ISACA CISA Exam Questions Simulate Actual CISA Exam

Category:

Comments:

0 Comments

Post Date:

March 18, 2023

CISA exam dumps questions are designed to simulate the actual exam. This means that you will get a feel for the types of questions you can expect to see on the exam, as well as the format and difficulty level. In addition, CISA Certification CISA dumps are often accompanied by detailed explanations and answers. This means that if you get a question wrong, you can learn from your mistake and understand why the correct answer is the right one. Test free online CISA exam dumps below.

Page 1 of 36

1. An IS auditor is reviewing a machine learning model that predicts the likelihood that a user will watch a certain movie.

Which of the following would be of GREATEST concern to the auditor?

When the model was tested with data drawn from a different population, the accuracy decreased.

The data set for training the model was obtained from an unreliable source.

An open-source programming language was used to develop the model.

The model was tested with data drawn from the same population as the training data.

2. Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

To determine whether project objectives in the business case have been achieved

To ensure key stakeholder sign-off has been obtained

To align project objectives with business needs

To document lessons learned to improve future project delivery

3. Which type of risk would MOST influence the selection of a sampling methodology?

Inherent

Residual

Control

Detection

4. Which of the following would be of GREATEST concern to an IS auditor reviewing the feasibility study for a new application system?

Security requirements have not been defined.

Conditions under which the system will operate are unclear.

The business case does not include well-defined strategic benefits.

System requirements and expectations have not been clarified.

5. Which of the following is the MOST important factor when an organization is developing information security policies and procedures?

Alignment with an information security framework

Compliance with relevant regulations

Inclusion of mission and objectives

Consultation with security staff

6. Which of the following should be the FRST step when developing a data toes prevention (DIP) solution for a large organization?

Identify approved data workflows across the enterprise.

Conduct a threat analysis against sensitive data usage.

Create the DLP pcJc.es and templates

Conduct a data inventory and classification exercise

7. When planning an internal penetration test, which of the following is the MOST important step prior to finalizing the scope of testing?

Ensuring the scope of penetration testing is restricted to the test environment

Obtaining management's consent to the testing scope in writing

Notifying the IT security department regarding the testing scope

Agreeing on systems to be excluded from the testing scope with the IT department

8. Which of the following provides the BEST assurance that vendor-supported software remains up to date?

Release and patch management

Licensing agreement and escrow

Software asset management

Version management

9. Recovery facilities providing a redundant combination of Internet connections to the local communications loop is an example of which type of telecommunications continuity?

Voice recovery

Alternative routing

Long-haul network diversity

Last-mile circuit protection

10. Which of the following is the BEST source of information to determine the required level of data protection on a file server?

Data classification policy and procedures

Access rights of similar file servers

Previous data breach incident reports

Acceptable use policy and privacy statements

Page 2 of 36

11. An IS auditor follows up on a recent security incident and finds the incident response was not adequate.

Which of the following findings should be considered MOST critical?

The security weakness facilitating the attack was not identified.

The attack was not automatically blocked by the intrusion detection system (IDS).

The attack could not be traced back to the originating person.

Appropriate response documentation was not maintained.

12. Management has requested a post-implementation review of a newly implemented purchasing package to determine the extent that business requirements are being met.

Which of the following is MOST likely to be assessed?

Acceptance testing results

Results of live processing

Implementation methodology

Purchasing guidelines and policies

13. An organization is disposing of removable onsite media which contains sensitive information.

Which of the following is the MOST effective method to prevent disclosure of sensitive data?

Encrypting and destroying keys

Machine shredding

Software formatting

Wiping and rewriting three times

14. Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

To ensure that older versions are availability for reference

To ensure that only the latest approved version of the application is used

To ensure compatibility different versions of the application

To ensure that only authorized users can access the application

15. Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Rotate job duties periodically.

Perform an independent audit.

Hire temporary staff.

Implement compensating controls.

16. An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor.

Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Service level agreement (SLA)

Hardware change management policy

Vendor memo indicating problem correction

An up-to-date RACI chart

17. Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Readily available resources such as domains and risk and control methodologies

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

Wide acceptance by different business and support units with IT governance objectives

18. An organization has assigned two new IS auditors to audit a new system implementation. One of the auditors has an IT-related degree, and one has a business degree.

Which of the following is MOST important to meet the IS audit standard for proficiency?

Team member assignments must be based on individual competencies

Technical co-sourcing must be used to help the new staff

The standard is met as long as one member has a globally recognized audit certification.

The standard is met as long as a supervisor reviews the new auditors' work

19. Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Legacy data has not been purged.

Admin account passwords are not set to expire.

Default settings have not been changed.

Database activity logging is not complete.

20. Which of the following backup schemes is the BEST option when storage media is limited?

Real-time backup

Virtual backup

Differential backup

Full backup

Page 3 of 36

21. Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Version control software

Audit hooks

Utility software

Audit analytics tool

22. Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Agile auditing

Continuous auditing

Outsourced auditing

Risk-based auditing

23. Which of the following would MOST effectively ensure the integrity of data transmitted over a network?

Message encryption

Certificate authority (CA)

Steganography

Message digest

24. A web proxy server for corporate connections to external resources reduces organizational risk by:

anonymizing users through changed IP addresses.

providing multi-factor authentication for additional security.

providing faster response than direct access.

load balancing traffic to optimize data pathways.

25. Which of following is MOST important to determine when conducting a post-implementation review?

Whether the solution architecture compiles with IT standards

Whether success criteria have been achieved

Whether the project has been delivered within the approved budget

Whether lessons teamed have been documented

26. Which of the following is the MOST effective way to identify exfiltration of sensitive data by a malicious insider?

Implement data loss prevention (DLP) software

Review perimeter firewall logs

Provide ongoing information security awareness training

Establish behavioral analytics monitoring

27. Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Align service level agreements (SLAs) with current needs.

Monitor customer satisfaction with the change.

Minimize costs related to the third-party agreement.

Ensure right to audit is included within the contract.

28. Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

A. The recovery plan does not contain the process and application dependencies.

B. The duration of tabletop exercises is longer than the recovery point objective (RPO).

C. The duration of tabletop exercises is longer than the recovery time objective (RTO).

D. The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

29. In an online application, which of the following would provide the MOST information about the transaction audit trail?

System/process flowchart

File layouts

Data architecture

Source code documentation

30. Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

Data privacy must be managed in accordance with the regulations applicable to the organization.

Data privacy must be monitored in accordance with industry standards and best practices.

No personal information may be transferred to the service provider without notifying the customer.

Customer data transferred to the service provider must be reported to the regulatory authority.

Page 4 of 36

31. Which of the following is MOST effective for controlling visitor access to a data center?

Visitors are escorted by an authorized employee

Pre-approval of entry requests

Visitors sign in at the front desk upon arrival

Closed-circuit television (CCTV) is used to monitor the facilities

32. Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

Lessons learned were documented and applied.

Business and IT stakeholders participated in the post-implementation review.

Post-implementation review is a formal phase in the system development life cycle (SDLC).

Internal audit follow-up was completed without any findings.

33. Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

Process and resource inefficiencies

Irregularities and illegal acts

Noncompliance with organizational policies

Misalignment with business objectives

34. An IS auditor discovers that due to resource constraints a database administrator (DBA) is responsible for developing and executing changes into the production environment.

Which of the following should the auditor do FIRSTS

Determine whether another DBA could make the changes

Report a potential segregation of duties violation

identify whether any compensating controls exist

Ensure a change management process is followed prior to implementation

35. During the review of a system disruption incident, an IS auditor notes that IT support staff were put in a position to make decisions beyond their level of authority.

Which of the following is the BEST recommendation to help prevent this situation in the future?

Introduce escalation protocols.

Develop a competency matrix.

Implement fallback options.

Enable an emergency access I

36. During an ongoing audit, management requests a briefing on the findings to date.

Which of the following is the IS auditor's BEST course of action?

Review working papers with the auditee.

Request the auditee provide management responses.

Request management wait until a final report is ready for discussion.

Present observations for discussion only.

37. Which of the following is MOST important for an IS auditor to review when determining whether IT investments are providing value to tie business?

Return on investment (ROI)

Business strategy

Business cases

Total cost of ownership (TCO)

38. Management has decided to accept a risk in response to a draft audit recommendation.

Which of the following should be the IS auditor’s NEXT course of action?

Document management's acceptance in the audit report.

Escalate the acceptance to the board.

Ensure a follow-up audit is on next year's plan.

Escalate acceptance to the audit committee.

39. When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

When planning an audit engagement

When gathering information for the fieldwork

When a violation of a regulatory requirement has been identified

When evaluating representations from the auditee

40. An IS auditor is reviewing processes for importing market price data from external data providers.

Which of the following findings should the auditor consider MOST critical?

The quality of the data is not monitored.

Imported data is not disposed frequently.

The transfer protocol is not encrypted.

The transfer protocol does not require authentication.

Page 5 of 36

41. Which of the following is the PRIMARY benefit of a tabletop exercise for an incident response plan?

It demonstrates the maturity of the incident response program.

It reduces the likelihood of an incident occurring.

It identifies deficiencies in the operating environment.

It increases confidence in the team's response readiness.

42. Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

SIEM reporting is customized.

SIEM configuration is reviewed annually

The SIEM is decentralized.

SIEM reporting is ad hoc.

43. During the audit of an enterprise resource planning (ERP) system, an IS auditor found an application patch was applied to the production environment.

It is MOST important for the IS auditor to verify approval from the:

information security officer.

system administrator.

information asset owner.

project manager.

44. An IS auditor determines that the vendor's deliverables do not include the source code for a newly acquired product.

To address this issue, which of the following should the auditor recommend be included in the contract?

Confidentiality and data protection clauses

Service level agreement (SLA)

Software escrow agreement

Right-to-audit clause

45. During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Require the auditee to address the recommendations in full.

Adjust the annual risk assessment accordingly.

Evaluate senior management's acceptance of the risk.

Update the audit program based on management's acceptance of risk.

46. An internal audit department recently established a quality assurance (QA) program.

Which of the following activities Is MOST important to include as part of the QA program requirements?

Long-term Internal audit resource planning

Ongoing monitoring of the audit activities

Analysis of user satisfaction reports from business lines

Feedback from Internal audit staff

47. An IS auditor is reviewing a medical device that is attached to a patient’s body, which automatically takes and uploads measurements to a cloud server. Treatment may be updated based on the measurements.

Which of the following should be the auditor's PRIMARY focus?

Physical access controls on the device

Security and quality certification of the device

Device identification and authentication

Confirmation that the device is regularly updated

48. What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?

The contract does not contain a right-to-audit clause.

An operational level agreement (OLA) was not negotiated.

Several vendor deliverables missed the commitment date.

Software escrow was not negotiated.

49. A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

the provider has alternate service locations.

the contract includes compensation for deficient service levels.

the provider's information security controls are aligned with the company's.

the provider adheres to the company's data retention policies.

50. An IS auditor has discovered that a software system still in regular use is years out of date and no

longer supported. The auditee has stated that it will take six months until the software is running on the current version.

Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Verify all patches have been applied to the software system's outdated version.

Close all unused ports on the outdated software system.

Monitor network traffic attempting to reach the outdated software system.

Segregate the outdated software system from the main network.

Page 6 of 36

51. Which of the following is the PRIMARY reason to perform a risk assessment?

To determine the current risk profile

To ensure alignment with the business impact analysis (BIA)

To achieve compliance with regulatory requirements

To help allocate budget for risk mitigation controls

52. Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Effectiveness of the security program

Security incidents vs. industry benchmarks

Total number of hours budgeted to security

Total number of false positives

53. Which of the following BEST indicates a need to review an organization's information security policy?

High number of low-risk findings in the audit report

Increasing exceptions approved by management

Increasing complexity of business transactions

Completion of annual IT risk assessment

54. Which of the following is MOST critical to the success of an information security program?

Management's commitment to information security

User accountability for information security

Alignment of information security with IT objectives

Integration of business and information security

55. A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include.

In the vendor contract to ensure continuity?

Continuous 24/7 support must be available.

The vendor must have a documented disaster recovery plan (DRP) in place.

Source code for the software must be placed in escrow.

The vendor must train the organization's staff to manage the new software

56. Which of the following should be the FIRST step in a data migration project?

Reviewing decisions on how business processes should be conducted in the new system

Completing data cleanup in the current database to eliminate inconsistencies

Understanding the new system's data structure

Creating data conversion scripts

57. When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Implementation plan

Project budget provisions

Requirements analysis

Project plan

58. Effective separation of duties in an online environment can BEST be achieved by utilizing:

appropriate supervision.

transaction logging.

written procedure manuals.

access authorization tables.

59. Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Performing a cyber resilience test

Performing a full interruption test

Performing a tabletop test

Performing a parallel test

60. Which of the following findings related to segregation of duties should be of GREATEST concern to an IS auditor?

The person who tests source code also approves changes.

The person who administers servers is also part of the infrastructure management team.

The person who creates new user accounts also modifies user access levels.

The person who edits source code also has write access to production.

Page 7 of 36

61. What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?

Establish rules for converting data from one format to another

Implement data entry controls for new and existing applications

Implement a consistent database indexing strategy

Develop a metadata repository to store and access metadata

62. An IS auditor has been asked to audit the proposed acquisition of new computer hardware.

The auditor’s PRIMARY concern Is that:

the implementation plan meets user requirements.

a full, visible audit trail will be Included.

a dear business case has been established.

the new hardware meets established security standards

63. During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed.

Which of the following is the auditor's BEST course of action?

Determine whether the tested scenarios covered the most significant project risks.

Help management complete remaining scenario testing before implementation.

Recommend project implementation be postponed until all scenarios have been tested.

Perform remaining scenario testing in the production environment post implementation.

64. An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems.

What type of control is being implemented?

Directive

Detective

Preventive

Compensating

65. Management has learned the implementation of a new IT system will not be completed on time and has requested an audit.

Which of the following audit findings should be of GREATEST concern?

The actual start times of some activities were later than originally scheduled.

Tasks defined on the critical path do not have resources allocated.

The project manager lacks formal certification.

Milestones have not been defined for all project products.

66. Which of the following types of firewalls provides the GREATEST degree of control against hacker intrusion?

Packet filtering router

Circuit gateway

Application-level gateway

Screening router.

67. The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

is more effective at suppressing flames.

allows more time to abort release of the suppressant.

has a decreased risk of leakage.

disperses dry chemical suppressants exclusively.

68. Which of the following is the BEST source of information for examining the classification of new data?

Input by data custodians

Security policy requirements

Risk assessment results

Current level of protection

69. IT disaster recovery time objectives (RTOs) should be based on the:

maximum tolerable loss of data.

nature of the outage

maximum tolerable downtime (MTD).

business-defined criticality of the systems.

70. Demonstrated support from which of the following roles in an organization has the MOST influence over information security governance?

Chief information security officer (CISO)

Information security steering committee

Board of directors

Chief information officer (CIO)

Page 8 of 36

71. Which of the following presents the GREATEST challenge to the alignment of business and IT?

Lack of chief information officer (CIO) involvement in board meetings

Insufficient IT budget to execute new business projects

Lack of information security involvement in business strategy development

An IT steering committee chaired by the chief information officer (CIO)

72. Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

The end-to-end process is understood and documented.

Roles and responsibilities are defined for the business processes in scope.

A benchmarking exercise of industry peers who use RPA has been completed.

A request for proposal (RFP) has been issued to qualified vendors.

73. An IS auditor is reviewing the perimeter security design of a network.

Which of the following provides the GREATEST assurance outgoing Internet traffic is controlled?

Intrusion detection system (IDS)

Security information and event management (SIEM) system

Stateful firewall

Load balancer

74. Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

Ensuring standards are adhered to within the development process

Ensuring the test work supports observations

Updating development methodology

Implementing solutions to correct defects

75. Which of the following should be the PRIMARY consideration when validating a data analytic algorithm that has never been used before?

Enhancing the design of data visualization

Increasing speed and efficiency of audit procedures

Confirming completeness and accuracy

Decreasing the time for data analytics execution

76. Which of the following helps to ensure the integrity of data for a system interface?

System interface testing

user acceptance testing (IJAT)

Validation checks

Audit logs

77. An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities.

Which of the following is the BEST recommendation by the IS auditor?

A. Improve the change management process

B. Establish security metrics.

C. Perform a penetration test

D. Perform a configuration review

78. Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Business interruption due to remediation

IT budgeting constraints

Availability of responsible IT personnel

Risk rating of original findings

79. What is the PRIMARY reason to adopt a risk-based IS audit strategy?

To achieve synergy between audit and other risk management functions

To prioritize available resources and focus on areas with significant risk

To reduce the time and effort needed to perform a full audit cycle

To identify key threats, risks, and controls for the organization

80. Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Identifying relevant roles for an enterprise IT governance framework

Making decisions regarding risk response and monitoring of residual risk

Verifying that legal, regulatory, and contractual requirements are being met

Providing independent and objective feedback to facilitate improvement of IT processes

Page 9 of 36

81. IT management has accepted the risk associated with an IS auditor's finding due to the cost and complexity of the corrective actions.

Which of the following should be the auditor's NEXT course of action?

Perform a cost-benefit analysis.

Document and inform the audit committee.

Report the finding to external regulators.

Notify senior management.

82. Which type of attack targets security vulnerabilities in web applications to gain access to data sets?

Denial of service (DOS)

SQL injection

Phishing attacks

Rootkits

83. An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration.

Which of the following should be the IS auditor's NEXT course of action?

Identify existing mitigating controls.

Disclose the findings to senior management.

Assist in drafting corrective actions.

Attempt to exploit the weakness.

84. The PRIMARY reason to assign data ownership for protection of data is to establish:

reliability.

traceability.

authority,

accountability.

85. Which of the following would provide the BEST evidence that a cloud provider's change management process is effective?

Minutes from regular change management meetings with the vendor

Written assurances from the vendor's CEO and CIO

The results of a third-party review provided by the vendor

A copy of change management policies provided by the vendor

86. Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

The IT strategy is modified in response to organizational change.

The IT strategy is approved by executive management.

The IT strategy is based on IT operational best practices.

The IT strategy has significant impact on the business strategy

87. Which of the following is the BEST reason to implement a data retention policy?

To establish a recovery point objective (RPO) for disaster recovery procedures

To limit the liability associated with storing and protecting information

To document business objectives for processing data within the organization

To assign responsibility and ownership for data protection outside IT

88. During which phase of the software development life cycle is it BEST to initiate the discussion of application controls?

A. Business case development phase when stakeholders are identified

B. Application design phase process functionalities are finalized

C. User acceptance testing (UAT) phase when test scenarios are designed

D. Application coding phase when algorithms are developed to solve business problems

89. Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

The system does not have a maintenance plan.

The system contains several minor defects.

The system deployment was delayed by three weeks.

The system was over budget by 15%.

90. Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Encryption of the spreadsheet

Version history

Formulas within macros

Reconciliation of key calculations

Page 10 of 36

91. Which of the following is the MOST important outcome of an information security program?

Operating system weaknesses are more easily identified.

Emerging security technologies are better understood and accepted.

The cost to mitigate information security risk is reduced.

Organizational awareness of security responsibilities is improved.

92. An IS auditor has been tasked to review the processes that prevent fraud within a business expense claim system.

Which of the following stakeholders is MOST important to involve in this review?

Information security manager

Quality assurance (QA) manager

Business department executive

Business process owner

93. An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions.

Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?

Differential backup

Full backup

Incremental backup

Mirror backup

94. Which of the following poses the GREATEST risk to the use of active RFID tags?

Session hijacking

Eavesdropping

Piggybacking

Phishing attacks

95. A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:

audit management.

the police.

the audit committee.

auditee line management.

96. An IS audit manager was temporarily tasked with supervising a project manager assigned to the

organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience.

What is the BEST course of action?

Transfer the assignment to a different audit manager despite lack of IT project management experience.

Outsource the audit to independent and qualified resources.

Manage the audit since there is no one else with the appropriate experience.

Have a senior IS auditor manage the project with the IS audit manager performing final review.

97. Which of the following data would be used when performing a business impact analysis (BIA)?

Projected impact of current business on future business

Cost-benefit analysis of running the current business

Cost of regulatory compliance

Expected costs for recovering the business

98. An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access.

Which of the following is the GREATEST risk associated with this situation?

Users can export application logs.

Users can view sensitive data.

Users can make unauthorized changes.

Users can install open-licensed software.

99. During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.

Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Key performance indicators (KPIs)

Maximum allowable downtime (MAD)

Recovery point objective (RPO)

Mean time to restore (MTTR)

100. An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository.

Which of the following audit procedures would have MOST likely identified this exception?

Inspecting a sample of alerts generated from the central log repository

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

Inspecting a sample of alert settings configured in the central log repository

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

Page 11 of 36

101. Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Balanced scorecard

Enterprise dashboard

Enterprise architecture (EA)

Key performance indicators (KPIs)

102. When auditing the security architecture of an online application, an IS auditor should FIRST review the:

firewall standards.

configuration of the firewall

firmware version of the firewall

location of the firewall within the network

103. Which of the following management decisions presents the GREATEST risk associated with data leakage?

There is no requirement for desktops to be encrypted

Staff are allowed to work remotely

Security awareness training is not provided to staff

Security policies have not been updated in the past year

104. An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system.

Which of the following is the BEST way to prevent the misconfiguration from recurring?

Monitoring access rights on a regular basis

Referencing a standard user-access matrix

Granting user access using a role-based model

Correcting the segregation of duties conflicts

105. During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing.

Which of the following should the IS auditor identity as the associated risk?

A. The use of the cloud negatively impacting IT availably

B. Increased need for user awareness training

C. Increased vulnerability due to anytime, anywhere accessibility

D. Lack of governance and oversight for IT infrastructure and applications

106. Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Perform a business impact analysis (BIA).

Determine which databases will be in scope.

Identify the most critical database controls.

Evaluate the types of databases being used

107. Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

Data storage costs

Data classification

Vendor cloud certification

Service level agreements (SLAs)

108. Backup procedures for an organization's critical data are considered to be which type of control?

Directive

Corrective

Detective

Compensating

109. Which of the following poses the GREATEST risk to an organization related to system interfaces?

There is no process documentation for some system interfaces.

Notifications of data transfers through the interfaces are not retained.

Parts of the data transfer process are performed manually.

There is no reliable inventory of system interfaces.

110. When protecting the confidentiality of information assets, the MOST effective control practice is the:

Awareness training of personnel on regulatory requirements

Utilization of a dual-factor authentication mechanism

Configuration of read-only access to all users

Enforcement of a need-to-know access control philosophy

Page 12 of 36

111. An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider.

What should be the manager's PRIMARY concern when being made aware that a new auditor in the department previously worked for this provider?

Independence

Professional conduct

Subject matter expertise

Resource availability

112. An IS auditor who was instrumental in designing an application is called upon to review the application.

The auditor should:

refuse the assignment to avoid conflict of interest.

use the knowledge of the application to carry out the audit.

inform audit management of the earlier involvement.

modify the scope of the audit.

113. Which of the following is the MAIN purpose of an information security management system?

To identify and eliminate the root causes of information security incidents

To enhance the impact of reports used to monitor information security incidents

To keep information security policies and procedures up-to-date

To reduce the frequency and impact of information security incidents

114. During the walk-through procedures for an upcoming audit, an IS auditor notes that the key application in scope is part of a Software as a Service (SaaS) agreement.

What should the auditor do NEXT?

Verify whether IT management monitors the effectiveness of the environment.

Verify whether a right-to-audit clause exists.

Verify whether a third-party security attestation exists.

Verify whether service level agreements (SLAs) are defined and monitored.

115. Which of the following should an IS auditor be MOST concerned with when a system uses RFID?

Scalability

Maintainability

Nonrepudiation

Privacy

116. Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

System flowchart

Data flow diagram

Process flowchart

Entity-relationship diagram

117. An auditee disagrees with a recommendation for corrective action that appears in the draft engagement report.

Which of the following is the IS auditor's BEST course of action when preparing the final report?

Come to an agreement prior to issuing the final report.

Include the position supported by senior management in the final engagement report

Ensure the auditee's comments are included in the working papers

Exclude the disputed recommendation from the final engagement report

118. Which of the following is MOST helpful for measuring benefits realization for a new system?

Function point analysis

Balanced scorecard review

Post-implementation review

Business impact analysis (BIA)

119. The PRIMARY goal of capacity management is to:

minimize data storage needs across the organization.

provide necessary IT resources to meet business requirements.

minimize system idle time to optimize cost.

ensure that IT teams have sufficient personnel.

120. Which of the following is MOST important to review during the project initiation phase of developing and deploying a new application?

User requirements

User acceptance testing (UAT) plans

Deployment plans

Architectural design

Page 13 of 36

121. An organization relies on an external vendor that uses a cloud-based Software as a Service (SaaS) model to back up its data.

Which of the following is the GREATEST risk to the organization related to data backup and retrieval?

The organization may be locked into an unfavorable contract with the vendor.

The vendor may be unable to restore critical data.

The vendor may be unable to restore data by recovery time objective (RTO) requirements.

The organization may not be allowed to inspect the vendor's data center.

122. A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room.

Which of the following would be the MOST effective compensating control to recommend?

Installing security cameras at the doors

Changing to a biometric access control system

Implementing a monitored mantrap at entrance and exit points

Requiring two-factor authentication at entrance and exit points

123. Which of the following BEST guards against the risk of attack by hackers?

Tunneling

Encryption

Message validation

Firewalls

124. An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule.

What should the auditor do NEXT?

Interview IT management to clarify the current procedure.

Report this finding to senior management.

Review the organization's patch management policy.

Request a plan of action to be established as a follow-up item.

125. Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?

Policies and procedures for managing documents provided by department heads

A system-generated list of staff and their project assignments. roles, and responsibilities

Previous audit reports related to other departments' use of the same system

Information provided by the audit team lead an the authentication systems used by the department

126. The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

Technology risk

Detection risk

Control risk

Inherent risk

127. An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives.

Which of the following findings should be the IS auditor's GREATEST concern?

Users are not required to sign updated acceptable use agreements.

Users have not been trained on the new system.

The business continuity plan (BCP) was not updated.

Mobile devices are not encrypted.

128. The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:

payment processing.

payroll processing.

procurement.

product registration.

129. Which of the following is the MOST important consideration when developing tabletop exercises within a cybersecurity incident response plan?

Ensure participants are selected from all cross-functional units in the organization.

Create exercises that are challenging enough to prove inadequacies in the current incident response plan.

Ensure the incident response team will have enough distractions to simulate real-life situations.

Identify the scope and scenarios that are relevant to current threats faced by the organization.

130. Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Have an independent party review the source calculations

Execute copies of EUC programs out of a secure library

implement complex password controls

Verify EUC results through manual calculations

Page 14 of 36

131. When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

data analytics findings.

audit trails

acceptance lasting results

rollback plans

132. Which of the following is the PRIMARY reason to involve IS auditors in the software acquisition process?

To help ensure hardware and operating system requirements are considered

To help ensure proposed contracts and service level agreements (SLAs) address key elements

To help ensure the project management process complies with policies and procedures

To help ensure adequate controls to address common threats and risks are considered

133. Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Legal and compliance requirements

Customer agreements

Data classification

Organizational policies and procedures

134. An organization has replaced all of the storage devices at its primary data center with new higher-capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether

the recovery site devices can handle the storage requirements

hardware maintenance contract is in place for both old and new storage devices

the procurement was in accordance with corporate policies and procedures

the relocation plan has been communicated to all concerned parties

135. Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?

Detectors trigger audible alarms when activated.

Detectors have the correct industry certification.

Detectors are linked to dry pipe fire suppression systems.

Detectors are linked to wet pipe fire suppression systems.

136. Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

Continuous auditing

Manual checks

Exception reporting

Automated reconciliations

137. Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

Temperature sensors

Humidity sensors

Water sensors

Air pressure sensors

138. When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:

a risk management process.

an information security framework.

past information security incidents.

industry best practices.

139. Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?

Integrated test facility (ITF)

Snapshots

Data analytics

Audit hooks

140. An IS auditor has been tasked with auditing the inventory control process for a large organization that processes millions of data transactions.

Which of the following is the BEST testing strategy to adopt?

Continuous monitoring

Control self-assessments (CSAs)

Risk assessments

Stop-or-go sampling

Page 15 of 36

141. The IS auditor has recommended that management test a new system before using it in production mode.

The BEST approach for management in developing a test plan is to use processing parameters that are:

randomly selected by a test generator.

provided by the vendor of the application.

randomly selected by the user.

simulated by production entities and customers.

142. When reviewing past results of a recurring annual audit, an IS auditor notes that findings may not have been reported and independence may not have been maintained.

Which of the following is the auditor's BEST course of action?

Inform senior management.

Reevaluate internal controls.

Inform audit management.

Re-perform past audits to ensure independence.

143. To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Review IT staff job descriptions for alignment

Develop quarterly training for each IT staff member.

Identify required IT skill sets that support key business processes

Include strategic objectives m IT staff performance objectives

144. Which of the following should be the FIRST step to successfully implement a corporate data classification program?

Approve a data classification policy.

Select a data loss prevention (DLP) product.

Confirm that adequate resources are available for the project.

Check for the required regulatory requirements.

145. An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software.

Which of the following would be MOST helpful to review?

Service level agreements (SLAs)

Project steering committee charter

IT audit reports

Enterprise architecture (EA)

146. An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider.

Which of the following would be the BEST way to prevent accepting bad data?

Obtain error codes indicating failed data feeds.

Purchase data cleansing tools from a reputable vendor.

Appoint data quality champions across the organization.

Implement business rules to reject invalid data.

147. Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?

IS audit manager

Audit committee

Business owner

Project sponsor

148. Which of the following is MOST important to determine when conducting an audit Of an organization's data privacy practices?

Whether a disciplinary process is established for data privacy violations

Whether strong encryption algorithms are deployed for personal data protection

Whether privacy technologies are implemented for personal data protection

Whether the systems inventory containing personal data is maintained

149. During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST

perform a business impact analysis (BIA).

issue an intermediate report to management.

evaluate the impact on current disaster recovery capability.

conduct additional compliance testing.

150. Which of the following should be done FIRST when planning a penetration test?

Execute nondisclosure agreements (NDAs).

Determine reporting requirements for vulnerabilities.

Define the testing scope.

Obtain management consent for the testing.

Page 16 of 36

151. Which of the following is MOST important when implementing a data classification program?

Understanding the data classification levels

Formalizing data ownership

Developing a privacy policy

Planning for secure storage capacity

152. What is MOST important to verify during an external assessment of network vulnerability?

Update of security information event management (SIEM) rules

Regular review of the network security policy

Completeness of network asset inventory

Location of intrusion detection systems (IDS)

153. Which of the following is a detective control?

Programmed edit checks for data entry

Backup procedures

Use of pass cards to gain access to physical facilities

Verification of hash totals

154. Which of the following is MOST helpful to an IS auditor when assessing the effectiveness of controls?

A control self-assessment (CSA)

Results of control testing

Interviews with management

A control matrix

155. When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

A. each information asset is to a assigned to a different classification.

B. the security criteria are clearly documented for each classification

C. Senior IT managers are identified as information owner.

D. the information owner is required to approve access to the asset

156. An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that

A. security parameters are set in accordance with the manufacturer s standards.

B. a detailed business case was formally approved prior to the purchase.

C. security parameters are set in accordance with the organization's policies.

D. the procurement project invited lenders from at least three different suppliers.

157. Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Utilize a network-based firewall.

Conduct regular user security awareness training.

Perform domain name system (DNS) server security hardening.

Enforce a strong password policy meeting complexity requirement.

158. Which of the following BEST ensures that effective change management is in place in an IS environment?

User authorization procedures for application access are well established.

User-prepared detailed test criteria for acceptance testing of the software.

Adequate testing was carried out by the development team.

Access to production source and object programs is well controlled.

159. Which of the following MUST be completed as part of the annual audit planning process?

Business impact analysis (BIA)

Fieldwork

Risk assessment

Risk control matrix

160. The decision to accept an IT control risk related to data quality should be the responsibility of the:

information security team.

IS audit manager.

chief information officer (CIO).

business owner.

Page 17 of 36

161. An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations.

The auditor's MAIN concern should be that:

violation reports may not be reviewed in a timely manner.

a significant number of false positive violations may be reported.

violations may not be categorized according to the organization's risk profile.

violation reports may not be retained according to the organization's risk profile.

162. Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A. Cost of projects divided by total IT cost

B. Expected return divided by total project cost

C. Net present value (NPV) of the portfolio

D. Total cost of each project

163. A web application is developed in-house by an organization.

Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

Web application firewall (WAF) implementation

Penetration test results

Code review by a third party

Database application monitoring logs

164. Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Testing

Replication

Staging

Development

165. Which of the following BEST addresses the availability of an online store?

RAID level 5 storage devices

Online backups

A mirrored site at another location

Clustered architecture

166. During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period.

Which of the following is the auditor's MOST important course of action?

Document the finding and present it to management.

Determine if a root cause analysis was conducted.

Confirm the resolution time of the incidents.

Validate whether all incidents have been actioned.

167. A project team has decided to switch to an agile approach to develop a replacement for an existing business application.

Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Compare the agile process with previous methodology.

Identify and assess existing agile process control

Understand the specific agile methodology that will be followed.

Interview business process owners to compile a list of business requirements

168. Which of the following is MOST important for an IS auditor to verify when evaluating an organization's data conversion and infrastructure migration plan?

Strategic: goals have been considered.

A rollback plan is included.

A code check review is included.

A migration steering committee has been formed.

169. During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system.

Which of the following is the auditor's BEST recommendation?

System administrators should ensure consistency of assigned rights.

IT security should regularly revoke excessive system rights.

Human resources (HR) should delete access rights of terminated employees.

Line management should regularly review and request modification of access rights

170. An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

document the exception in an audit report.

review security incident reports.

identify compensating controls.

notify the audit committee.

Page 18 of 36

171. An organization has decided to purchase a web-based email service from a third-party vendor and eliminate its own email server infrastructure.

What type of cloud computing environment would BEST meet the organization's objective?

Platform as a Service (PaaS)

Software as a Service (SaaS)

Database as a Service (DBaaS)

Infrastructure as a Service (laaS)

172. Which of the following BEST Indicates that an incident management process is effective?

Decreased time for incident resolution

Increased number of incidents reviewed by IT management

Decreased number of calls lo the help desk

Increased number of reported critical incidents

173. A checksum is classified as which type of control?

Corrective control

Administrative control

Detective control

Preventive control

174. The use of control totals satisfies which of the following control objectives?

Transaction integrity

Processing integrity

Distribution control

System recoverability

175. Which of the following should be the FIRST step m managing the impact of a recently discovered zero-day attack?

Evaluating the likelihood of attack

Estimating potential damage

Identifying vulnerable assets

Assessing the Impact of vulnerabilities

176. An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers.

Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

An imaging process was used to obtain a copy of the data from each computer.

The legal department has not been engaged.

The chain of custody has not been documented.

Audit was only involved during extraction of the Information

177. Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Reviewing the parameter settings

Reviewing the system log

Interviewing the firewall administrator

Reviewing the actual procedures

178. A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied.

Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

unit testing

Network performance

User acceptance testing (UAT)

Regression testing

179. A now regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification.

Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

Establish key performance indicators (KPls) for timely identification of security incidents.

Engage an external security incident response expert for incident handling.

Enhance the alert functionality of the intrusion detection system (IDS).

Include the requirement in the incident management response plan.

180. During a follow-up engagement, an IS auditor confirms evidence of a problem that was not an issue in the original audit.

Which of the following is the auditor's BEST course of action?

Include the evidence as part of a future audit.

Report only on the areas within the scope of the follow-up.

Report the risk to management in the follow-up report.

Expand the follow-up scope to include examining the evidence.

Page 19 of 36

181. An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit.

Which of the following should be the auditor's NEXT course of action?

Evaluate the appropriateness of the remedial action taken.

Conduct a risk analysis incorporating the change.

Report results of the follow-up to the audit committee.

Inform senior management of the change in approach.

182. Which of the following provides the BE ST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?

Enabling remote data destruction capabilities

Implementing mobile device management (MDM)

Disabling unnecessary network connectivity options

Requiring security awareness training for mobile users

183. Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Reviewing vacation patterns

Reviewing user activity logs

Interviewing senior IT management

Mapping IT processes to roles

184. Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

Staff members who failed the test did not receive follow-up education

Test results were not communicated to staff members.

Staff members were not notified about the test beforehand.

Security awareness training was not provided prior to the test.

185. An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank's customers.

Which of the following controls is MOST important for the auditor to confirm is in place?

The default configurations have been changed.

All tables in the database are normalized.

The service port used by the database server has been changed.

The default administration account is used after changing the account password.

186. An external audit firm was engaged to perform a validation and verification review for a systems implementation project. The IS auditor identifies that regression testing is not part of the project plan and was not performed by the systems implementation team. According to the team, the parallel testing being performed is sufficient, making regression testing unnecessary.

What should be the auditor’s NEXT step?

Evaluate the extent of the parallel testing being performed

Recommend integration and stress testing be conducted by the systems implementation team

Conclude that parallel testing is sufficient and regression testing is not needed

Recommend regression testing be conducted by the systems implementation team

187. In an online application which of the following would provide the MOST information about the transaction audit trail?

File layouts

Data architecture

System/process flowchart

Source code documentation

188. The MOST important measure of the effectiveness of an organization's security program is the:

comparison with critical incidents experienced by competitors.

number of vulnerability alerts escalated to senior management.

number of new vulnerabilities reported.

adverse impact of incidents on critical business activities.

189. Which of the following areas is MOST likely to be overlooked when implementing a new data classification process?

End-user computing (EUC) systems

Email attachments

Data sent to vendors

New system applications

190. An incident response team has been notified of a virus outbreak in a network subnet.

Which of the following should be the NEXT step?

Verify that the compromised systems are fully functional

Focus on limiting the damage

Document the incident

Remove and restore the affected systems

Page 20 of 36

191. Which of the following is the MOST important consideration for patching mission critical business application servers against known vulnerabilities?

Patches are implemented in a test environment prior to rollout into production.

Network vulnerability scans are conducted after patches are implemented.

Vulnerability assessments are periodically conducted according to defined schedules.

Roles and responsibilities for implementing patches are defined

192. Which of the following is the MOST important consideration of any disaster response plan?

Lost revenue

Personnel safety

IT asset protection

Adequate resource capacity

193. IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance.

Which of the following controls will MOST effectively compensate for the lack of referential integrity?

More frequent data backups

Periodic table link checks

Concurrent access controls

Performance monitoring tools

194. Which of the following concerns is MOST effectively addressed by implementing an IT framework for alignment between IT and business objectives?

Inaccurate business impact analysis (BIA)

Inadequate IT change management practices

Lack of a benchmark analysis

Inadequate IT portfolio management

195. Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

Mobile device tracking program

Mobile device upgrade program

Mobile device testing program

Mobile device awareness program

196. Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Risk identification

Risk classification

Control self-assessment (CSA)

Impact assessment

197. During an audit of payment services of a branch based in a foreign country, a large global bank's audit team identifies an opportunity to use data analytics techniques to identify abnormal payments.

Which of the following is the team's MOST important course of action?

Consult the legal department to understand the procedure for requesting data from a different jurisdiction.

Conduct a walk through of the analytical strategy with stakeholders of the audited branch to obtain their buy-in.

Request the data from the branch as the team audit charter covers the country where it is based.

Agree on a data extraction and sharing strategy with the IT team of the audited branch.

198. An organization has both an IT strategy committee and an IT steering committee.

When reviewing the minutes of the IT steering committee, an IS auditor would expect to find that the committee:

assessed the contribution of IT to the business.

acquired and assigned appropriate resources for projects.

compared the risk and return of IT investments.

reviewed the achievement of the strategic IT objective.

199. An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases.

Which of the following should be off GREATEST concern to the organization?

Vendor selection criteria are not sufficiently evaluated.

Business resources have not been optimally assigned.

Business impacts of projects are not adequately analyzed.

Project costs exceed established budgets.

200. During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:

application test cases.

acceptance testing.

cost-benefit analysis.

project plans.

Page 21 of 36

201. Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

To optimize system resources

To follow system hardening standards

To optimize asset management workflows

To ensure proper change control

202. Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system.

What is the BEST control to ensure that data is accurately entered into the system?

Reconciliation of total amounts by project

Validity checks, preventing entry of character data

Reasonableness checks for each cost type

Display the back of the project detail after the entry

203. Which of the following is an advantage of using agile software development methodology over the waterfall methodology?

Less funding required overall

Quicker deliverables

Quicker end user acceptance

Clearly defined business expectations

204. In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Configure data quality alerts to check variances between the data warehouse and the source system

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

Include the data warehouse in the impact analysis (or any changes m the source system

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

205. Which of the following provides the BEST evidence that a third-party service provider's information

security controls are effective?

An audit report of the controls by the service provider's external auditor

Documentation of the service provider's security configuration controls

An interview with the service provider's information security officer

A review of the service provider's policies and procedures

206. An IS auditor is reviewing processes for importing market price data from external data providers.

Which of the following findings should the auditor consider MOST critical?

The transfer protocol does not require authentication.

The quality of the data is not monitored.

Imported data is not disposed of frequently.

The transfer protocol is not encrypted.

207. During an operational audit on the procurement department, the audit team encounters a key

system that uses an artificial intelligence (Al) algorithm. The audit team does not have the necessary knowledge to proceed with the audit.

Which of the following is the BEST way to handle this situation?

Perform a skills assessment to identify members from other business units with knowledge of Al.

Remove the Al portion from the audit scope and proceed with the audit.

Delay the audit until the team receives training on Al.

Engage external consultants who have audit experience and knowledge of Al.

208. Which of the following is the MOST significant risk when an application uses individual end-user accounts to access the underlying database?

Multiple connects to the database are used and slow the process_

User accounts may remain active after a termination.

Users may be able to circumvent application controls.

Application may not capture a complete audit trail.

209. Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?

Write access to production program libraries

Write access to development data libraries

Execute access to production program libraries

Execute access to development program libraries

210. An organization allows its employees lo use personal mobile devices for work.

Which of the following would BEST maintain information security without compromising employee privacy?

Installing security software on the devices

Partitioning the work environment from personal space on devices

Preventing users from adding applications

Restricting the use of devices for personal purposes during working hours

Page 22 of 36

211. An organization's software developers need access to personally identifiable information (Pll) stored in a particular data format.

Which of the following is the BEST way to protect this sensitive information while allowing the developers to use it in development and test environments?

Data masking

Data tokenization

Data encryption

Data abstraction

212. Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Expected deliverables meeting project deadlines

Sign-off from the IT team

Ongoing participation by relevant stakeholders

Quality assurance (OA) review

213. Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Analyze whether predetermined test objectives were met.

Perform testing at the backup data center.

Evaluate participation by key personnel.

Test offsite backup files.

214. An IS auditor finds that a recently deployed application has a number of developers with inappropriate update access left over from the testing environment.

Which of the following would have BEST prevented the update access from being migrated?

Establishing a role-based matrix for provisioning users

Re-assigning user access rights in the quality assurance (QA) environment

Holding the application owner accountable for application security

Including a step within the system development life cycle (SDLC) to clean up access prior to go-live

215. Which of the following is the BEST way to prevent social engineering incidents?

Ensure user workstations are running the most recent version of antivirus software.

Maintain an onboarding and annual security awareness program.

Include security responsibilities in job descriptions and require signed acknowledgment.

Enforce strict email security gateway controls.

216. Which of the following threats is mitigated by a firewall?

Intrusion attack

Asynchronous attack

Passive assault

Trojan horse

217. Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?

Shared facilities

Adequacy of physical and environmental controls

Results of business continuity plan (BCP) test

Retention policy and period

218. An organization is considering allowing users to connect personal devices to the corporate network.

Which of the following should be done FIRST?

Conduct security awareness training.

Implement an acceptable use policy

Create inventory records of personal devices

Configure users on the mobile device management (MDM) solution

219. Which of the following metrics would BEST measure the agility of an organization's IT function?

Average number of learning and training hours per IT staff member

Frequency of security assessments against the most recent standards and guidelines

Average time to turn strategic IT objectives into an agreed upon and approved initiative

Percentage of staff with sufficient IT-related skills for the competency required of their roles

220. Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision.

Which of the following should be the IS auditor's NEXT course of action?

Accept management's decision and continue the follow-up.

Report the issue to IS audit management.

Report the disagreement to the board.

Present the issue to executive management.

Page 23 of 36

221. Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Assurance that the new system meets functional requirements

More time for users to complete training for the new system

Significant cost savings over other system implemental or approaches

Assurance that the new system meets performance requirements

222. Which of the following is an IS auditor's BEST approach when prepanng to evaluate whether the IT strategy supports the organization's vision and mission?

Review strategic projects tor return on investments (ROls)

Solicit feedback from other departments to gauge the organization's maturity

Meet with senior management to understand business goals

Review the organization's key performance indicators (KPls)

223. A new system development project is running late against a critical implementation deadline.

Which of the following is the MOST important activity?

Document last-minute enhancements

Perform a pre-implementation audit

Perform user acceptance testing (UAT)

Ensure that code has been reviewed

224. What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Notify law enforcement of the finding.

Require the third party to notify customers.

The audit report with a significant finding.

Notify audit management of the finding.

225. Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization's configuration and release management process?

The organization does not use an industry-recognized methodology

Changes and change approvals are not documented

All changes require middle and senior management approval

There is no centralized configuration management database (CMDB)

226. Which of the following is the MOST appropriate indicator of change management effectiveness?

Time lag between changes to the configuration and the update of records

Number of system software changes

Time lag between changes and updates of documentation materials

Number of incidents resulting from changes

227. Which of following areas is MOST important for an IS auditor to focus on when reviewing the maturity model for a technology organization?

Standard operating procedures

Service level agreements (SLAs)

Roles and responsibility matrix

Business resiliency

228. Which of the following would be of GREATEST concern to an IS auditor reviewing an IT-related customer service project?

The project risk exceeds the organization's risk appetite.

Executing the project will require additional investments.

Expected business value is expressed in qualitative terms.

The organization will be the first to offer the proposed services.

229. If a recent release of a program has to be backed out of production, the corresponding changes within the delta version of the code should be:

filed in production for future reference in researching the problem.

applied to the source code that reflects the version in production.

eliminated from the source code that reflects the version in production.

reinstalled when replacing the version back into production.

230. Which of the following is the MOST important consideration for a contingency facility?

The contingency facility has the same badge access controls as the primary site.

Both the contingency facility and the primary site have the same number of business assets in their inventory.

The contingency facility is located a sufficient distance away from the primary site.

Both the contingency facility and the primary site are easily identifiable.

Page 24 of 36

231. An organization is migrating its HR application to an Infrastructure as a Service (laaS) model in a private cloud.

Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

The cloud provider's external auditor

The cloud provider

The operating system vendor

The organization

232. Which of the following is the PRIMARY basis on which audit objectives are established?

Audit risk

Consideration of risks

Assessment of prior audits

Business strategy

233. The PRIMARY objective of a follow-up audit is to:

assess the appropriateness of recommendations.

verify compliance with policies.

evaluate whether the risk profile has changed.

determine adequacy of actions taken on recommendations.

234. Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Whether there is explicit permission from regulators to collect personal data

The organization's legitimate purpose for collecting personal data

Whether sharing of personal information with third-party service providers is prohibited

The encryption mechanism selected by the organization for protecting personal data

235. Which of the following should be of GREATEST concern to an |$ auditor reviewing data conversion and migration during the implementation of a new application system?

The change management process was not formally documented

Backups of the old system and data are not available online

Unauthorized data modifications occurred during conversion,

Data conversion was performed using manual processes

236. Which of the following should be considered when examining fire suppression systems as part of a data center environmental controls review?

Installation manuals

Onsite replacement availability

Insurance coverage

Maintenance procedures

237. Which of the following would be MOST helpful to an IS auditor performing a risk assessment of an application programming interface (API) that feeds credit scores from a well-known commercial credit agency into an organizational system?

A data dictionary of the transferred data

A technical design document for the interface configuration

The most recent audit report from the credit agency

The approved business case for the API

238. Which of the following is the GREATEST risk of project dashboards being set without sufficiently defined criteria?

Adverse findings from internal and external auditors

Lack of project portfolio status oversight

Lack of alignment of project status reports

Inadequate decision-making and prioritization

239. An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services.

Which of the following would BEST enable the organization to resolve this issue?

Problem management

Incident management

Service level management

Change management

240. Which of the following BEST indicates that an incident management process is effective?

Decreased number of calls to the help desk

Decreased time for incident resolution

Increased number of incidents reviewed by IT management

Increased number of reported critical incidents

Page 25 of 36

241. Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

The DRP has not been formally approved by senior management.

The DRP has not been distributed to end users.

The DRP has not been updated since an IT infrastructure upgrade.

The DRP contains recovery procedures for critical servers only.

242. Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Use an electronic vault for incremental backups

Deploy a fully automated backup maintenance system.

Periodically test backups stored in a remote location

Use both tape and disk backup systems

243. An IS audit reveals an IT application is experiencing poor performance including data inconsistency and integrity issues.

What is the MOST likely cause?

Database clustering

Data caching

Reindexing of the database table

Load balancing

244. The BEST way to evaluate the effectiveness of a newly developed application is to:

perform a post-implementation review-

analyze load testing results.

perform a secure code review.

review acceptance testing results.

245. Which type of threat can utilize a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?

Botnet attack

Data mining

Phishing attempt

Malware sharing

246. From a risk management perspective, which of the following is the BEST approach when implementing a large and complex data center IT infrastructure?

Simulating the new infrastructure before deployment

Prototyping and a one-phase deployment

A deployment plan based on sequenced phases

A big bang deployment with a successful proof of concept

247. An IS auditor is assessing the adequacy of management's remediation action plan.

Which of the following should be the MOST important consideration?

Plan approval by the audit committee

Impacts on future audit work

Criticality of audit findings

Potential cost savings

248. An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Source code version control

Project change management controls

Existence of an architecture review board

Configuration management

249. Which of the following is MOST critical to the success of an information security program?

User accountability for information security

Management's commitment to information security

Integration of business and information security

Alignment of information security with IT objectives

250. During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed.

Which of the following is the BEST way to help management understand the associated risk?

Explain the impact to disaster recovery.

Explain the impact to resource requirements.

Explain the impact to incident management.

Explain the impact to backup scheduling.

Page 26 of 36

251. A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.

Which of the following is the senior auditor s MOST appropriate course of action?

Ask the auditee to retest

Approve the work papers as written

Have the finding reinstated

Refer the issue to the audit director

252. Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

The testing produces a lower number of false positive results

Network bandwidth is utilized more efficiently

Custom-developed applications can be tested more accurately

The testing process can be automated to cover large groups of assets

253. Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Limiting the size of file attachments being sent via email

Automatically deleting emails older than one year

Moving emails to a virtual email vault after 30 days

Allowing employees to store large emails on flash drives

254. An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Examine the workflow to identify gaps in asset-handling responsibilities.

Escalate the finding to the asset owner for remediation.

Recommend the drives be sent to the vendor for destruction.

Evaluate the corporate asset-handling policy for potential gaps.

255. An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors.

Which of the following is the BEST way to prevent this vulnerability from being exploited?

Implement security awareness training.

Install vendor patches

Review hardware vendor contracts.

Review security log incidents.

256. What should be an IS auditor's PRIMARY focus when reviewing a patch management procedure in an environment where availability is a top priority?

Deployment automation to all servers

Technical skills of the deployment team

Comprehensive testing prior to deployment

Validity certification prior to deployment

257. During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?

Post-implementation review phase

Final implementation phase

User acceptance testing (UAT) phase

Design review phase

258. What is the BEST control to address SQL injection vulnerabilities?

Unicode translation

Secure Sockets Layer (SSL) encryption

Input validation

Digital signatures

259. A configuration management audit identified that predefined automated procedures are used when deploying and configuring application infrastructure in a cloud-based environment.

Which of the following is MOST important for the IS auditor to review?

Storage location of configuration management documentation

Processes for making changes to cloud environment specifications

Contracts of vendors responsible for maintaining provisioning tools

Number of administrators with access to cloud management consoles

260. Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?

Invite external auditors and regulators to perform regular assessments of the IS audit function.

Implement rigorous managerial review and sign-off of IS audit deliverables.

Frequently review IS audit policies, procedures, and instruction manuals.

Establish and embed quality assurance (QA) within the IS audit function.

Page 27 of 36

261. Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?

Timely audit execution

Effective allocation of audit resources

Reduced travel and expense costs

Effective risk mitigation

262. Capacity management enables organizations to:

forecast technology trends

establish the capacity of network communication links

identify the extent to which components need to be upgraded

determine business transaction volumes.

263. During an information security review, an IS auditor learns an organizational policy requires all employ-ees to attend information security training during the first week of each new year.

What is the auditor's BEST recommendation to ensure employees hired after January receive adequate guidance regarding security awareness?

Ensure new employees read and sign acknowledgment of the acceptable use policy.

Revise the policy to include security training during onboarding.

Revise the policy to require security training every six months for all employees.

Require management of new employees to provide an overview of security awareness.

264. The PRIMARY advantage of object-oriented technology is enhanced:

efficiency due to the re-use of elements of logic.

management of sequential program execution for data access.

grouping of objects into methods for data access.

management of a restricted variety of data types for a data object.

265. Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Requirements may become unreasonable.

The policy may conflict with existing application requirements.

Local regulations may contradict the policy.

Local management may not accept the policy.

266. An organization's business continuity plan (BCP) should be:

updated before an independent audit review.

tested after an intrusion attempt into the organization's hot site.

tested whenever new applications are implemented.

updated based on changes to personnel and environments.

267. Which of the following concerns is BEST addressed by securing production source libraries?

Programs are not approved before production source libraries are updated.

Production source and object libraries may not be synchronized.

Changes are applied to the wrong version of production source libraries.

Unauthorized changes can be moved into production.

268. Which of the following observations should be of GREATEST concern to an IS auditor assessing access controls for the accounts payable module of a finance system?

Payment files are stored on a shared drive in a writable format prior to processing.

Accounts payable staff have access to update vendor bank account details.

The IS auditor was granted access to create purchase orders.

Configured delegation limits do not align to the organization's delegation’s policy.

269. Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Available resources for the activities included in the action plan

A management response in the final report with a committed implementation date

A heal map with the gaps and recommendations displayed in terms of risk

Supporting evidence for the gaps and recommendations mentioned in the audit report

270. Which of the following is the MOST effective way to detect as many abnormalities as possible during an IS audit?

Conduct a walk-through of the process.

Perform substantive testing on sampled records.

Perform judgmental sampling of key processes.

Use a data analytics tool to identify trends.

Page 28 of 36

271. An organization allows programmers to change production systems in emergency situations without seeking prior approval.

Which of the following controls should an IS auditor consider MOST important?

Programmers' subsequent reports

Limited number of super users

Operator logs

Automated log of changes

272. Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

IT value analysis

Prior audit reports

IT balanced scorecard

Vulnerability assessment report

273. What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Senior management's request

Prior year's audit findings

Organizational risk assessment

Previous audit coverage and scope

274. When auditing the feasibility study of a system development project, the IS auditor should:

review qualifications of key members of the project team.

review the request for proposal (RFP) to ensure that it covers the scope of work.

review cost-benefit documentation for reasonableness.

ensure that vendor contracts are reviewed by legal counsel.

275. An IS auditor is providing input to an RFP to acquire a financial application system.

Which of the following is MOST important for the auditor to recommend?

The application should meet the organization's requirements.

Audit trails should be included in the design.

Potential suppliers should have experience in the relevant area.

Vendor employee background checks should be conducted regularly.

276. When auditing an organization's software acquisition process the BEST way for an IS auditor to understand the software benefits to the organization would be to review the

feasibility study

business case

request for proposal (RFP)

alignment with IT strategy

277. Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Frequent testing of backups

Annual walk-through testing

Periodic risk assessment

Full operational test

278. An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Users are not required to change their passwords on a regular basis

Management does not review application user activity logs

User accounts are shared between users

Password length is set to eight characters

279. Which of the following is a concern associated with virtualization?

The physical footprint of servers could decrease within the data center.

Performance issues with the host could impact the guest operating systems.

Processing capacity may be shared across multiple operating systems.

One host may have multiple versions of the same operating system.

280. An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

indicate whether the organization meets quality standards.

ensure that IT staff meet performance requirements.

train and educate IT staff.

assess IT functions and processes.

Page 29 of 36

281. Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization's corporate network?

The production configuration does not conform to corporate policy.

Responsibility for the firewall administration rests with two different divisions.

Industry hardening guidance has not been considered.

The firewall configuration file is extremely long and complex.

282. Which of the following would MOST effectively help to reduce the number of repealed incidents in an organization?

Testing incident response plans with a wide range of scenarios

Prioritizing incidents after impact assessment.

Linking incidents to problem management activities

Training incident management teams on current incident trends

283. Which of the following BEST facilitates the legal process in the event of an incident?

Right to perform e-discovery

Advice from legal counsel

Preserving the chain of custody

Results of a root cause analysis

284. Which of the following is MOST important to include in security awareness training?

How to respond to various types of suspicious activity

The importance of complex passwords

Descriptions of the organization's security infrastructure

Contact information for the organization's security team

285. Data from a system of sensors located outside of a network is received by the open ports on a server.

Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?

Route the traffic from the sensor system through a proxy server.

Hash the data that is transmitted from the sensor system.

Implement network address translation on the sensor system.

Transmit the sensor data via a virtual private network (VPN) to the server.

286. An organization has partnered with a third party to transport backup drives to an offsite storage facility.

Which of the following is MOST important before sending the drives?

Creating a chain of custody to accompany the drive in transit

Ensuring data protection is aligned with the data classification policy

Encrypting the drive with strong protection standards

Ensuring the drive is placed in a tamper-evident mechanism

287. The GREATEST benefit of using a polo typing approach in software development is that it helps to:

minimize scope changes to the system.

decrease the time allocated for user testing and review.

conceptualize and clarify requirements.

Improve efficiency of quality assurance (QA) testing

288. An organization has outsourced its data processing function to a service provider.

Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Assessment of the personnel training processes of the provider

Adequacy of the service provider's insurance

Review of performance against service level agreements (SLAs)

Periodic audits of controls by an independent auditor

289. When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:

the organization's web server.

the demilitarized zone (DMZ).

the organization's network.

the Internet

290. An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied.

Which of the following should be of MOST concern to the auditor?

Log feeds are uploaded via batch process.

Completeness testing has not been performed on the log data.

The log data is not normalized.

Data encryption standards have not been considered.

Page 30 of 36

291. An IS auditor is reviewing a network diagram.

Which of the following would be the BEST location for placement of a firewall?

Between each host and the local network switch/hub

Between virtual local area networks (VLANs)

Inside the demilitarized zone (DMZ)

At borders of network segments with different security levels

292. An IS auditor is reviewing the security of a web-based customer relationship management (CRM) system that is directly accessed by customers via the Internet, which of the following should be a concern for the auditor?

The system is hosted on an external third-party service provider’s server.

The system is hosted in a hybrid-cloud platform managed by a service provider.

The system is hosted within a demilitarized zone (DMZ) of a corporate network.

The system is hosted within an internal segment of a corporate network.

293. Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

Design and application of key controls in public audit

Security strategy in public cloud Infrastructure as a Service (IaaS)

Modern encoding methods for digital communications

Technology and process life cycle for digital certificates and key pairs

294. An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes.

Which of the following findings should be the auditor's GREATEST concern?

Key business process end users did not participate in the business impact " analysis (BIA)

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

A test plan for the BCP has not been completed during the last two years

295. When assessing the overall effectiveness of an organization's disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?

Management contracts with a third party for warm site services.

Management schedules an annual tabletop exercise.

Management documents and distributes a copy of the plan to all personnel.

Management reviews and updates the plan annually or as changes occur.

296. An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process.

To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Data with customer personal information

Data reported to the regulatory body

Data supporting financial statements

Data impacting business objectives

297. Which of the following should be an IS auditor's PRIMARY focus when auditing the implementation of a new IT operations performance monitoring system?

Reviewing whether all changes have been implemented

Validating whether baselines have been established

Confirming whether multi-factor authentication (MFA) is deployed as part of the operational enhancements

Determining whether there is a process for annual review of the maintenance manual

298. Which of the following is MOST critical for the effective implementation of IT governance?

Strong risk management practices

Internal auditor commitment

Supportive corporate culture

Documented policies

299. A system performance dashboard indicates several application servers are reaching the defined threshold for maximum CPU allocation.

Which of the following would be the IS auditor's BEST recommendation for the IT department?

Increase the defined processing threshold to reflect capacity consumption during normal operations.

Notify end users of potential disruptions caused by degradation of servers.

Terminate both ingress and egress connections of these servers to avoid overload.

Validate the processing capacity of these servers is adequate to complete computing tasks.

300. Controls related to authorized modifications to production programs are BEST tested by:

tracing modifications from the original request for change forward to the executable program.

tracing modifications from the executable program back to the original request for change.

testing only the authorizations to implement the new program.

reviewing only the actual lines of source code changed in the program.

Page 31 of 36

301. Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

Classifies documents to correctly reflect the level of sensitivity of information they contain

Defines the conditions under which documents containing sensitive information may be transmitted

Classifies documents in accordance with industry standards and best practices

Ensures documents are handled in accordance With the sensitivity of information they contain

302. While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level.

What is the MOST effective way for the organization to improve this situation?

Use automatic document classification based on content.

Have IT security staff conduct targeted training for data owners.

Publish the data classification policy on the corporate web portal.

Conduct awareness presentations and seminars for information classification policies.

303. An IS auditor assessing the controls within a newly implemented call center would First

gather information from the customers regarding response times and quality of service.

review the manual and automated controls in the call center.

test the technical infrastructure at the call center.

evaluate the operational risk associated with the call center.

304. A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged.

Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

Trace a sample of complete PCR forms to the log of all program changes

Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date

Review a sample of PCRs for proper approval throughout the program change process

Trace a sample of program change from the log to completed PCR forms

305. In an area susceptible to unexpected increases in electrical power, which of the following would MOST effectively protect the system?

Generator

Voltage regulator

Circuit breaker

Alternate power supply line

306. Which of the following is the BEST disposal method for flash drives that previously stored confidential data?

Destruction

Degaussing

Cryptographic erasure

Overwriting

307. Which of the following BEST helps to ensure data integrity across system interfaces?

Environment segregation

Reconciliation

System backups

Access controls

308. Which of the following is the BEST reason to implement a data retention policy?

To limit the liability associated with storing and protecting information

To document business objectives for processing data within the organization

To assign responsibility and ownership for data protection outside IT

To establish a recovery point detective (RPO) for (toaster recovery procedures

309. Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

Business management

Internal auditor

Risk management

ITC manager

310. In a data center audit, an IS auditor finds that the humidity level is very low.

The IS auditor would be MOST concerned because of an expected increase in:

risk of fire.

backup tape failures.

static electricity problems.

employee discomfort.

Page 32 of 36

311. An employee loses a mobile device resulting in loss of sensitive corporate data.

Which of the following would have BEST prevented data leakage?

Data encryption on the mobile device

Complex password policy for mobile devices

The triggering of remote data wipe capabilities

Awareness training for mobile device users

312. Which of the following provides the MOST useful information to an IS auditor when selecting projects for inclusion in an IT audit plan?

A. Project charter

B. Project plan

C. Project issue log

D. Project business case

313. In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Implementation

Development

Feasibility

Design

314. Which of the following is the BEST way to ensure a vendor complies with system security requirements?

Require security training for vendor staff.

Review past incidents reported by the vendor.

Review past audits on the vendor's security compliance.

Require a compliance clause in the vendor contract.

315. An IS auditor discovers that backups of critical systems are not being performed in accordance with the recovery point objective (RPO) established in the business continuity plan (BCP).

What should the auditor do NEXT?

Request an immediate backup be performed.

Expand the audit scope.

Identify the root cause.

Include the observation in the report.

316. in a post-implantation Nation review of a recently purchased system it is MOST important for the iS auditor to determine whether the:

stakeholder expectations were identified

vendor product offered a viable solution.

user requirements were met.

test scenarios reflected operating activities.

317. Which of the following physical controls provides the GREATEST assurance that only authorized individuals can access a data center?

The data center is patrolled by a security guard.

Access to the data center is monitored by video cameras.

ID badges must be displayed before access is granted

Access to the data center is controlled by a mantrap.

318. Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?

Findings from prior audits

Results of a risk assessment

An inventory of personal devices to be connected to the corporate network

Policies including BYOD acceptable user statements

319. Which type of attack poses the GREATEST risk to an organization's most sensitive data?

Password attack

Eavesdropping attack

Insider attack

Spear phishing attack

320. An IS auditor finds a user account where privileged access is not appropriate for the user’s role.

Which of the following would provide the BEST evidence to determine whether the risk of this access has been exploited?

Activity log for the account

Interview with the user's manager

Last logon date for the account

Documented approval for the account

Page 33 of 36

321. Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?

Insufficient processes to track ownership of each EUC application?

Insufficient processes to lest for version control

Lack of awareness training for EUC users

Lack of defined criteria for EUC applications

322. Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model.

Which of the following is the IS auditor's BEST recommendation?

Create regional centers of excellence.

Engage an IT governance consultant.

Create regional IT steering committees.

Update the IT steering committee's formal charter.

323. Which of the following BEST demonstrates alignment of the IT department with the corporate mission?

Analysis of IT department functionality

Biweekly reporting to senior management

Annual board meetings

Quarterly steering committee meetings

324. In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and analyze transaction processing is:

integrated test facility (ITF).

parallel simulation.

transaction tagging.

embedded audit modules.

325. Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only.

Which of the following did the IS auditor potentially compromise?

Proficiency

Due professional care

Sufficient evidence

Reporting

326. A third-party consultant is managing the replacement of an accounting system.

Which of the following should be the IS auditor's GREATEST concern?

Data migration is not part of the contracted activities.

The replacement is occurring near year-end reporting

The user department will manage access rights.

Testing was performed by the third-party consultant

327. Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?

Compliance testing

Stop-or-go sampling

Substantive testing

Variable sampling

328. During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers.

How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

Review compliance with data loss and applicable mobile device user acceptance policies.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

Verify employees have received appropriate mobile device security awareness training.

329. How does a continuous integration/continuous development (CI/CD) process help to reduce software failure risk?

Easy software version rollback

Smaller incremental changes

Fewer manual milestones

Automated software testing

330. An audit has identified that business units have purchased cloud-based applications without IPs support.

What is the GREATEST risk associated with this situation?

The applications are not included in business continuity plans (BCFs)

The applications may not reasonably protect data.

The application purchases did not follow procurement policy.

The applications could be modified without advanced notice.

Page 34 of 36

331. Which of the following is MOST important for an IS auditor to consider when performing the risk assessment poor to an audit engagement?

The design of controls

Industry standards and best practices

The results of the previous audit

The amount of time since the previous audit

332. An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated.

Which of the following should be the GREATEST concern?

Availability of the user list reviewed

Confidentiality of the user list reviewed

Source of the user list reviewed

Completeness of the user list reviewed

333. An IS auditor finds that while an organization's IT strategy is heavily focused on research and development, the majority of protects n the IT portfolio focus on operations and maintenance.

Which of the Mowing is the BEST recommendation?

Align the IT strategy will business objectives

Review priorities in the IT portfolio

Change the IT strategy to focus on operational excellence.

Align the IT portfolio with the IT strategy.

334. An organization's security team created a simulated production environment with multiple vulnerable applications.

What would be the PRIMARY purpose of creating such an environment?

To test the intrusion detection system (IDS)

To provide training to security managers

To collect digital evidence of cyberattacks

To attract attackers in order to study their behavior

335. Following an IT audit, management has decided to accept the risk highlighted in the audit report.

Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?

A communication plan exists for informing parties impacted by the risk.

Potential impact and likelihood are adequately documented.

Identified risk is reported into the organization's risk committee.

Established criteria exist for accepting and approving risk.

336. Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Review of monthly performance reports submitted by the vendor

Certifications maintained by the vendor

Regular independent assessment of the vendor

Substantive log file review of the vendor's system

337. During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization.

Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Key performance indicators (KPIs)

Mean time to restore (MTTR)

Maximum allowable downtime (MAD)

Recovery point objective (RPO)

338. Which of the following should be identified FIRST during the risk assessment process?

Vulnerability to threats

Existing controls

Information assets

Legal requirements

339. What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Perform background verification checks.

Review third-party audit reports.

Implement change management review.

Conduct a privacy impact analysis.

340. An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company.

Which of the following would be MOST helpful In determining the effectiveness of the framework?

Sell-assessment reports of IT capability and maturity

IT performance benchmarking reports with competitors

Recent third-party IS audit reports

Current and previous internal IS audit reports

Page 35 of 36

341. Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Implementing the remediation plan

Partially completing the CSA

Developing the remediation plan

Developing the CSA questionnaire

342. An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget.

Which of the following is the GREATEST risk to communicate to senior management?

Noncompliance with project methodology

Inability to achieve expected benefits

Increased staff turnover

Project abandonment

343. When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:

database conflicts are managed during replication.

end users are trained in the replication process.

the source database is backed up on both sites.

user rights are identical on both databases.

344. Which of the following cloud capabilities BEST enables an organization to meet unexpectedly high service demand?

Scalability

High availability

Alternate routing

Flexibility

345. Which of the following findings would be of GREATEST concern to an IS auditor reviewing the security architecture of an organization that has just implemented a Zero Trust solution?

An increase in security-related costs

User complaints about the new mode of working

An increase in user identification errors

A noticeable drop in the performance of IT systems

346. The waterfall life cycle model of software development is BEST suited for which of the following situations?

The protect requirements are wall understood.

The project is subject to time pressures.

The project intends to apply an object-oriented design approach.

The project will involve the use of new technology.

347. Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

Deviation detection

Cluster sampling

Random sampling

Classification

348. Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

Independence

Integrity

Materiality

Accountability

349. The PRIMARY responsibility of a project steering committee is to:

sign off on the final build document.

ensure that each project deadline is met.

ensure that developed systems meet business needs.

provide regular project updates and oversight.

350. Which of the following is the MOST important responsibility of user departments associated with program changes?

Providing unit test data

Analyzing change requests

Updating documentation lo reflect latest changes

Approving changes before implementation

Page 36 of 36

351. An IS auditor wants to inspect recent events in a system to observe failed authentications and password changes.

Which of the following is the MOST appropriate method to use for this purpose?

Penetration testing

Authenticated scanning

Change management records

System log review

352. Which of the following is the BEST indication of effective governance over IT infrastructure?

The ability to deliver continuous, reliable performance

A requirement for annual security awareness programs

An increase in the number of IT infrastructure servers

A decrease in the number of information security incidents

353. Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Logs are being collected in a separate protected host

Automated alerts are being sent when a risk is detected

Insider attacks are being controlled

Access to configuration files Is restricted.

354. In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:

allocation of IT staff.

project management methodologies used.

major IT initiatives.

links to operational tactical plans.

355. Which of the following should be done FIRST when planning to conduct internal and external penetration testing for a client?

Establish the timing of testing.

Identify milestones.

Determine the test reporting

Establish the rules of engagement.

356. To confirm integrity for a hashed message, the receiver should use:

the same hashing algorithm as the sender's to create a binary image of the file.

a different hashing algorithm from the sender's to create a binary image of the file.

the same hashing algorithm as the sender's to create a numerical representation of the file.

a different hashing algorithm from the sender's to create a numerical representation of the file.

357. Which of the following BEST enables alignment of IT with business objectives?

Benchmarking against peer organizations

Developing key performance indicators (KPIs)

Completing an IT risk assessment

Leveraging an IT governance framework

358. An organization has an acceptable use policy in place, but users do not formally acknowledge the policy.

Which of the following is the MOST significant risk from this finding?

Lack of data for measuring compliance

Violation of industry standards

Noncompliance with documentation requirements

Lack of user accountability

TAGS:

CISA, CISA exam dumps

Notify of

Label

Name*

Email*

Website

Label

Name*

Email*

Website

0 Comments

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Get CISA Dumps Full Version

Q&As: 1196
Versions: PDF and Software Download Now

About Dumpsinfo

Dumpsinfo is a good platform providing the latest exam information and dumps questions for all IT certification exams. You can study all the latest exam dumps questions online.

[email protected]

Mon - Sat 9:00am - 6:00pm

ISACA CISA Exam Questions Simulate Actual CISA Exam

Related

Posts

CGEIT Exam Dumps – Reliable Way to Pass and Get Certified

Pass Cybersecurity Audit Certificate Exam to Get ISACA Certification

COBIT 2019 Dumps Guarantee You Pass COBIT 2019 Exam Easily

About Us

EMAIL

Services

Opening Hours