong, you can learn from your mistake and understand why the correct answer is the right one. Test free online CISA exam dumps below.

Page 1 of 21

1. An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality.

Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

The current business capabilities delivered by the legacy system

The proposed network topology to be used by the redesigned system

The data flows between the components to be used by the redesigned system

The database entity relationships within the legacy system

2. An organization has outsourced its data processing function to a service provider.

Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Assessment of the personnel training processes of the provider

Adequacy of the service provider's insurance

Review of performance against service level agreements (SLAs)

Periodic audits of controls by an independent auditor

3. Which of the following is the MOST important responsibility of user departments associated with program changes?

Providing unit test data

Analyzing change requests

Updating documentation lo reflect latest changes

Approving changes before implementation

4. During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months.

Which of the following is the BEST course of action?

Require documentation that the finding will be addressed within the new system

Schedule a meeting to discuss the issue with senior management

Perform an ad hoc audit to determine if the vulnerability has been exploited

Recommend the finding be resolved prior to implementing the new system

5. An IS auditor observes that a business-critical application does not currently have any level of fault tolerance.

Which of the following is the GREATEST concern with this situation?

Degradation of services

Limited tolerance for damage

Decreased mean time between failures (MTBF)

Single point of failure

6. Which of the following is the BEST way to sanitize a hard disk for reuse to ensure the organization's information cannot be accessed?

Re-partitioning

Degaussing

Formatting

Data wiping

7. Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Implement network access control.

Implement outbound firewall rules.

Perform network reviews.

Review access control lists.

8. An IS auditor assessing the controls within a newly implemented call center would First

gather information from the customers regarding response times and quality of service.

review the manual and automated controls in the call center.

test the technical infrastructure at the call center.

evaluate the operational risk associated with the call center.

9. Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?

The IS auditor provided consulting advice concerning application system best practices.

The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.

The IS auditor designed an embedded audit module exclusively for auditing the application system.

The IS auditor implemented a specific control during the development of the application system.

10. Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

Configure a single server as a primary authentication server and a second server as a secondary authentication server.

Configure each authentication server as belonging to a cluster of authentication servers.

Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

Configure each authentication server and ensure that the disks of each server form part of a duplex.

Page 2 of 21

11. An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments.

The IS auditor should FIRST

document the exception in an audit report.

review security incident reports.

identify compensating controls.

notify the audit committee.

12. To confirm integrity for a hashed message, the receiver should use:

the same hashing algorithm as the sender's to create a binary image of the file.

a different hashing algorithm from the sender's to create a binary image of the file.

the same hashing algorithm as the sender's to create a numerical representation of the file.

a different hashing algorithm from the sender's to create a numerical representation of the file.

13. Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

An assessment of whether requirements will be fully met

An assessment indicating security controls will operate effectively

An assessment of whether the expected benefits can be achieved

An assessment indicating the benefits will exceed the implement

14. During an incident management audit, an IS auditor finds that several similar incidents

were logged during the audit period.

Which of the following is the auditor's MOST important course of action?

Document the finding and present it to management.

Determine if a root cause analysis was conducted.

Confirm the resolution time of the incidents.

Validate whether all incidents have been actioned.

15. An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding.

Which of two following is the MOST reliable follow-up procedure?

Review the documentation of recant changes to implement sequential order numbering.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

Examine a sample of system generated purchase orders obtained from management

16. Which of the following MOST effectively minimizes downtime during system conversions?

Phased approach

Direct cutover

Pilot study

Parallel run

17. During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon.

Which of the following is the auditor's BEST course of action?

Report the deviation by the control owner in the audit report.

Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.

Cancel the follow-up audit and reschedule for the next audit period.

Request justification from management for not implementing the recommended control.

18. Which of the following is MOST important for an effective control self-assessment (CSA) program?

Determining the scope of the assessment

Performing detailed test procedures

Evaluating changes to the risk environment

Understanding the business process

19. A review of an organization’s IT portfolio revealed several applications that are not in use.

The BEST way to prevent this situation from recurring would be to implement.

A formal request for proposal (RFP) process

Business case development procedures

An information asset acquisition policy

Asset life cycle management.

20. Which of the following would BEST help to ensure that an incident receives attention from appropriate personnel in a timely manner?

Completing the incident management log

Broadcasting an emergency message

Requiring a dedicated incident response team

Implementing incident escalation procedures

Page 3 of 21

21. Which of the following findings from an IT governance review should be of GREATEST concern?

The IT budget is not monitored

All IT services are provided by third parties.

IT value analysis has not been completed.

IT supports two different operating systems.

22. Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Rotate job duties periodically.

Perform an independent audit.

Hire temporary staff.

Implement compensating controls.

23. Which of the following should be restricted from a network administrator's privileges in an adequately segregated IT environment?

Monitoring network traffic

Changing existing configurations for applications

Hardening network ports

Ensuring transmission protocols are functioning correctly

24. in a controlled application development environment the MOST important segregation of duties should be between the person who implements changes into the production environment and the:

application programmer

systems programmer

computer operator

quality assurance (QA) personnel

25. Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Use of stateful firewalls with default configuration

Ad hoc monitoring of firewall activity

Misconfiguration of the firewall rules

Potential back doors to the firewall software

26. Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?

Integration testing

Regression testing

Automated testing

User acceptance testing (UAT)

27. While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

re-prioritize the original issue as high risk and escalate to senior management.

schedule a follow-up audit in the next audit cycle.

postpone follow-up activities and escalate the alternative controls to senior audit management.

determine whether the alternative controls sufficiently mitigate the risk.

28. What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Perform background verification checks.

Review third-party audit reports.

Implement change management review.

Conduct a privacy impact analysis.

29. Which of the following concerns is BEST addressed by securing production source libraries?

Programs are not approved before production source libraries are updated.

Production source and object libraries may not be synchronized.

Changes are applied to the wrong version of production source libraries.

Unauthorized changes can be moved into production.

30. When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

architecture and cloud environment of the system.

business process supported by the system.

policies and procedures of the business area being audited.

availability reports associated with the cloud-based system.

Page 4 of 21

31. In a RAO model, which of the following roles must be assigned to only one individual?

Responsible

Informed

Consulted

Accountable

32. Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

Antivirus software was unable to prevent the attack even though it was properly updated

The most recent security patches were not tested prior to implementation

Backups were only performed within the local network

Employees were not trained on cybersecurity policies and procedures

33. The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:

payment processing.

payroll processing.

procurement.

product registration.

34. Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

A control self-assessment (CSA)

Results of control testing

Interviews with management

A control matrix

35. Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Audit charter

IT steering committee

Information security policy

Audit best practices

36. An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization.

Which of the following monthly performance

metrics is the BEST indicator of service quality?

The total number of users requesting help desk services

The average call waiting time on each request

The percent of issues resolved by the first contact

The average turnaround time spent on each reported issue

37. An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit.

What should the auditor consider the MOST significant concern?

Attack vectors are evolving for industrial control systems.

There is a greater risk of system exploitation.

Disaster recovery plans (DRPs) are not in place.

Technical specifications are not documented.

38. Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?

File level encryption

File Transfer Protocol (FTP)

Instant messaging policy

Application level firewalls

39. What is the BEST control to address SQL injection vulnerabilities?

Unicode translation

Secure Sockets Layer (SSL) encryption

Input validation

Digital signatures

40. Which of the following would provide the BEST evidence of an IT strategy corrections effectiveness?

The minutes from the IT strategy committee meetings

Synchronization of IT activities with corporate objectives

The IT strategy committee charier

Business unit satisfaction survey results

Page 5 of 21

41. Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Perform a business impact analysis (BIA).

Determine which databases will be in scope.

Identify the most critical database controls.

Evaluate the types of databases being used

42. A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.

Which of the following is MOST effective in detecting such an intrusion?

Periodically reviewing log files

Configuring the router as a firewall

Using smart cards with one-time passwords

Installing biometrics-based authentication

43. With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

A business impact analysis (BIA) has not been performed

Business data is not sanitized in the development environment

There is no plan for monitoring system downtime

The process owner has not signed off on user acceptance testing (UAT)

44. An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data.

Which of the following is the PRIMARY advantage of this approach?

Audit transparency

Data confidentiality

Professionalism

Audit efficiency

45. Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

The organization's systems inventory is kept up to date.

Vulnerability scanning results are reported to the CIS

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

Access to the vulnerability scanning tool is periodically reviewed

46. An IS auditor has been asked to audit the proposed acquisition of new computer hardware.

The auditor’s PRIMARY concern Is that:

the implementation plan meets user requirements.

a full, visible audit trail will be Included.

a dear business case has been established.

the new hardware meets established security standards

47. Which of the following is an example of a preventative control in an accounts payable system?

The system only allows payments to vendors who are included In the system's master vendor list.

Backups of the system and its data are performed on a nightly basis and tested periodically.

The system produces daily payment summary reports that staff use to compare against invoice totals.

Policies and procedures are clearly communicated to all members of the accounts payable department

48. An IS auditor is assigned to review the IS department s quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards.

Which of the following should be the auditor's NEXT action1?

Make recommendations to IS management as to appropriate quality standards

Postpone the audit until IS management implements written standards

Document and lest compliance with the informal standards

Finalize the audit and report the finding

49. An organization is migrating its HR application to an Infrastructure as a Service (laaS) model in a private cloud.

Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

The cloud provider's external auditor

The cloud provider

The operating system vendor

The organization

50. A web proxy server for corporate connections to external resources reduces organizational risk by:

anonymizing users through changed IP addresses.

providing multi-factor authentication for additional security.

providing faster response than direct access.

load balancing traffic to optimize data pathways.

Page 6 of 21

51. Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?

CCTV recordings are not regularly reviewed.

CCTV cameras are not installed in break rooms

CCTV records are deleted after one year.

CCTV footage is not recorded 24 x 7.

52. During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

Input from customers

Industry standard business definitions

Validation of rules by the business

Built-in data error prevention application controls

53. During an ongoing audit, management requests a briefing on the findings to date.

Which of the following is the IS auditor's BEST course of action?

Review working papers with the auditee.

Request the auditee provide management responses.

Request management wait until a final report is ready for discussion.

Present observations for discussion only.

54. A database administrator (DBA) should be prevented from having end user responsibilities :

having end user responsibilities

accessing sensitive information

having access to production files

using an emergency user ID

55. Which of the following BEST addresses the availability of an online store?

RAID level 5 storage devices

Online backups

A mirrored site at another location

Clustered architecture

56. An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system.

The auditor's FIRST course of action should be to:

review recent changes to the system.

verify completeness of user acceptance testing (UAT).

verify results to determine validity of user concerns.

review initial business requirements.

57. An organization with many desktop PCs is considering moving to a thin client architecture.

Which of the following is the MAJOR advantage?

The security of the desktop PC is enhanced.

Administrative security can be provided for the client.

Desktop application software will never have to be upgraded.

System administration can be better managed

58. Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

The organization does not use an industry-recognized methodology

Changes and change approvals are not documented

All changes require middle and senior management approval

There is no centralized configuration management database (CMDB)

59. Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Background checks

User awareness training

Transaction log review

Mandatory holidays

60. In order to be useful, a key performance indicator (KPI) MUST

be approved by management.

be measurable in percentages.

be changed frequently to reflect organizational strategy.

have a target value.

Page 7 of 21

61. When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?

The information security department has difficulty filling vacancies

An information security governance audit was not conducted within the past year

The data center manager has final sign-off on security projects

Information security policies are updated annually

62. Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

Ensuring that audit trails exist for transactions

Restricting access to update programs to accounts payable staff only

Including the creator's user ID as a field in every transaction record created

Restricting program functionality according to user security profiles

63. Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Limiting access to the data files based on frequency of use

Obtaining formal agreement by users to comply with the data classification policy

Applying access controls determined by the data owner

Using scripted access control lists to prevent unauthorized access to the server

64. Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Identify approved data workflows across the enterprise.

Conduct a threat analysis against sensitive data usage.

Create the DLP pcJc.es and templates

Conduct a data inventory and classification exercise

65. IT disaster recovery time objectives (RTOs) should be based on the:

maximum tolerable loss of data.

nature of the outage

maximum tolerable downtime (MTD).

business-defined criticality of the systems.

66. Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Temperature sensors

Humidity sensors

Water sensors

Air pressure sensors

67. The PRIMARY benefit of information asset classification is that it:

prevents loss of assets.

helps to align organizational objectives.

facilitates budgeting accuracy.

enables risk management decisions.

68. Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Readily available resources such as domains and risk and control methodologies

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

Wide acceptance by different business and support units with IT governance objectives

69. Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Disabled USB ports

Full disk encryption

Biometric access control

Two-factor authentication

70. A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking.

Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?

Difference estimation sampling

Stratified mean per unit sampling

Customer unit sampling

Unstratified mean per unit sampling

Page 8 of 21

71. Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Annual sign-off of acceptable use policy

Regular monitoring of user access logs

Security awareness training

Formalized disciplinary action

72. Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Program coding standards have been followed

Acceptance test criteria have been developed

Data conversion procedures have been establish.

The design has been approved by senior management.

73. During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers.

How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

Review compliance with data loss and applicable mobile device user acceptance policies.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

Verify employees have received appropriate mobile device security awareness training.

74. Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?

Comparing code between old and new systems

Running historical transactions through the new system

Reviewing quality assurance (QA) procedures

Loading balance and transaction data to the new system

75. Which of the following data would be used when performing a business impact analysis (BIA)?

Projected impact of current business on future business

Cost-benefit analysis of running the current business

Cost of regulatory compliance

Expected costs for recovering the business

76. Which of the following is MOST important during software license audits?

Judgmental sampling

Substantive testing

Compliance testing

Stop-or-go sampling

77. Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

The end-to-end process is understood and documented.

Roles and responsibilities are defined for the business processes in scope.

A benchmarking exercise of industry peers who use RPA has been completed.

A request for proposal (RFP) has been issued to qualified vendors.

78. Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?

Unit the use of logs to only those purposes for which they were collected

Restrict the transfer of log files from host machine to online storage

Only collect logs from servers classified as business critical

Limit log collection to only periods of increased security activity

79. A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization.

Which of the following is MOST effective in detecting such an intrusion?

Using smart cards with one-time passwords

Periodically reviewing log files

Configuring the router as a firewall

Installing biometrics-based authentication

80. Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Apply single sign-on for access control

Implement segregation of duties.

Enforce an internal data access policy.

Enforce the use of digital signatures.

Page 9 of 21

81. When an intrusion into an organization network is deleted, which of the following should be done FIRST?

Block all compromised network nodes.

Contact law enforcement.

Notify senior management.

Identity nodes that have been compromised.

82. Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Analyze whether predetermined test objectives were met.

Perform testing at the backup data center.

Evaluate participation by key personnel.

Test offsite backup files.

83. Audit frameworks cart assist the IS audit function by:

defining the authority and responsibility of the IS audit function.

providing details on how to execute the audit program.

providing direction and information regarding the performance of audits.

outlining the specific steps needed to complete audits

84. An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions.

Which of the following is MOST important for the auditor to confirm when sourcing the population data?

The data is taken directly from the system.

There is no privacy information in the data.

The data can be obtained in a timely manner.

The data analysis tools have been recently updated.

85. Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

To ensure that older versions are availability for reference

To ensure that only the latest approved version of the application is used

To ensure compatibility different versions of the application

To ensure that only authorized users can access the application

86. For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

attributes for system passwords.

security training prior to implementation.

security requirements for the new application.

the firewall configuration for the web server.

87. An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations.

The auditor's MAIN concern should be that:

violation reports may not be reviewed in a timely manner.

a significant number of false positive violations may be reported.

violations may not be categorized according to the organization's risk profile.

violation reports may not be retained according to the organization's risk profile.

88. Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Conduct periodic on-site assessments using agreed-upon criteria.

Periodically review the service level agreement (SLA) with the vendor.

Conduct an unannounced vulnerability assessment of vendor's IT systems.

Obtain evidence of the vendor's control self-assessment (CSA).

89. An IS auditor is performing a follow-up audit for findings identified in an organization's user provisioning process.

Which of the following is the MOST appropriate population to sample from when testing for remediation?

All users provisioned after the finding was originally identified

All users provisioned after management resolved the audit issue

All users provisioned after the final audit report was issued

All users who have followed user provisioning processes provided by management

90. When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

each information asset is to a assigned to a different classification.

the security criteria are clearly documented for each classification

Senior IT managers are identified as information owner.

the information owner is required to approve access to the asset

Page 10 of 21

91. Which of the following demonstrates the use of data analytics for a loan origination process?

Evaluating whether loan records are included in the batch file and are validated by the servicing system

Comparing a population of loans input in the origination system to loans booked on the servicing system

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

92. An IS auditor finds that one employee has unauthorized access to confidential data.

The IS auditor's BEST recommendation should be to:

reclassify the data to a lower level of confidentiality

require the business owner to conduct regular access reviews.

implement a strong password schema for users.

recommend corrective actions to be taken by the security administrator.

93. Which of the following occurs during the issues management process for a system development project?

Contingency planning

Configuration management

Help desk management

Impact assessment

94. Coding standards provide which of the following?

Program documentation

Access control tables

Data flow diagrams

Field naming conventions

95. Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?

Update security policies based on the new regulation.

Determine which systems and IT-related processes may be impacted.

Evaluate how security awareness and training content may be impacted.

Review the design and effectiveness of existing IT controls.

96. Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Restricting evidence access to professionally certified forensic investigators

Documenting evidence handling by personnel throughout the forensic investigation

Performing investigative procedures on the original hard drives rather than images of the hard drives

Engaging an independent third party to perform the forensic investigation

97. CORRECT TEXT

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Staff members who failed the test did not receive follow-up education

Test results were not communicated to staff members.

Staff members were not notified about the test beforehand.

Security awareness training was not provided prior to the test.

98. During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

application test cases.

acceptance testing.

cost-benefit analysis.

project plans.

99. Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?

Project segments are established.

The work is separated into phases.

The work is separated into sprints.

Project milestones are created.

100. An IS auditor who was instrumental in designing an application is called upon to review the application.

The auditor should:

refuse the assignment to avoid conflict of interest.

use the knowledge of the application to carry out the audit.

inform audit management of the earlier involvement.

modify the scope of the audit.

Page 11 of 21

101. Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Have an independent party review the source calculations

Execute copies of EUC programs out of a secure library

implement complex password controls

Verify EUC results through manual calculations

102. An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy.

What is the BEST way (or the auditor to address this issue?

Recommend the application be patched to meet requirements.

Inform the IT director of the policy noncompliance.

Verify management has approved a policy exception to accept the risk.

Take no action since the application will be decommissioned in three months.

103. Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Level of stakeholder satisfaction with the scope of planned IT projects

Percentage of enterprise risk assessments that include IT-related risk

Percentage of stat satisfied with their IT-related roles

Frequency of business process capability maturity assessments

104. Which of the following is MOST important to consider when scheduling follow-up audits?

The efforts required for independent verification with new auditors

The impact if corrective actions are not taken

The amount of time the auditee has agreed to spend with auditors

Controls and detection risks related to the observations

105. An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization's RACI chart.

Which of the following roles within the chart would provide this information?

Consulted

Informed

Responsible

Accountable

106. Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only.

Which of the following did the IS auditor potentially compromise?

Proficiency

Due professional care

Sufficient evidence

Reporting

107. When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

communicate via Transport Layer Security (TLS),

block authorized users from unauthorized activities.

channel access only through the public-facing firewall.

channel access through authentication.

108. Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Legal and compliance requirements

Customer agreements

Data classification

Organizational policies and procedures

109. An IS auditor follows up on a recent security incident and finds the incident response was not adequate.

Which of the following findings should be considered MOST critical?

The security weakness facilitating the attack was not identified.

The attack was not automatically blocked by the intrusion detection system (IDS).

The attack could not be traced back to the originating person.

Appropriate response documentation was not maintained.

110. A programmer has made unauthorized changes lo key fields in a payroll system report.

Which of the following control weaknesses would have contributed MOST to this problem?

The programmer did not involve the user in testing

The user requirements were not documented

The programmer has access to the production programs

Payroll files were not under the control of a librarian

Page 12 of 21

111. An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Network penetration tests are not performed

The network firewall policy has not been approved by the information security officer.

Network firewall rules have not been documented.

The network device inventory is incomplete.

112. Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Logs are being collected in a separate protected host

Automated alerts are being sent when a risk is detected

Insider attacks are being controlled

Access to configuration files Is restricted.

113. Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Stronger data security

Better utilization of resources

Increased application performance

Improved disaster recovery

114. Which of the following is the BEST way to detect unauthorized copies of licensed software on systems?

Implement controls to prohibit downloads of unauthorized software.

Conduct periodic software scanning.

Perform periodic counting of licenses.

Require senior management approval when installing licenses.

115. Which of the following should an organization do to anticipate the effects of a disaster?

Define recovery point objectives (RPO)

Simulate a disaster recovery

Develop a business impact analysis (BIA)

Analyze capability maturity model gaps

116. Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Ensure that the facts presented in the report are correct

Communicate the recommendations lo senior management

Specify implementation dates for the recommendations.

Request input in determining corrective action.

117. Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Limiting the size of file attachments being sent via email

Automatically deleting emails older than one year

Moving emails to a virtual email vault after 30 days

Allowing employees to store large emails on flash drives

118. Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?

Password/PIN protection

Device tracking software

Device encryption

Periodic backup

119. An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Source code version control

Project change management controls

Existence of an architecture review board

Configuration management

120. A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon

The MOST effective plan of action would be to:

evaluate replacement systems and performance monitoring software.

restrict functionality of system monitoring software to security-related events.

re-install the system and performance monitoring software.

use analytical tools to produce exception reports from the system and performance monitoring software

Page 13 of 21

121. A disaster recovery plan (DRP) should include steps for:

assessing and quantifying risk.

negotiating contracts with disaster planning consultants.

identifying application control requirements.

obtaining replacement supplies.

122. An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities.

Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

Increasing the frequency of risk-based IS audits for each business entity

Developing a risk-based plan considering each entity's business processes

Conducting an audit of newly introduced IT policies and procedures

Revising IS audit plans to focus on IT changes introduced after the split

123. An accounting department uses a spreadsheet to calculate sensitive financial transactions.

Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

There Is a reconciliation process between the spreadsheet and the finance system

A separate copy of the spreadsheet is routinely backed up

The spreadsheet is locked down to avoid inadvertent changes

Access to the spreadsheet is given only to those who require access

124. One benefit of return on investment (ROI) analysts in IT decision making is that it provides the:

basis for allocating indirect costs.

cost of replacing equipment.

estimated cost of ownership.

basis for allocating financial resources.

125. An IS auditor is following up on prior period items and finds management did not address an audit finding.

Which of the following should be the IS auditor's NEXT course of action?

Note the exception in a new report as the item was not addressed by management.

Recommend alternative solutions to address the repeat finding.

Conduct a risk assessment of the repeat finding.

Interview management to determine why the finding was not addressed.

126. An incident response team has been notified of a virus outbreak in a network subnet.

Which of the following should be the NEXT step?

Verify that the compromised systems are fully functional

Focus on limiting the damage

Document the incident

Remove and restore the affected systems

127. A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

the provider has alternate service locations.

the contract includes compensation for deficient service levels.

the provider's information security controls are aligned with the company's.

the provider adheres to the company's data retention policies.

128. Which of the following is an IS auditor's BEST approach when prepanng to evaluate whether the IT strategy supports the organization's vision and mission?

Review strategic projects tor return on investments (ROls)

Solicit feedback from other departments to gauge the organization's maturity

Meet with senior management to understand business goals

Review the organization's key performance indicators (KPls)

129. Upon completion of audit work, an IS auditor should:

provide a report to senior management prior to discussion with the auditee.

distribute a summary of general findings to the members of the auditing team.

provide a report to the auditee stating the initial findings.

review the working papers with the auditee.

130. Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

Chief information security officer (CISO)

Information security steering committee

Board of directors

Chief information officer (CIO)

Page 14 of 21

131. An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found.

Which sampling method would be appropriate?

Discovery sampling

Judgmental sampling

Variable sampling

Stratified sampling

132. Which of the following is the GREATEST risk if two users have concurrent access to the same database record?

Availability integrity

Data integrity

Entity integrity

Referential integrity

133. In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?

Discovery

Attacks

Planning

Reporting

134. An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs).

Which of the following findings should be of MOST concern to the auditor?

KPI data is not being analyzed

KPIs are not clearly defined

Some KPIs are not documented

KPIs have never been updated

135. Which of the following is a corrective control?

Separating equipment development testing and production

Verifying duplicate calculations in data processing

Reviewing user access rights for segregation

Executing emergency response plans

136. Which of the following is MOST critical for the effective implementation of IT governance?

Strong risk management practices

Internal auditor commitment

Supportive corporate culture

Documented policies

137. The use of which of the following is an inherent risk in the application container infrastructure?

Shared registries

Host operating system

Shared data

Shared kernel

138. An IS auditor is reviewing documentation of application systems change control and identifies several patches that were not tested before being put into production.

Which of the following is the MOST significant risk from this situation?

Loss of application support

Lack of system integrity

Outdated system documentation

Developer access 1o production

139. Which of the following is the BEST data integrity check?

Counting the transactions processed per day

Performing a sequence check

Tracing data back to the point of origin

Preparing and running test data

140. Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Write access to production program libraries

Write access to development data libraries

Execute access to production program libraries

Execute access to development program libraries

Page 15 of 21

141. An IS auditor discovers that validation controls m a web application have been moved from the server side into the browser to boost performance

This would MOST likely increase the risk of a successful attack by.

phishing.

denial of service (DoS)

structured query language (SQL) injection

buffer overflow

142. A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification.

Which of the following is the IS auditors BEST recommendation to facilitate compliance with the regulation?

Establish key performance indicators (KPls) for timely identification of security incidents.

Engage an external security incident response expert for incident handling.

Enhance the alert functionality of the intrusion detection system (IDS).

Include the requirement in the incident management response plan.

143. During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date

When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

There are documented compensating controls over the business processes.

The risk acceptances were previously reviewed and approved by appropriate senior management

The business environment has not significantly changed since the risk acceptances were approved.

The risk acceptances with issues reflect a small percentage of the total population

144. During an audit of a financial application, it was determined that many terminated users' accounts were not disabled.

Which of the following should be the IS auditor's NEXT step?

Perform substantive testing of terminated users' access rights.

Perform a review of terminated users' account activity

Communicate risks to the application owner.

Conclude that IT general controls ate ineffective.

145. The use of control totals satisfies which of the following control objectives?

Transaction integrity

Processing integrity

Distribution control

System recoverability

146. An IT governance body wants to determine whether IT service delivery is based on consistently effective processes.

Which of the following is the BEST approach?

implement a control self-assessment (CSA)

Conduct a gap analysis

Develop a maturity model

Evaluate key performance indicators (KPIs)

147. Providing security certification for a new system should include which of the following prior to the system's implementation?

End-user authorization to use the system in production

External audit sign-off on financial controls

Testing of the system within the production environment

An evaluation of the configuration management practices

148. Which of the following would BEST help lo support an auditors conclusion about the effectiveness of an implemented data classification program?

Purchase of information management tools

Business use cases and scenarios

Access rights provisioned according to scheme

Detailed data classification scheme

149. Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

Circuit gateway

Application level gateway

Packet filtering router

Screening router

150. Management has learned the implementation of a new IT system will not be completed on time and has requested an audit.

Which of the following audit findings should be of GREATEST concern?

The actual start times of some activities were later than originally scheduled.

Tasks defined on the critical path do not have resources allocated.

The project manager lacks formal certification.

Milestones have not been defined for all project products.

Page 16 of 21

151. Which of the following is MOST important to consider when developing a service level agreement (SLAP)?

Description of the services from the viewpoint of the provider

Detailed identification of work to be completed

Provisions for regulatory requirements that impact the end users' businesses

Description of the services from the viewpoint of the client organization

152. Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Degaussing

Random character overwrite

Physical destruction

Low-level formatting

153. An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit.

Which of the following should be the auditor's NEXT course of action?

Evaluate the appropriateness of the remedial action taken.

Conduct a risk analysis incorporating the change.

Report results of the follow-up to the audit committee.

Inform senior management of the change in approach.

154. An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives.

Which of the following findings should be the IS auditor's GREATEST concern?

Users are not required to sign updated acceptable use agreements.

Users have not been trained on the new system.

The business continuity plan (BCP) was not updated.

Mobile devices are not encrypted.

155. Which type of device sits on the perimeter of a corporate of home network, where it obtains a public IP address and then generates private IP addresses internally?

Switch

Intrusion prevention system (IPS)

Gateway

Router

156. Which of the following is the BEST point in time to conduct a post-implementation review?

After a full processing cycle

Immediately after deployment

After the warranty period

Prior to the annual performance review

157. In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

hire another person to perform migration to production.

implement continuous monitoring controls.

remove production access from the developers.

perform a user access review for the development team

158. In an online application, which of the following would provide the MOST information about the transaction audit trail?

System/process flowchart

File layouts

Data architecture

Source code documentation

159. During a database management evaluation an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts

Which of the following is the auditor's BEST course of action?

Identify accounts that have had excessive failed login attempts and request they be disabled

Request the IT manager to change administrator security parameters and update the finding

Document the finding and explain the risk of having administrator accounts with inappropriate security settings

160. Which of the following is the MOST appropriate control to ensure integrity of online orders?

Data Encryption Standard (DES)

Digital signature

Public key encryption

Multi-factor authentication

Page 17 of 21

161. Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

Walk-through reviews

Substantive testing

Compliance testing

Design documentation reviews

162. An organization is planning to implement a work-from-home policy that allows users to work remotely as needed.

Which of the following is the BEST solution for ensuring secure remote access to corporate resources?

Additional firewall rules

Multi-factor authentication

Virtual private network (VPN)

Virtual desktop

163. Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

The exceptions are likely to continue indefinitely.

The exceptions may result in noncompliance.

The exceptions may elevate the level of operational risk.

The exceptions may negatively impact process efficiency.

164. Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

The IT strategy is modified in response to organizational change.

The IT strategy is approved by executive management.

The IT strategy is based on IT operational best practices.

The IT strategy has significant impact on the business strategy

165. An IS auditor is planning an audit of an organization's accounts payable processes.

Which of the following controls is MOST important to assess in the audit?

Segregation of duties between issuing purchase orders and making payments.

Segregation of duties between receiving invoices and setting authorization limits

Management review and approval of authorization tiers

Management review and approval of purchase orders

166. Which of the following is MOST important for an IS auditor to validate when auditing network device management?

Devices cannot be accessed through service accounts.

Backup policies include device configuration files.

All devices have current security patches assessed.

All devices are located within a protected network segment.

167. Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Expected deliverables meeting project deadlines

Sign-off from the IT team

Ongoing participation by relevant stakeholders

Quality assurance (OA) review

168. Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?

Cross-site scripting (XSS)

Social engineering

Adverse posts about the organization

169. After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Verifying that access privileges have been reviewed

investigating access rights for expiration dates

Updating the continuity plan for critical resources

Updating the security policy

170. When auditing the feasibility study of a system development project, the IS auditor should:

review qualifications of key members of the project team.

review the request for proposal (RFP) to ensure that it covers the scope of work.

review cost-benefit documentation for reasonableness.

ensure that vendor contracts are reviewed by legal counsel.

Page 18 of 21

171. Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Role-based access control policies

Types of data that can be uploaded to the platform

Processes for on-boarding and off-boarding users to the platform

Processes for reviewing administrator activity

172. Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

The certificate revocation list has not been updated.

The PKI policy has not been updated within the last year.

The private key certificate has not been updated.

The certificate practice statement has not been published

173. Which of the following is a PRIMARY responsibility of an IT steering committee?

Prioritizing IT projects in accordance with business requirements

Reviewing periodic IT risk assessments

Validating and monitoring the skill sets of IT department staff

Establishing IT budgets for the business

174. Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions.

Which of the following is MOST important for the organization to ensure?

The policy includes a strong risk-based approach.

The retention period allows for review during the year-end audit.

The total transaction amount has no impact on financial reporting.

The retention period complies with data owner responsibilities.

175. Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Statement of work (SOW)

Nondisclosure agreement (NDA)

Service level agreement (SLA)

Privacy agreement

176. Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?

Monitor access to stored images and snapshots of virtual machines.

Restrict access to images and snapshots of virtual machines.

Limit creation of virtual machine images and snapshots.

Review logical access controls on virtual machines regularly.

177. Which of the following would be a result of utilizing a top-down maturity model process?

A means of benchmarking the effectiveness of similar processes with peers

A means of comparing the effectiveness of other processes within the enterprise

Identification of older, more established processes to ensure timely review

Identification of processes with the most improvement opportunities

178. Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

To determine whether project objectives in the business case have been achieved

To ensure key stakeholder sign-off has been obtained

To align project objectives with business needs

To document lessons learned to improve future project delivery

179. Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

An increase in the number of identified false positives

An increase in the number of detected Incidents not previously identified

An increase in the number of unfamiliar sources of intruders

An increase in the number of internally reported critical incidents

180. The IS quality assurance (OA) group is responsible for:

ensuring that program changes adhere to established standards.

designing procedures to protect data against accidental disclosure.

ensuring that the output received from system processing is complete.

monitoring the execution of computer processing tasks.

Page 19 of 21

181. In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

Planning phase

Execution phase

Follow-up phase

Selection phase

182. Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

The method relies exclusively on the use of asymmetric encryption algorithms.

The method relies exclusively on the use of 128-bit encryption.

The method relies exclusively on the use of digital signatures.

The method relies exclusively on the use of public key infrastructure (PKI).

183. An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report.

Which of the following is the IS auditor's BEST course of action when preparing the final report?

Come to an agreement prior to issuing the final report.

Include the position supported by senior management in the final engagement report

Ensure the auditee's comments are included in the working papers

Exclude the disputed recommendation from the final engagement report

184. Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

Implement data loss prevention (DLP) software

Review perimeter firewall logs

Provide ongoing information security awareness training

Establish behavioral analytics monitoring

185. Which of the following observations would an IS auditor consider the GREATEST risk when

conducting an audit of a virtual server farm tor potential software vulnerabilities?

Guest operating systems are updated monthly

The hypervisor is updated quarterly.

A variety of guest operating systems operate on one virtual server

Antivirus software has been implemented on the guest operating system only.

186. From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?

Inability to close unused ports on critical servers

Inability to identify unused licenses within the organization

Inability to deploy updated security patches

Inability to determine the cost of deployed software

187. Which of the following is MOST important to include in security awareness training?

How to respond to various types of suspicious activity

The importance of complex passwords

Descriptions of the organization's security infrastructure

Contact information for the organization's security team

188. Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Periodic vendor reviews

Dual control

Independent reconciliation

Re-keying of monetary amounts

Engage an external security incident response expert for incident handling.

189. Which of following is MOST important to determine when conducing a post-implementation review?

Whether the solution architecture compiles with IT standards

Whether success criteria have been achieved

Whether the project has been delivered within the approved budget

Whether lessons teamed have been documented

190. Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Perimeter firewall

Data loss prevention (DLP) system

Web application firewall

Network segmentation

Page 20 of 21

191. Which of the following BEST enables alignment of IT with business objectives?

Benchmarking against peer organizations

Developing key performance indicators (KPIs)

Completing an IT risk assessment

Leveraging an IT governance framework

192. Which of the following should be of MOST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?

Data owners are not trained on the use of data conversion tools.

A post-implementation lessons-learned exercise was not conducted.

There is no system documentation available for review.

System deployment is routinely performed by contractors.

193. Which of the following be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?

Preventive maintenance costs exceed the business allocated budget.

Preventive maintenance has not been approved by the information system

Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs)

The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.

194. An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:

deleted data cannot easily be retrieved.

deleting the files logically does not overwrite the files' physical data.

backup copies of files were not deleted as well.

deleting all files separately is not as efficient as formatting the hard disk.

195. The use of access control lists (ACLs) is the MOST effective method to mitigate security risk for routers because they: (Identify Correct answer and related explanation/references from CISA Certification - Information Systems Auditor official Manual or book)

are recommended by security standards.

can limit Telnet and traffic from the open Internet.

act as fitters between the world and the network.

can detect cyberattacks.

196. Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Effectiveness of the security program

Security incidents vs. industry benchmarks

Total number of hours budgeted to security

Total number of false positives

197. During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS).

Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Sampling risk

Detection risk

Control risk

Inherent risk

198. An organization has assigned two now IS auditors to audit a now system implementation. One of the auditors has an IT-related degree, and one has a business degree.

Which of the following is MOST important to meet the IS audit standard for proficiency?

The standard is met as long as one member has a globally recognized audit certification.

Technical co-sourcing must be used to help the new staff.

Team member assignments must be based on individual competencies.

The standard is met as long as a supervisor reviews the new auditors' work.

199. A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

use a proxy server to filter out Internet sites that should not be accessed.

keep a manual log of Internet access.

monitor remote access activities.

include a statement in its security policy about Internet use.

200. Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?

Analysis of industry benchmarks

Identification of organizational goals

Analysis of quantitative benefits

Implementation of a balanced scorecard

Page 21 of 21

201. A third-party consultant is managing the replacement of an accounting system.

Which of the following should be the IS auditor's GREATEST concern?

Data migration is not part of the contracted activities.

The replacement is occurring near year-end reporting

The user department will manage access rights.

Testing was performed by the third-party consultant

202. An organization's IT risk assessment should include the identification of:

vulnerabilities

compensating controls

business needs

business process owners

203. Which of the following is the BEST way to verify the effectiveness of a data restoration process?

Performing periodic reviews of physical access to backup media

Performing periodic complete data restorations

Validating off ne backups using software utilities

Reviewing and updating data restoration policies annually

204. Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?

Security policies are not applicable across all business units

End users are not required to acknowledge security policy training

The security policy has not been reviewed within the past year

Security policy documents are available on a public domain website

205. Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?

Assign the security risk analysis to a specially trained member of the project management office.

Deploy changes in a controlled environment and observe for security defects.

Include a mandatory step to analyze the security impact when making changes.

Mandate that the change analyses are documented in a standard format.

206. An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has slated that it will take six months until the software is running on the current version.

Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Verify all patches have been applied to the software system's outdated version.

Close all unused ports on the outdated software system.

Monitor network traffic attempting to reach the outdated software system.

Segregate the outdated software system from the main network.

207. Which of the following would be of GREATEST concern to an IS auditor reviewing an IT strategy document?

Target architecture is defined at a technical level.

The previous year's IT strategic goals were not achieved.

Strategic IT goals are derived solely from the latest market trends.

Financial estimates of new initiatives are disclosed within the document.

208. Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?

The lack of technical documentation to support the program code

The lack of completion of all requirements at the end of each sprint

The lack of acceptance criteria behind user requirements.

The lack of a detailed unit and system test plan

TAGS:

CISA, CISA exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Posts

ISACA Free Dumps

Get CISA Dumps Full Version

Q&As: 693
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

ISACA CISA Exam Questions Simulate Actual CISA Exam

Related

Posts

CGEIT Exam Dumps – Reliable Way to Pass and Get Certified

Pass Cybersecurity Audit Certificate Exam to Get ISACA Certification

COBIT 2019 Dumps Guarantee You Pass COBIT 2019 Exam Easily

About Us

EMAIL

Services

Opening Hours