Q1} Which of the following is MOST important for an IS auditor to ensure when evaluating an
organization's end-user computing (EUC) policy as part of an IT governance audit?
The EUC policy supports business objectives.
The EUC policy is covered in onboarding and awareness training.
The EUC policy identifies control procedures.
The EUC policy requires signed acknowledgment by users.
Q2} An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor
and identifies one transaction with a value five times as high as the average transaction. Which
of the following should the auditor do NEXT?
Increase the sample size to 100% of the population.
Exclude the transaction from the sample population.
Report the variance immediately to the audit committee.
Request an explanation of the variance from the auditee.
Q3} Which of the following is MOST important to consider when developing a service level
agreement (SLA)?
Provisions for regulatory requirements that impact the end users' businesses
Detailed identification of work to be completed
Description of the services from the viewpoint of the client organization
Description of the services from the viewpoint of the provider
Q4} Which of the following is MOST important to determine when conducting an audit of an
organization's data privacy practices?
Whether strong encryption algorithms are deployed for personal data protection
Whether privacy technologies are implemented for personal data protection
Whether the systems inventory containing personal data is maintained
Whether a disciplinary process is established for data privacy violations
Q5} Which of the following access control techniques is MOST difficult for an intruder to
compromise?
USB token and password
Airlock entrance and swipe card
Smart card and numeric keypad
Biometrics and PIN
Q6} A firewall between internal network segments improves security and reduces risk by:
logging all packets passing through network segments.
monitoring and reporting on sessions between network participants.
inspecting all traffic flowing between network segments and applying security policies.
ensuring all connecting systems have appropriate security controls enabled.
Q7} Which of the following is the BEST reason for an IS auditor to emphasize to management
the importance of using an IT governance framework?
Frameworks help facilitate control self-assessments (CSAs).
Frameworks can be tailored and optimized for different organizations.
Frameworks enable IT benchmarks against competitors.
Frameworks help organizations understand and manage IT risk.
Q8} Which of the following should be of GREATEST concern to an IS auditor when auditing an
organization's IT strategy development process?
Information security was not included as a key objective in the IT strategic plan.
The IT strategy was developed based on the current IT capability.
The IT strategy was developed before the business plan.
A business impact analysis (BIA) was not performed to support the IT strategy.
Q9} An organization is implementing a data loss prevention (DLP) system in response to a new
regulatory requirement. Reviewing which of the following would be MOST helpful in evaluating
the system's design?
Enterprise architecture (EA)
Industry trends
Historical record of data breaches
System manuals
Q10} The charging method that effectively encourages the MOST efficient use of IS resources is:
total utilization to achieve full operating capacity.
residual income in excess of actual incurred costs.
specific charges that can be tied back to specific usage.
allocations based on the ability to absorb charges.
Q11} The use of access control lists (ACLs) is the MOST effective method to mitigate security risk
for routers because they:
are recommended by security standards.
act as filters between the world and the network.
can limit Telnet and traffic from the open Internet.
can detect cyberattacks.
Q12} Which of the following is MOST appropriate to review when determining if the work
completed on an IT project is in alignment with budgeted costs?
Business impact analysis (BIA)
Earned value analysis (EVA)
Return on investment (ROI) analysis
Financial value analysis
Q13} During a database management evaluation, an IS auditor discovers that some accounts
with database administrator (DBA) privileges have been assigned a default password with an
unlimited number of failed login attempts. Which of the following is the auditor's BEST course of
action?
Postpone the audit until adequate security and password management practices are established.
Identify accounts that have had excessive failed login attempts and request they be disabled.
Request the IT manager to change administrator security parameters and update the finding.
Document the finding and explain the risk of having administrator accounts with inappropriate
security settings.
Q14} Which of the following database models is MOST appropriate to use when handling a large
number of transactions that need to be readily accessible?
Network
Hierarchical
Object
Relational
Q15} Which of the following is the GREATEST benefit of an effective data classification process?
Appropriate ownership over data is assigned.
Data custodians are identified.
Data retention periods are well defined.
Data is protected according to its sensitivity.
Q16} As part of the architecture of virtualized environments, in a bare metal or native
virtualization the hypervisor runs without:
any applications on the host operating system.
any applications on the guest operating system.
a guest operating system.
a host operating system.
Q17} Which of the following is MOST important to include in security awareness training?
The importance of complex passwords
Contact information for the organization's security team
Descriptions of the organization's security infrastructure
How to respond to various types of suspicious activity
Q18} Which of the following is MOST important to include in a contract to outsource data
processing that involves customer personally identifiable information (PII)?
The vendor must provide an independent report of its data processing facilities.
The vendor must compensate the organization if service levels are not met.
The vendor must comply with the organization's legal and regulatory requirements.
The vendor must sign a nondisclosure agreement (NDA) with the organization.
Q19} The PRIMARY reason for prohibiting developers from having access to the production
system environment is to prevent a developer from:
modifying production systems without proper authorization.
compiling codes in the production server to avoid excessive CPU usage.
accidentally copying test data to a production system data server.
colluding with production support to steal sensitive information.
Q20} Which of the following should an IS auditor expect to find when reviewing an IT balanced
scorecard?
An assessment of how senior management evaluates the IT department
An assessment of business processes
An assessment of controls needed to mitigate risks
An assessment of how senior management evaluates IT portfolio performance
Q21} Which of the following is the BEST indication that an information security awareness
program is effective?
A reduction in the number of information security attacks
A reduction in the cost of maintaining the information security program
A reduction in the success rate of social engineering attacks
A reduction in the number of reported information security incidents
Q22} In planning a major system development project, function point analysis would assist in:
determining the business functions undertaken by a system or program.
analyzing the functions undertaken by system users as an aid to job redesign.
estimating the size of a system development task.
estimating the elapsed time of the project.
Q23} Which of the following is MOST important to determine when conducting an audit of an
organization's data privacy practices?
Whether strong encryption algorithms are deployed for personal data protection
Whether the systems inventory containing personal data is maintained
Whether privacy technologies are implemented for personal data protection
Whether a disciplinary process is established for data privacy violations
Q24} Which of the following provides the BEST evidence of effective IT portfolio management?
The IT portfolio is updated as business strategy changes.
Programs in the IT portfolio are prioritized by each business function.
The IT portfolio is updated on the basis of current industry benchmarks.
IT portfolio updates are communicated when approved.
Q25} Which of the following should be of MOST concern to an IS auditor when reviewing the
protection of data?
Classified data is not encrypted.
Data is not properly classified.
The classification scheme is not published.
Passwords are not changed regularly.
Q26} When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
When a violation of a regulatory requirement has been identified
When planning an audit engagement
When gathering information for the fieldwork
When evaluating representations from the auditee
Q27} Which of the following is the GREATEST concern associated with IS risk-based auditing
when audit resources are limited?
The audit schedule may become too predictable.
Conducting risk assessments may reduce the time available for auditing.
Some business processes may not be audited.
There may be significant delays in responding to management audit requests.
Q28} The quality assurance (QA) team is testing a new e-ticketing application prior to go live to
ensure that sales tax is calculated and applied correctly. Which of the following should be of
GREATEST concern?
User acceptance criteria for the test performed are not clearly defined.
The project manager wants to delay implementation by a few days.
The tax schedules are not uploaded into the production database.
User procedures to manage the e-ticketing application are still being drafted.
Q29} A source code repository should be designed to:
prevent changes from being incorporated into existing code.
provide automatic incorporation and distribution of modified code.
prevent developers from accessing secure source code.
provide secure versioning and backup capabilities for existing code.
Q30} Which of the following is MOST important for an IS auditor to review when assessing the
integrity of encryption controls for data at rest?
Frequency of encryption key changes
Encryption of test data
Length of encryption keys
Protection of encryption keys
Q31} Which of the following is the BEST way to reduce the risk associated with inadequate
segregation of duties for privileged users?
Require prior authorization of privileged users' actions.
Implement remote logging with independent monitoring.
Implement keystroke logging.
Use data loss prevention (DLP) software.
Q32} An IS auditor finds that the cost of developing an application is now projected to
significantly exceed the budget. Which of the following is the GREATEST risk to communicate to
senior management?
Noncompliance with project methodology
Project abandonment
Increased staff turnover
Inability to achieve expected benefits
Q33} Which of the following is the PRIMARY reason for an IS auditor to perform a risk
assessment while executing a risk-based IS audit strategy?
It helps to identify areas that are most sensitive to fraudulent practices.
It helps to identify areas with relatively high probability of material problems.
It increases awareness of the types of management actions that may be inappropriate.
It ensures adherence to global audit standards.
Q34} An organization recently implemented a data warehouse that is pulling data from
geographically dispersed sources. Updates are not synchronized due to time zone differences.
Which of the following controls would MOST likely compensate for the lack of synchronization?
Backup controls
Concurrency controls
Discretionary access controls
Normalization controls
Q35} Which of the following is the BEST method for reducing data redundancy in a database?
Transaction logging
Data normalization
Periodic data review
Concurrent controls
Q36} Which of the following is the PRIMARY purpose of obtaining a baseline image during an
operating system audit?
To identify atypical running processes
To verify the integrity of operating system backups
To verify antivirus definitions
To identify local administrator account access
Q37} During which of the following processes would an IS auditor identify and evaluate the
design of IT controls?
Walk-throughs
Pre-audit discussions
Validation of factual accuracy
Review of prior year documentation
Q38} Which of the following is the MOST effective accuracy control for entry of a valid numeric
part number?
Hash totals
Online review of description
Self-checking digit
Comparison to historical order pattern
Q39} Once a security policy is approved by key stakeholders, the NEXT step should be to:
validate it against security standards.
update it according to schedule.
integrate it into the security awareness program.
share it with external auditors.
Q40} An IS auditor is reviewing the service agreement with a technology company that provides
IT help desk services to the organization. Which of the following monthly performance metrics
is the BEST indicator of service quality?
The percent of issues resolved by the first contact
The average turnaround time spent on each reported issue
The total number of users requesting help desk services
The average call waiting time on each request
Q41} Which of the following is the GREATEST benefit of an effective data classification process?
Appropriate ownership over data is assigned.
Data custodians are identified.
Data retention periods are well defined.
Data is protected according to its sensitivity.
Q42} Exception reports generated by application processing are MOST likely to trigger
processes related to:
incident management.
change management.
project management.
configuration management.
Q43} How can an organization authorize traffic from remote users to corporate network
resources while ensuring traffic is encrypted and travels through a secure tunnel?
Ensuring all external traffic is routed through a perimeter firewall with user authentication
Requiring the use of a thin client to connect directly to the server
Requiring connections via a virtual private network (VPN) connection with a trusted certificate
Validating all data transfer requests through an encrypted reverse proxy
Q44} An organization considering the outsourcing of a business application should FIRST:
perform a vulnerability assessment.
define service level requirements.
issue a request for proposal (RFP).
conduct a cost-benefit analysis.
Q45} An IS auditor has been asked to review an organization's IT resource management
practices. Which of the following findings should be of GREATEST concern?
The lack of a confidentiality agreement for IT management
Insufficient IT training
An undocumented IT strategy
An existing vacancy for an IT administrator
Q46} When reviewing an ongoing business process reengineering (BPR) project, which of the
following should be an IS auditor's GREATEST concern?
Control gaps are created but not addressed.
Existing processes may not be fully documented.
A business impact analysis (BIA) may not be carried out.
Additional cost may be required to stabilize the process.
Q47} Which of the following presents the GREATEST concern for an organization transitioning
from a partially remote to a fully remote operating model?
Remote connection infrastructure capacity has not been tested for the workload.
Remote connection software licenses expire within the year and renewal costs are expected to
increase.
Employees have not been required to increase the complexity of their system passwords.
Employees using personal devices for access have not received additional security training.
Q48} As part of the architecture of virtualized environments, in a bare metal or native
virtualization the hypervisor runs without:
a guest operating system.
any applications on the guest operating system.
any applications on the host operating system.
a host operating system.
Q49} Which of the following would be an auditor's GREATEST concern when reviewing data
inputs from spreadsheets into the core finance system?
The department data protection policy has not been reviewed or updated for two years.
Undocumented code formats data and transmits directly to the database.
Spreadsheets are accessible by all members of the finance department.
There is not a complete inventory of spreadsheets, and file naming is inconsistent.
Q50} When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
When gathering information for the fieldwork
When evaluating representations from the auditee
When planning an audit engagement
When a violation of a regulatory requirement has been identified
Q51} An organization is implementing a data loss prevention (DLP) system in response to a new
regulatory requirement. Reviewing which of the following would be MOST helpful in evaluating
the system's design?
Enterprise architecture (EA)
Industry trends
System manuals
Historical record of data breaches
Q52} Which of the following is the GREATEST benefit related to disaster recovery for an
organization that has converted its infrastructure to a virtualized environment?
Virtual servers reduce the time and complexity associated with backup procedures.
Virtual servers decrease the recovery time objective (RTO).
Virtual servers eliminate the need to verify backups.
Virtual servers can be recreated on similar hardware faster than restoring from backups.
Q53} Management states that a recommendation made during a prior audit has been
implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the
following is the auditor's MOST appropriate course of action?
Perform testing or other audit procedures to confirm the status of the original risk.
Report to audit management that the actions taken have not effectively addressed the original
risk.
Make an additional recommendation on how to remediate the finding.
Recommend external verification of management's preferred actions.
Q54} A fire alarm system has been installed in the computer room. The MOST effective location
for the fire alarm control panel would be inside the:
booth used by the building security personnel.
computer room closest to the server computers.
system administrator's office.
computer room closest to the uninterruptible power supply (UPS) module.
Q55} Transaction records from a business database were inadvertently deleted, and system
operators decided to restore from a snapshot copy. Which of the following provides the BEST
assurance that the transactions were recovered successfully?
Compare transaction values against external statements to verify accuracy.
Review transaction recovery logs to ensure no errors were recorded.
Recount the transaction records to ensure no records are missing.
Rerun the process on a backup machine to verify the results are the same.
Q56} Which of the following should be of GREATEST concern to an IS auditor when reviewing
the quality of business intelligence reports generated from a data warehouse?
Data quality reports are generated from the data warehouse in nightly batches.
Data errors in the reports are corrected within the data warehouse.
Data errors are not consistently reviewed by IT personnel.
Data quality reports do not provide real-time insight into business trends.
Q57} Which of the following should an IS auditor recommend be done FIRST when an
organization is made aware of a new regulation that is likely to impact IT security requirements?
Evaluate how security awareness and training content may be impacted.
Review the design and effectiveness of existing IT controls.
Determine which systems and IT-related processes may be impacted.
Update security policies based on the new regulation.
Q58} Which of the following BEST addresses the availability of an online store?
A mirrored site at another location
RAID level 5 storage devices
Online backups
Clustered architecture
Q59} As part of the architecture of virtualized environments, in a bare metal or native
virtualization the hypervisor runs without:
a host operating system.
a guest operating system.
any applications on the host operating system.
any applications on the guest operating system.
Q60} Which of the following areas is MOST important for an IS auditor to focus on when
reviewing the maturity model for a technology organization?
Standard operating procedures
Service level agreements (SLAs)
Roles and responsibility matrix
Business resiliency
Q61} A finance department has a multi-year project to upgrade the enterprise resource
planning (ERP) system hosting the general ledger, and in year one, the system version upgrade
will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing
the first year of the project?
Regression testing
User acceptance testing (UAT)
Unit testing
Network performance testing
Q62} Which type of attack targets security vulnerabilities in web applications to gain access to
data sets?
Rootkits
SQL injection
Phishing attacks
Denial of service (DoS)
Q63} An organization uses public key infrastructure (PKI) to provide email security. Which of the
following would be the MOST efficient method to determine whether email messages have
been modified in transit?
The message is encrypted using a symmetric algorithm.
The message is sent along with an encrypted hash of the message.
The message is encrypted using the private key of the sender.
The message is sent using Transport Layer Security (TLS) protocol.
Q64} Which of the following architectural components is MOST relevant for understanding the
security profile of a new software platform on the cloud?
Virtual network infrastructure design
Computing and storage configurations
Application-to-database connectivity
Backup and restoration capabilities
Q65} Which of the following should be an IS auditor's GREATEST concern when a data owner
assigns an incorrect classification level to data?
Data may not be encrypted by the system administrator.
Controls to adequately safeguard the data may not be applied.
Competitors may be able to view the data.
Control costs may exceed the intrinsic value of the IT asset.
Q66} A firewall between internal network segments improves security and reduces risk by:
ensuring all connecting systems have appropriate security controls enabled.
monitoring and reporting on sessions between network participants.
logging all packets passing through network segments.
inspecting all traffic flowing between network segments and applying security policies.
Q67} Which of the following actions would be MOST appropriate for an IS auditor to consider
when given feedback that a recently completed audit did not consider inherently high-risk
controls?
Identify new risks to the process that were not considered in the review.
Determine if the planning steps align with industry best practices.
Re-communicate the audit results to the auditee.
Conduct a lessons learned activity including internal audit management.
Q68} Which of the following is MOST likely to increase non-sampling risk?
Improperly stratified populations
Inappropriate materiality ratings
Poor knowledge of the audit process
Decreased tolerance rate
Q69} An organization is migrating its HR application to an Infrastructure as a Service (IaaS)
model in a private cloud. Who is PRIMARILY responsible for the security configurations of the
deployed application's operating system?
The cloud provider
The operating system vendor
The organization
The cloud provider's external auditor
Q70} Which of the following BEST enables an organization to determine the effectiveness of its
information security awareness program?
Reviewing security staff performance evaluations
Evaluating the results of a social engineering exercise
Measuring user satisfaction with the quality of the training
Performing an analysis of the number of help desk calls
Q71} Which of the following should be done FIRST to minimize the risk of unstructured data?
Implement strong encryption for unstructured data.
Implement user access controls to unstructured data.
Purchase tools to analyze unstructured data.
Identify repositories of unstructured data.
Q72} Which of the following represents the GREATEST risk to virtualized environments?
Hypervisors may be a single point of failure.
Servers may only be accessed remotely.
Virtual servers may not have the latest security updates.
Account reviews may not be performed for guest operating systems.
Q73} Which of the following is an IS auditor's BEST recommendation to mitigate the risk of
eavesdropping associated with an application programming interface (API) integration
implementation?
Implement Simple Object Access Protocol (SOAP).
Mask the API endpoints.
Encrypt the extensible markup language (XML) file.
Implement Transport Layer Security (TLS).
Q74} Which of the following should be of GREATEST concern to an IS auditor when auditing an
organization's IT strategy development process?
The IT strategy was developed before the business plan.
A business impact analysis (BIA) was not performed to support the IT strategy.
The IT strategy was developed based on the current IT capability.
Information security was not included as a key objective in the IT strategic plan.
Q75} Which of the following would be MOST important to include in an IS audit report?
Specific technology solutions for each audit observation
The roadmap for addressing the various risk areas
The level of unmitigated risk along with business impact
Observations not reported as findings due to inadequate evidence
Q76} An IS auditor learns of organizational changes that might impact the annual audit plan.
Which of the following is the auditor's BEST course of action?
Modify the current audit plan.
Notify the audit committee of the changes.
Assess the impact of the changes on the audit plan.
Modify the audit plan after the changes occur.
Q77} What should an IS auditor ensure when a financial organization intends to utilize
production data in the testing environment?
The data utilized is complete.
The data utilized is accurate.
The data utilized is current.
The data utilized is de-identified.
Q78} Which of the following is the GREATEST benefit of an effective data classification process?
Data is protected according to its sensitivity.
Appropriate ownership over data is assigned.
Data retention periods are well defined.
Data custodians are identified.
Q79} Which of the following is the MOST effective control to protect the integrity of database
activity logs?
Logs are periodically monitored and reviewed.
Read-only access to logs is granted to personnel.
Log access is restricted via multi-factor authentication.
Sensitive data contained in the logs is masked.
Q80} Which of the following should be of concern to an IS auditor reviewing an organization's
network to ensure attack vectors from the Internet are minimized?
A data loss prevention (DLP) system is behind the organization's firewalls.
The organization's email server is in the demilitarized zone (DMZ).
The organization employs different types of firewalls in the demilitarized zone (DMZ).
A router is Internet-facing at the network perimeter.
Q81} When testing the accuracy of transaction data, which of the following situations BEST
justifies the use of a smaller sample size?
The IS audit staff has a high level of experience.
Proper segregation of duties is in place.
The data can be directly changed by users.
It is expected that the population is error-free.
Q82} Which of the following provides the MOST useful information for performing a business
impact analysis (BIA)?
Inventory of relevant business processes
Documentation of application configurations
Results of business resumption planning efforts
Policies for business procurement
Q83} Which of the following should be of GREATEST concern to an IS auditor who is assessing an
organization's configuration and release management process?
There is no centralized configuration management database (CMDB).
All changes require middle and senior management approval.
The organization does not use an industry-recognized methodology.
Changes and change approvals are not documented.
Q84} Which of the following is the MOST cost-effective way to determine the effectiveness of a
business continuity plan (BCP)?
Stress test
Post-implementation review
Full operational test
Tabletop exercise
Q85} An organization has decided to outsource a critical application due to a lack of specialized
resources. Which risk response has been adopted?
Mitigation
Sharing
Acceptance
Avoidance
Q86} While conducting a post-implementation review, an IS auditor determines that a key
deliverable was not met. What should the auditor do FIRST?
Document the issue and mark the project as incomplete.
Review lessons learned to verify whether the issue was documented.
Work with the project manager to determine the root cause.
Report the unmet deliverable to senior management.
Q87} Which of the following IT processes should be correlated to incidents as the BEST way to
support continuous improvement in service management?
Incident management
Change management
Problem management
Risk management
Q88} What is the PRIMARY benefit of using one-time passwords?
Users do not have to memorize complex passwords.
An intercepted password cannot be reused.
Security for applications can be automated.
Users cannot be locked out of an account.
Q89} Which of the following should an IS auditor expect to find when reviewing an IT balanced
scorecard?
An assessment of business processes
An assessment of how senior management evaluates the IT department
An assessment of how senior management evaluates IT portfolio performance
An assessment of controls needed to mitigate risks
Q90} A web application is developed in-house by an organization. Which of the following would
provide the BEST evidence to an IS auditor that the application is secure from external attack?
Database application monitoring logs
Code review by a third party
Web application firewall implementation
Penetration test results
Q91} In planning a major system development project, function point analysis would assist in:
estimating the elapsed time of the project.
estimating the size of a system development task.
analyzing the functions undertaken by system users as an aid to job redesign.
determining the business functions undertaken by a system or program.
Q92} Which of the following is MOST important to have in place to manage the risk of a resource
shortage when there are multiple IT investment projects in progress?
IT risk management
IT change management
IT portfolio management
IT project management
Q93} Which type of control is an IS auditor MOST likely to recommend for an environment
where segregation of duties is not feasible?
Managerial control
Preventive control
Deterrent control
Compensating control
Q94} Which of the following should be of MOST concern to an IS auditor when reviewing the
protection of data?
Classified data is not encrypted.
The classification scheme is not published.
Data is not properly classified.
Passwords are not changed regularly.
Q95} Which of the following is the GREATEST concern associated with IS risk-based auditing
when audit resources are limited?
Conducting risk assessments may reduce the time available for auditing.
There may be significant delays in responding to management audit requests.
The audit schedule may become too predictable.
Some business processes may not be audited.
Q96} What is the PRIMARY purpose of performing a parallel run of a new system?
To train the end users and supporting staff on the new system
To validate the new system against its predecessor
To reduce the need for additional testing
To verify the new system provides required business functionality
Q97} Which of the following is the BEST method for reducing data redundancy in a database?
Transaction logging
Data normalization
Concurrent controls
Periodic data review
Q98} Which of the following is MOST critical to the success of an information security program?
User accountability for information security
Integration of business and information security
Alignment of information security with IT objectives
Management's commitment to information security
Q99} Which of the following is used to prevent or manage concurrent edits to source code files?
Operating system permissions
Check-in/check-out process
Database locks.
File system permissions
Q100} A database administrator (DBA) should be prevented from:
having end user responsibilities.
using an emergency user ID.
having access to production files.
accessing sensitive information.
Q101} Which of the following provides the MOST comprehensive information about inherent
risk within an organization?
Business impact analysis (BIA)
Risk-based audit findings
Vulnerability analysis
Risk assessments
Q102} Management states that a recommendation made during a prior audit has been
implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the
following is the auditor's MOST appropriate course of action?
Recommend external verification of management's preferred actions.
Make an additional recommendation on how to remediate the finding.
Perform testing or other audit procedures to confirm the status of the original risk.
Report to audit management that the actions taken have not effectively addressed the original risk.
Q103} Which of the following provides the MOST useful information for performing a business
impact analysis (BIA)?
Policies for business procurement
Inventory of relevant business processes
Results of business resumption planning efforts
Documentation of application configurations
Q104} An IS auditor is concerned that unauthorized access to a highly sensitive data center
might be gained by piggybacking or tailgating. Which of the following is the BEST
recommendation?
Procedures for escorting visitors
Biometrics
Intruder alarms
Airlock entrance
Q105} Which of the following would MOST likely be detailed in an audit charter?
List of evidence required for the audit
Appointments needed with key process owners
Right to access relevant information
Timeline of the audit engagement
Q106} Demonstrated support from which of the following roles in an organization has the
MOST influence over information security governance?
Chief information officer (CIO)
Chief information security officer (CISO)
Board of directors
Information security steering committee
Q107} Which of the following is the PRIMARY reason for an IS auditor to perform a risk
assessment while executing a risk-based IS audit strategy?
It helps to identify areas that are most sensitive to fraudulent practices.
It increases awareness of the types of management actions that may be inappropriate.
It ensures adherence to global audit standards.
It helps to identify areas with relatively high probability of material problems.
Q108} Which of the following poses the GREATEST risk to an organization when employees use
public social networking sites?
Cross-site scripting (XSS)
Adverse posts about the organization
Social engineering
Copyright violations
Q109} While conducting an IT operations audit, an internal IS auditor discovers there are backup
media missing that potentially contain unencrypted data. Which of the following should be the
IS auditor's NEXT step?
Determine what data is on the missing media.
Notify legal and regulatory authorities of the lost media.
Write a report regarding the missing media.
Review the backup media policy and procedures.
Q110} Which of the following would provide the MOST useful information to an IS auditor when
evaluating the maturity of an IT department's incident management processes?
Reviewing incident management logs from the previous year
Benchmarking the department's incident handling procedures
Identifying unmitigated risks in the way incidents are handled
Performing a gap analysis of incident management procedures
Q111} Which of the following is critical to the successful establishment of an enterprise IT
architecture?
Organizational support for standardization
An architecture encompassing only critical systems
A well-defined data migration policy
Comparison of the architecture with that of other organizations
Q112} Which of the following audit procedures would provide the BEST assurance that an
application program is functioning as designed?
Interviewing business management
Reviewing program documentation
Using a continuous auditing module
Confirming accounts
Q113} To mitigate the risk of exposing data through application programming interface (API)
queries, which of the following design considerations is MOST important?
Data quality
Data retention
Data minimization
Data integrity
Q114} Which of the following is a method to prevent disclosure of classified documents printed
on a shared printer?
Encrypting the data stream between the user's computer and the printer
Using passwords to allow authorized users to send documents to the printer
Producing a header page with classification level for printed documents
Requiring a key code to be entered on the printer to produce hard copy
Q115} Which of the following BEST enables an IS auditor to combine and compare access
control lists from various applications and devices?
Integrated test facility (ITF)
Snapshots
Data analytics
Audit hooks
Q116} A source code repository should be designed to:
prevent changes from being incorporated into existing code.
provide automatic incorporation and distribution of modified code.
provide secure versioning and backup capabilities for existing code.
prevent developers from accessing secure source code.
Q117} When is it MOST important for an IS auditor to apply the concept of materiality in an
audit?
When planning an audit engagement
When gathering information for the fieldwork
When a violation of a regulatory requirement has been identified
When evaluating representations from the auditee
Q118} Which of the following BEST enables the effectiveness of an organization's disaster
recovery team?
Periodic testing and updating of recovery protocols
Parallel business continuity and tabletop testing
Engaging a third-party disaster recovery service
Daily security threat briefings for the recovery team
Q119} Which of the following should an IS auditor recommend be done FIRST when an
organization is made aware of a new regulation that is likely to impact IT security requirements?
Determine which systems and IT-related processes may be impacted.
Review the design and effectiveness of existing IT controls.
Evaluate how security awareness and training content may be impacted.
Update security policies based on the new regulation.
Q120} An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party
provider that hosts the bank's secondary data center. Which of the following findings should be
of GREATEST concern to the auditor?
The SLA has not been reviewed in more than a year.
The recovery time objective (RTO) has a longer duration than documented in the disaster
recovery plan (DRP).
The recovery point objective (RPO) has a shorter duration than documented in the disaster
recovery plan (DRP).
Backup data is hosted online only.
Q121} An organization has shifted from a bottom-up approach to a top-down approach in the
development of IT policies. This should result in:
greater consistency across the organization.
a more comprehensive risk assessment plan.
a synthesis of existing operational policies.
greater adherence to best practices.
Q122} Email required for business purposes is being stored on employees' personal devices.
Which of the following is an IS auditor's BEST recommendation?
Implement an email containerization solution on personal devices.
Prohibit employees from storing company email on personal devices.
Require employees to utilize passwords on personal devices.
Ensure antivirus protection is installed on personal devices.
Q123} Which of the following is MOST important to include in security awareness training?
Contact information for the organization's security team
Descriptions of the organization's security infrastructure
The importance of complex passwords
How to respond to various types of suspicious activity
Q124} Which of the following is MOST important during software license audits?
Judgmental sampling
Compliance testing
Substantive testing
Stop-or-go sampling
Q125} Which of the following is the BEST indication that an information security awareness
program is effective?
A reduction in the cost of maintaining the information security program
A reduction in the number of reported information security incidents
A reduction in the number of information security attacks
A reduction in the success rate of social engineering attacks
Q126} What is the BEST way to reduce the risk of inaccurate or misleading data proliferating
through business intelligence systems?
Implement data entry controls for new and existing applications.
Establish rules for converting data from one format to another.
Develop a metadata repository to store and access metadata.
Implement a consistent database indexing strategy.
Q127} With regard to resilience, which of the following is the GREATEST risk to an organization
that has implemented a new critical system?
There is no plan for monitoring system downtime.
A business impact analysis (BIA) has not been performed.
Business data is not sanitized in the development environment.
The process owner has not signed off on user acceptance testing (UAT).
Q128} Which of the following provides the BEST assurance of data integrity after file transfers?
Reasonableness check
Hash values
Check digits
Monetary unit sampling
Q129} An incident response team has been notified of a virus outbreak in a network subnet.
Which of the following should be the NEXT step?
Verify that the compromised systems are fully functional.
Remove and restore the affected systems.
Document the incident.
Focus on limiting the damage.
Q130} Which of the following is an IS auditor's BEST recommendation to mitigate the risk of
eavesdropping associated with an application programming interface (API) integration
implementation?
Implement Simple Object Access Protocol (SOAP).
Implement Transport Layer Security (TLS).
Encrypt the extensible markup language (XML) file.
Mask the API endpoints.
Q131} Which of the following is the MOST cost-effective way to determine the effectiveness of a
business continuity plan (BCP)?
Full operational test
Tabletop exercise
Post-implementation review
Stress test
Q132} An IS auditor has found that despite an increase in phishing attacks over the past two
years, there has been a significant decrease in the success rate. Which of the following is the
Implementation of an intrusion detection system (IDS)
Enhanced training for incident responders
Development of an incident response plan
Implementation of a security awareness program
Q133} A request for proposal (RFP) for the acquisition of computer hardware should include:
maximum cost restriction.
support and maintenance requirements.
the requirement that the supplier allow a right of audit.
detailed specification of the current hardware infrastructure.
Q134} A configuration management audit identified that predefined automated procedures are
used when deploying and configuring application infrastructure in a cloud-based environment.
Which of the following is MOST important for the IS auditor to review?
Processes for making changes to cloud environment specifications
Number of administrators with access to cloud management consoles
Storage location of configuration management documentation
Contracts of vendors responsible for maintaining provisioning tools
Q135} Which of the following is the MOST effective accuracy control for entry of a valid numeric
part number?
Hash totals
Comparison to historical order pattern
Online review of description
Self-checking digit
Q136} A programmer has made unauthorized changes to key fields in a payroll system report.
Which of the following control weaknesses would have contributed MOST to this problem?
The programmer has access to the production programs.
Payroll files were not under the control of a librarian.
The programmer did not involve the user in testing.
The user requirements were not documented.
Q137} Which of the following provides the BEST audit evidence that a firewall is configured in
compliance with the organization's security policy?
Performing penetration testing
Reviewing the rule base
Analyzing log files
Analyzing how the configuration changes are performed
Q138} A vendor requires privileged access to a key business application. Which of the following
is the BEST recommendation to reduce the risk of data leakage?
Implement real-time activity monitoring for privileged roles.
Perform a review of privileged roles and responsibilities.
Require the vendor to implement job rotation for privileged roles.
Include the right-to-audit in the vendor contract.
Q139} An organization is considering using production data for testing a new application's
functionality. Which of the following data protection techniques would BEST ensure that
personal data cannot be inadvertently recovered in test environments while also reducing the
need for strict confidentiality of the data?
Data encryption
Data anonymization
Data normalization
Data minimization
Q140} Which of the following is the BEST way to ensure email confidentiality in transit?
Encryption of corporate network traffic
End-to-end encryption
Digital signatures
Complex user passwords
Q141} Which of the following is the BEST way to help ensure new IT implementations align with
enterprise architecture (EA) principles and requirements?
Conduct EA reviews as part of the change advisory board.
Document the security view as part of the EA.
Perform mandatory post-implementation reviews of IT implementations.
Consider stakeholder concerns when defining the EA.
Q142} Which of the following is an IS auditor's BEST approach when preparing to evaluate
whether the IT strategy supports the organization's vision and mission?
Solicit feedback from other departments to gauge the organization's maturity
Review strategic projects for return on investments (ROIs).
Review the organization's key performance indicators (KPIs).
Meet with senior management to understand business goals.
Q143} Which of the following is the PRIMARY purpose of obtaining a baseline image during an
operating system audit?
To verify antivirus definitions
To identify atypical running processes
To identify local administrator account access
To verify the integrity of operating system backups
Q144} Which of the following is the BEST reason for an IS auditor to emphasize to management
the importance of using an IT governance framework?
Frameworks help facilitate control self-assessments (CSAs).
Frameworks enable IT benchmarks against competitors.
Frameworks can be tailored and optimized for different organizations.
Frameworks help organizations understand and manage IT risk.
Q145} An IS auditor is reviewing the service agreement with a technology company that
provides IT help desk services to the organization. Which of the following monthly performance
metrics is the BEST indicator of service quality?
The average turnaround time spent on each reported issue
The total number of users requesting help desk services
The percent of issues resolved by the first contact
The average call waiting time on each request
Q146} An IS auditor is reviewing the system development practices of an organization that is
about to move from a waterfall to an agile approach. Which of the following is MOST important
Secure code review
Capacity planning
Release management
Code versioning
Q147} As part of compliance testing, which of the following is the PRIMARY source of
information for testing user access controls?
System user access list
Key risk indicators (KRIs)
User access policy
Previous internal audit reports
Q148} While conducting a post-implementation review, an IS auditor determines that a key
deliverable was not met. What should the auditor do FIRST?
Review lessons learned to verify whether the issue was documented.
Document the issue and mark the project as incomplete.
Work with the project manager to determine the root cause.
Report the unmet deliverable to senior management.
Q149} Which of the following concerns is MOST effectively addressed by implementing an IT
framework for alignment between IT and business objectives?
Inadequate IT change management practices
Inaccurate business impact analysis (BIA)
Inadequate IT portfolio management
Lack of a benchmark analysis
Q150} An organization has initiated the process of divesting itself of a business in one of its
operating jurisdictions. Meanwhile, new data privacy regulations for that region have just been
announced. What should the IS auditor do FIRST when developing an audit plan for the
organization?
Exclude the business entity being divested from the audit plan.
Conduct an audit of the affected business entity immediately.
Assess the impact of the new regulations on the affected business entity.
Recommend that management accept the risk arising from the new regulations.
Q151} Which of the following is the GREATEST benefit of an effective data classification process?
Data custodians are identified.
Appropriate ownership over data is assigned.
Data retention periods are well defined.
Data is protected according to its sensitivity.
Q152} As part of the architecture of virtualized environments, in a bare metal or native
virtualization the hypervisor runs without:
a guest operating system.
any applications on the guest operating system.
a host operating system.
any applications on the host operating system.
Q153} An organization is planning to hire a third party to develop software. What is the MOST
appropriate way for the organization to ensure access to code if the software development
company goes out of business?
Establish a software escrow agreement.
Establish a service level agreement (SLA).
Request software licenses.
Request a copy of the software.
Q154} When reviewing an ongoing business process reengineering (BPR) project, which of the
following should be an IS auditor's GREATEST concern?
Existing processes may not be fully documented.
Control gaps are created but not addressed.
A business impact analysis (BIA) may not be carried out.
Additional cost may be required to stabilize the process.
Q155} An IT steering committee assists the board of directors in fulfilling IT governance duties
by:
developing IT policies and procedures for project tracking.
approving IT security awareness training content.
overseeing major projects and IT resource allocation.
assigning IT services to infrastructure components.
Q156} Recovery facilities providing a redundant combination of Internet connections to the
local communications loop is an example of which type of telecommunications continuity?
Voice recovery
Long-haul network diversity
Last-mile circuit protection
Alternative routing
Q157} How can an organization authorize traffic from remote users to corporate network
resources while ensuring traffic is encrypted and travels through a secure tunnel?
Requiring connections via a virtual private network (VPN) connection with a trusted certificate
Validating all data transfer requests through an encrypted reverse proxy
Requiring the use of a thin client to connect directly to the server
Ensuring all external traffic is routed through a perimeter firewall with user
Q158} Exception reports generated by application processing are MOST likely to trigger
processes related to:
project management.
configuration management.
incident management.
change management.
Q159} Backup procedures for an organization's critical data are considered to be which type of
control?
Directive
Detective
Corrective
Compensating
Q160} An organization uses public key infrastructure (PKI) to provide email security. Which of
the following would be the MOST efficient method to determine whether email messages have
been modified in transit?
The message is sent using Transport Layer Security (TLS) protocol.
The message is encrypted using the private key of the sender.
The message is sent along with an encrypted hash of the message.
The message is encrypted using a symmetric algorithm.
Q161} An IS auditor conducts a review of a third-party vendor's reporting of key performance
indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
KPIs are not clearly defined.
KPI data is not being analyzed.
KPIs have never been updated.
Some KPIs are not documented.
Q162} Which of the following observations should be of GREATEST concern to an IS auditor
when auditing web application security control as part of an IT general controls audit?
The application control configuration is not available.
Application control is not aligned with an IT framework.
An application control matrix has not been established.
An application control assessment has not been performed.
Q163} When auditing the feasibility study of a system development project, the IS auditor
should:
review the request for proposal (RFP) to ensure that it covers the scope of work.
review qualifications of key members of the project team.
review cost-benefit documentation for reasonableness.
ensure that vendor contracts are reviewed by legal counsel.
Q164} An organization recently implemented a data warehouse that is pulling data from
geographically dispersed sources. Updates are not synchronized due to time zone differences.
Which of the following controls would MOST likely compensate for the lack of synchronization?
Concurrency controls
Normalization controls
Backup controls
Discretionary access controls
Q165} Which of the following BEST mitigates the risk associated with the deployment of a new
production system?
Release management
Configuration management
Incident management
Problem management
Q166} Which of the following is the BEST method to delete sensitive information from storage
media that will be reused?
Multiple overwriting
Crypto-shredding
Re-partitioning
Reformatting
Q167} Which of the following is the PRIMARY objective of implementing privacy-related
controls within an organization?
To identify data at rest and data in transit for encryption
To provide options to individuals regarding use of their data
To prevent confidential data loss
To comply with legal and regulatory requirements
Q168} An organization considering the outsourcing of a business application should FIRST:
define service level requirements.
perform a vulnerability assessment.
conduct a cost-benefit analysis.
issue a request for proposal (RFP).
Q169} Which of the following controls associated with software development would be
classified as a preventive control to address scope creep?
Iteration retrospective
Iteration review
System demo
Backlog grooming
Q170} An IT balanced scorecard is BEST used for which of the following purposes?
Measuring risk in IT processes
Monitoring strategic performance
Evaluating IT's financial position
Evaluating business processes
Q171} Which of the following would protect the confidentiality of information sent in email
messages?
Digital signatures
Secure Hash Algorithm 1 (SHA-1)
Encryption
Digital certificates
Q172} Which of the following is MOST important for an IS auditor to review when determining
whether IT investments are providing value to the business?
Return on investment (ROI)
Total cost of ownership (TCO)
Business strategy
Business cases
Q173} In a virtualized environment, which of the following techniques BEST mitigates the risk of
pervasive network attacks?
Segmentation
Demilitarized zone (DMZ)
Configuration assessment
Encryption
Q174} Which of the following should an IS auditor be MOST concerned with when reviewing the
IT asset disposal process?
Data migration to the new asset
Monetary value of the asset
Data stored on the asset
Certificate of destruction
Q175} Which of the following should be the FIRST consideration when deciding whether data
should be moved to a cloud provider for storage?
Data storage costs
Data classification
Service level agreements (SLAs)
Vendor cloud certification
Q176} Which of the following is the BEST way to reduce the risk associated with inadequate
segregation of duties for privileged users?
Implement remote logging with independent monitoring.
Use data loss prevention (DLP) software.
Implement keystroke logging.
Require prior authorization of privileged users' actions.
Q177} Which of the following is an IS auditor's BEST course of action when the auditee indicates
that a corrective action plan for a high-risk finding will take longer than expected?
Accept the longer target date and document it in the audit system.
Determine if an interim compensating control has been implemented.
Require that remediation is completed in the agreed timeframe.
Escalate the overdue finding to the audit committee.
Q178} Which of the following is the PRIMARY reason to perform a risk assessment?
To achieve compliance with regulatory requirements
To help allocate budget for risk mitigation controls
To determine the current risk profile
To ensure alignment with the business impact analysis (BIA)
Q179} Which of the following should be done FIRST when planning to conduct internal and
external penetration testing for a client?
Establish the rules of engagement.
Establish the timing of testing.
Determine the test reporting.
Identify milestones.
Q180} What is the PRIMARY objective of evaluating the readiness of an information system
implementation?
Determine whether the system implementation is on schedule.
Determine whether the system complies with the organization's policy.
Determine whether the system meets business requirements.
Determine whether the system meets return on investment (ROI).
Q181} When reviewing the functionality of an intrusion detection system (IDS), the IS auditor
should be MOST concerned if:
detected events have increased.
actual attacks have not been identified.
false positives have been reported.
legitimate packets blocked by the system have increased.
Q182} Which of the following should be of MOST concern to an IS auditor reviewing the
information systems acquisition, development, and implementation process?
Data owners are not trained on the use of data conversion tools.
A post-implementation lessons-learned exercise was not conducted.
System deployment is routinely performed by contractors.
There is no system documentation available for review.
Q183} An organization has decided to migrate its underlying technology, and an enterprise
architect is tasked with proposing the blueprint for the future state architecture. Which of the
Reducing the number of unsupported systems
Aligning the business IT architecture with industry standards
Ensuring IT enables the business strategy
Ensuring technology cost reductions
Q184} Which of the following is the BEST preventive control to protect the confidentiality of
data on a corporate smartphone in the event it is lost?
Password for device authentication
Remote data wipe program
Encryption of the data stored on the device
Biometric authentication for the device
Q185} Which of the following applications should an IS auditor consider to be the HIGHEST
priority when reviewing disaster recovery planning (DRP) tests for an e-commerce company?
An application for financial management
An application for IT performance monitoring
An application for traffic load balancing
An application for HR management
Q186} An e-commerce transaction stopped during processing due to a sudden power outage.
Which of the following principles ensures transactions can be rolled back appropriately?
Atomicity
Durability
Integrity
Consistency
Q187} When planning an internal penetration test, which of the following is the MOST
important step prior to finalizing the scope of testing?
Agreeing on systems to be excluded from the testing scope with the IT department
Notifying the IT security department regarding the testing scope
Ensuring the scope of penetration testing is restricted to the test environment
Obtaining management's consent to the testing scope in writing
Q188} Which of the following applications has the MOST inherent risk and should be prioritized
during audit planning?
An onsite application that is unsupported
A decommissioned legacy application
An outsourced accounting application
An internally developed application
Q189} Which of the following would provide the BEST evidence of the effectiveness of
mandated annual security awareness training?
Results of a third-party penetration test
Trending of social engineering test results
Surveys completed by randomly selected employees
Number of security incidents
Q190} Which of the following is MOST important for an IS auditor to validate when auditing
network device management?
All devices are located within a protected network segment.
All devices have current security patches assessed.
Backup policies include device configuration files.
Devices cannot be accessed through service accounts.
Q191} An IS auditor discovers that due to resource constraints, a database administrator (DBA) is
responsible for developing and executing changes into the production environment. Which of
the following should the auditor do FIRST?
Report a potential segregation of duties violation.
Ensure a change management process is followed prior to implementation.
Determine whether another DBA could make the changes.
Identify whether any compensating controls exist.
Q192} Which of the following is an IS audit professional ethics violation?
Providing confidential information in response to a legal request
Making multiple errors in performing audit work
Disagreeing with management's assertions
Withholding facts that affect audit conclusions
Q193} Which of the following areas is MOST important for an IS auditor to focus on when
reviewing the maturity model for a technology organization?
Business resiliency
Standard operating procedures
Service level agreements (SLAs)
Roles and responsibility matrix
Q194} The objectives of business process reengineering (BPR) should PRIMARILY include:
system improvements.
organizational structure changes.
performance efficiencies.
incremental changes in productivity.
Q195} Which of the following should be the MOST important consideration in IT portfolio
management?
Selecting IT investment projects that align with corporate strategy
Aligning IT portfolio processes with corporate objectives
Determining the opportunity cost of IT investment projects
Increasing the budget and resources allocated for IT investments
Q196} Which of the following would be an auditor's GREATEST concern when reviewing data
inputs from spreadsheets into the core finance system?
Undocumented code formats data and transmits directly to the database.
Spreadsheets are accessible by all members of the finance department.
The department data protection policy has not been reviewed or updated for two years.
There is not a complete inventory of spreadsheets, and file naming is inconsistent.
Q197} Which of the following would BEST help an IS auditor identify Software as a Service (SaaS)
applications that are operating outside of an organization's cloud governance?
Reviewing access logs provided by SaaS application service providers
Obtaining third-party cloud compliance reporting
Assessing financial records to detect recent cloud service purchases
Reviewing reports produced by a cloud access security broker (CASB)
Q198} An organization is migrating its HR application to an Infrastructure as a Service (IaaS)
model in a private cloud. Who is PRIMARILY responsible for the security configurations of the
deployed application's operating system?
IS The cloud provider
The cloud provider's external auditor
The operating system vendor
The organization
Q199} An organization is concerned with meeting new regulations for protecting data
confidentiality and asks an IS auditor to evaluate their procedures for transporting data. Which
of the following would BEST support the organization's objectives?
Dedicated lines
Cryptographic hashes
Encryption
Virtual local area network (VLAN)
Q200} Which of the following is an IS auditor's BEST recommendation to protect an organization
from attacks when its file server needs to be accessible to external users?
Enforce a secure tunnel connection.
Implement a secure protocol.
Set up a demilitarized zone (DMZ).
Enhance internal firewalls.
Q201} Which of the following would be MOST important to include in an IS audit report?
Specific technology solutions for each audit observation
Observations not reported as findings due to inadequate evidence
The level of unmitigated risk along with business impact
The roadmap for addressing the various risk areas
Q202} Which of the following risks is BEST mitigated by implementing an automated three-way
match?
Inaccurate customer records
Inaccurate customer discounts
Purchase order delays
Invalid payment processing
Q203} One advantage of monetary unit sampling is the fact that:
large-value population items are segregated and audited separately.
it increases the likelihood of selecting material items from the population.
results are stated in terms of the frequency of items in error.
it can easily be applied manually when computer resources are not available.
Q204} During a follow-up audit, an IS auditor finds that senior management has implemented a
different remediation action plan than what was previously agreed upon. Which of the
following is the auditor's BEST course of action?
Report the deviation by the control owner in the audit report.
Evaluate the implemented control to ensure it mitigates the risk to an acceptable level
Request justification from management for not implementing the recommended control
Cancel the follow-up audit and reschedule for the next audit period.
Q205} As part of a follow-up of a previous year's audit, an IS auditor has increased the expected
error rate for a sample. What is the impact?
Required sample size increases
Residual risk decreases
Standard deviation decreases
Degree of assurance increases
Q206} As part of a follow-up of a previous year's audit, an IS auditor has increased the expected
error rate for a sample. What is the impact?
Required sample size increases
Residual risk decreases
Standard deviation decreases
Degree of assurance increases
Q207} Attribute sampling is BEST suited to estimate:
the total error amount in the population.
standard deviation from the mean.
the true monetary value of a population.
the degree of compliance with approved procedures.
Q208} Once a security policy is approved by key stakeholders, the NEXT step should be to:
validate it against security standards.
integrate it into the security awareness program.
update it according to schedule.
share it with external auditors.
Q209} Which of the following should be the PRIMARY objective of an organization's incident
management program?
Closing incidents in accordance with service level agreements (SLAs)
Reducing the number and severity of security incidents throughout the organization
Enabling the organization to resume normal business operations
Preventing recurrence of similar incidents in the future
Q210} An IS auditor is reviewing the service management of an outsourced help desk. Which of
the following is the BEST indicator of how effectively the service provider is performing this
Call transcript reviews
Average ticket age
Customer satisfaction ratings
Number of calls worked
Q211} Which of the following should be used as the PRIMARY basis for prioritizing IT projects
and initiatives?
Expected business value
Estimated cost and time
Available resources
Level of risk reduction
Q212} An organization is migrating its HR application to an Infrastructure as a Service (IaaS)
model in a private cloud. Who is PRIMARILY responsible for the security configurations of the
deployed application's operating system?
The operating system vendor
The cloud provider's external auditor
The organization
The cloud provider
Q213} Which of the following would a digital signature MOST likely prevent?
Repudiation
Unauthorized change
Corruption
Disclosure
Q214} An organization's database administrator (DBA) has implemented native database
auditing. Which of the following is the GREATEST concern with this situation?
Production database performance may be negatively affected.
Development of supplementary tools for database monitoring may be required
Configuration management resilience may be impaired.
Policy-driven event logging may be impaired.
Q215} An IS auditor engaged in developing the annual internal audit plan learns that the chief
information officer (CIO) has requested there be no IS audits in the upcoming year, as more time
is needed to address a large number of recommendations from the previous year. Which of the
following should the auditor do FIRST?
Notify the chief operating officer (COO) and discuss the audit plan risks.
Exclude IS audits from the upcoming year's plan
Increase the number of IS audits in the plan.
Escalate to audit management to discuss the audit plan.
Q216} A new system development project is running late against a critical implementation
deadline. Which of the following is the MOST important activity?
Perform user acceptance testing (UAT).
Ensure that code has been reviewed.
Perform a pre-implementation audit.
Document last-minute enhancements.
Q217} An IS auditor has identified potential fraud activity perpetrated by the network
administrator. What should the auditor do FIRST?
Review the audit finding with the audit committee prior to any other discussions
Share the potential audit finding with the security administrator.
Notify the audit committee to ensure a timely resolution
Perform more detailed tests prior to disclosing the audit results.
Q218} An IS auditor observes that a large number of departed employees have not been
removed from the accounts payable system. Which of the following is MOST important to
The ability of departed employees to actually access the system
The frequency of intrusion attempts associated with the accounts payable system
The process for terminating access of departed employees
The frequency of user access reviews performed by management
Q219} Which of the following is the BEST way to reduce the risk of vulnerabilities introduced by
rapid deployment of applications?
Review change management policies and procedures.
Review a sample of historical production changes to identify abnormalities.
Perform security audits during the development life cycle.
Conduct a post-deployment security audit to identify vulnerabilities.
Q220} Which of the following is an example of a preventive control for physical access?
Implementing a centralized logging server to record instances of staff logging into workstations
Installing closed-circuit television (CCTV) cameras for all ingress and egress points
Keeping log entries for all visitors to the building
Implementing a fingerprint-based access control system for the building
Q221} An IS auditor requests direct access to data required to perform audit procedures instead
of asking management to provide the data. Which of the following is the PRIMARY advantage of
this approach?
Data confidentiality
Audit efficiency
Professionalism
Audit transparency
Q222}An organization is concerned about duplicate vendor payments on a complex system
with a high volume of transactions. Which of the following would be MOST helpful to an IS
auditor to determine whether duplicate vendor payments exist?
Computer-assisted technique
Statistical sampling
Process walk-through
Stratified sampling
Q223} Which of the following is the MOST important consideration for an IS auditor when using
sampling techniques?
Quantify the probability of error.
Quantify the level of risk.
Apply professional judgment
Consider each item for selection.
Q224} The following findings are the result of an IS auditor's post-implementation review of a
newly implemented system. Which of the following findings is of GREATEST significance?
Monthly dashboards did not always contain deliverables.
Measurable benefits were not defined.
The project's 10% budget overrun was not reported to senior management.
A lessons-learned session was never conducted.
Q225}Which of the following is the BEST way for an organization that is using a Software as a
Service (SaaS) application to reduce its risk associated with the collection and protection of
personal information?
Only allow remote access to personal information from an alternate site.
Limit the amount of personal information collected to the minimum required
Encrypt personal information held by the organization
Limit the amount of personal information collected to industry standards.
Q226} An IS auditor finds that application servers had inconsistent security settings leading to
potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
Perform a penetration test
Perform a configuration review.
Improve the change management process.
Establish security metrics.
Q227} When an organization conducts business process improvements, the IS auditor should be
MOST concerned with the:
metrics used to evaluate key operating segments.
lack of version control over process documentation
adequacy of reporting to senior management.
adequacy of the controls in the redesigned process
Q228} Due to technical limitations, an organization is not able to implement encryption of
credit card details in the customer database. Which of the following would provide the BEST
Data masking of credit card details on screen
Encryption of credit card details in transit
Tokenization of credit card details
Multi-factor authentication to access the database
Q229} Which of the following is the MOST likely reason that local area network (LAN) servers can
contribute to the rapid distribution of viruses?
The server's file-sharing function facilitates distribution of files.
Server software is the first to be infected.
The server exchanges data with each workstation at logon time.
Users of a server often load the same programs.
Q230} Rather than decommission an entire legacy application, an IT department is replacing
specific modules while maintaining those still relevant. Which of the following artifacts is MOST
important for an IS auditor to review?
Application provider contract
Future state architecture and requirements
Applicable licensing agreements for the application
IT service management catalog and service level requirements
Q231} Which of the following would aid an IS auditor reviewing the integrity of program
changes migrated into production?
Operating system log data
Tape management system
Database schema
Configuration management system
Q232} Which of the following is the BEST way to prevent a virus from spreading throughout a
local area network (LAN)?
Prohibiting user access to the Internet.
Having a memory resident virus-scanning program on network servers
Scanning the hard disks in the network for viruses on a daily basis
Disabling the ability to download executable files
Q233} Which of the following is the ULTIMATE objective of performing a phishing simulation
test?
To improve the level of security awareness
To reduce the likelihood of cyber incidents
To identify the occurrence of cyber events
To remove the need to install spam filtering
Q234} Which of the following BEST protects evidence in a forensic investigation?
Rebooting the affected system
Powering down the affected system
Imaging the affected system
Protecting the hardware of the affected system
Q235} Which of the following can only be provided by asymmetric encryption?
Information privacy
Data availability
Nonrepudiation
256-bit key length
Q236} Which of the following should be considered when examining fire suppression systems
as part of a data center environmental controls review?
Onsite replacement availability
Installation manuals
Insurance coverage
Maintenance procedures
Q237} One advantage of monetary unit sampling is the fact that
it increases the likelihood of selecting material items from the population.
large-value population items are segregated and audited separately
results are stated in terms of the frequency of items in error.
it can easily be applied manually when computer resources are not available
Q238} Which of the following should be the GREATEST concern to an IS auditor reviewing an
organization's method to transport sensitive data between offices?
The method relies exclusively on the use of digital signatures.
The method relies exclusively on the use of asymmetric encryption algorithms
The method relies exclusively on the use of public key infrastructure (PKI).
The method relies exclusively on the use of 128-bit encryption.
Q239} An organization using a cloud provider for its online billing system requires the website
to be accessible to customers at all times. What is the BEST way to verify the organization's
Agree on periodic performance discussions with the vendor.
Monitor the service level agreement (SLA) with the vendor.
Require the vendor to report any outages longer than five minutes.
Invoke the right-to-audit clause.
Q240} Which of the following metrics is MOST helpful for evaluating the effectiveness of
problem management practices?
The percentage of incidents resolved within a service level agreement (SLA)
The number of incidents investigated and diagnosed
The number of recurring incidents that cause downtime
The average time to detect and prioritize an incident
When developing customer-facing IT applications, in which stage of the system development life
cycle (SDLC) is it MOST beneficial to consider data privacy principles?
Software selection and acquisition
Systems design and architecture
Requirements definition
User acceptance testing (UAT)
An organization produces control reports with a desktop application that accesses data in the
central production database. Which of the following would give an IS auditor the GREATEST
concern about the reliability of these reports?
The report definitions file is not included in routine backups
The reports are printed by the same person who reviews them
The reports are available to all end users
The report definitions can be modified by end users
Which of the following is the PRIMARY advantage of using an automated security log monitoring
tool instead of conducting a manual review to monitor the use of privileged access?
Ease of storing and maintaining log files
Increased likelihood of detecting suspicious activity
Ease of log retrieval for audit purposes
Reduced costs associated with automating the review
Which of the following is the MAIN risk associated with adding a new system functionality during
the development phase without following a project change management process?
The project may go over budget.
The new functionality may not meet requirements.
The project may fail to meet the established deadline.
The added functionality has not been documented.
Which of the following BEST describes the role of the IS auditor in a control self-assessment (CSA)?
Approver
Reviewer
Facilitator
Implementer
An IT governance body wants to determine whether IT service delivery is based on consistently
effective processes. Which of the following is the BEST approach?
Evaluate key performance indicators (KPIs)
Conduct a gap analysis
Develop a maturity model
Implement a control self-assessment (CSA)
Which of the following is the GREATEST benefit of adopting an Agile audit methodology?
Annual cost savings
Reduced documentation requirements
Better ability to address key risks
Less frequent client interaction
Which of the following should be an IS auditor's GREATEST concern when reviewing a reciprocal
disaster recovery agreement between two organizations?
Right to terminate the agreement
Differences in IT policies and procedures
Frequency of system testing
Maintenance of hardware and software compatibility
Which of the following provides the BEST evidence of an IT strategy committee's effectiveness?
The IT strategy committee charter
Business unit satisfaction survey results
Increase in the number of strategic objectives
Alignment of IT activities with corporate objectives
If a recent release of a program has to be backed out of production, the corresponding changes
within the delta version of the code should be:
eliminated from the source code that reflects the version in production.
applied to the source code that reflects the version in production.
reinstated when replacing the version back into production.
filed in production for future reference in researching the problem.
Which of the following will BEST ensure that archived electronic information of permanent
importance remains accessible over time?
Acquiring applications that emulate old software
Periodically backing up archived data
Regularly migrating data to current technology
Performing preventive maintenance on old hardware
Which of the following is MOST important for an IS auditor to evaluate when auditing proposed
investments for the acquisition of an enterprise-wide application?
Whether there are multiple business units interested in the application
Whether business units have approved user acceptance testing (UAT) for the application
Whether there are independent case studies regarding use of the application
Whether management has approved a business case for the application
A checksum is classified as which type of control?
Corrective control
Preventive control
Detective control
Administrative control
Which of the following provides the MOST useful information for performing a business impact
analysis (BIA)?
Results of business resumption planning efforts
Inventory of relevant business processes
Priorities for business procurement
Documentation of application configurations
Which of the following audit procedures would provide the BEST assurance that an application
program is functioning as designed?
Using a continuous auditing module
Reviewing program documentation
Confirming accounts
Interviewing business management
An IS auditor finds that irregularities have occurred and that auditee management has chosen to
ignore them. If reporting to external authorities is required, which of the following is the BEST
action for the IS auditor to take?
Obtain approval from auditee management to release the report
Submit the report to appropriate regulators immediately
Obtain approval from audit management to submit the report
Obtain approval from both audit and auditee management to release the report
Following a merger, a review of an international organization determines the IT steering
committee's decisions do not extend to regional offices as required in the consolidated IT
operating model. Which of the following is the IS auditor's BEST recommendation?
Engage an IT governance consultant
Create regional centers of excellence
Update the IT steering committee's formal charter
Create regional IT steering committees
When auditing the adequacy of a cooling system for a data center, which of the following is MOST
important for the IS auditor to review?
Disaster recovery plan (DRP) testing results
Environmental performance metrics
Geographical location of the data center
Facilities maintenance records
An IS auditor is verifying the adequacy of an organization's internal controls and is concerned
about potential circumvention of regulations. Which of the following is the BEST sampling method
to use?
Variable sampling
Attribute sampling
Cluster sampling
Random sampling
The purpose of a checksum on an amount field in an electronic data interchange (EDI)
communication of financial transactions is to ensure:
integrity.
authorization.
authenticity.
nonrepudiation.
Which of the following is the BEST reason to implement a data retention policy?
To assign responsibility and ownership for data protection outside IT
To limit the liability associated with storing and protecting information
To establish a recovery point objective (RPO) for disaster recovery procedures
To document business objectives for processing data within the organization
The PRIMARY benefit of automating application testing is to:
reduce the time to review code.
provide more flexibility.
provide test consistency.
replace all manual test processes.
Management is concerned about sensitive information being intentionally or unintentionally
emailed as attachments outside the organization by employees. What is the MOST important task
before implementing any associated email controls?
Develop an acceptable use policy for end-user computing (EUC)
Develop an information classification scheme
Provide notification to employees about possible email monitoring
Require all employees to sign nondisclosure agreements (NDAs)
Which of the following will provide the GREATEST assurance to IT management that a quality
management system (QMS) is effective?
A high percentage of stakeholders satisfied with the quality of IT
A high percentage of IT employees attending quality training
A high percentage of IT processes reviewed by quality assurance (QA)
A high percentage of incidents being quickly resolved
Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
Internal auditor
IT manager
Risk management
Business management
In which phase of the internal audit process is contact established with the individuals
responsible for the business processes in scope for review?
Selection phase
Execution phase
Planning phase
Follow-up phase
Which of the following technologies has the SMALLEST maximum range for data transmission
between devices?
Near-field communication (NFC)
Long-term evolution (LTE)
Wi-Fi
Bluetooth
An IS audit manager was temporarily tasked with supervising a project manager assigned to the
organization's payroll application upgrade. Upon returning to the audit department, the audit
manager has been asked to perform an audit to validate the implementation of the payroll
application. The audit manager is the only one in the audit department with IT project
management experience. What is the BEST course of action?
Transfer the assignment to a different audit manager despite lack of IT project management experience.
Have a senior IS auditor manage the project with the IS audit manager performing final review.
Manage the audit since there is no one else with the appropriate experience.
Outsource the audit to independent and qualified resources.
The operations team of an organization has reported an IS security attack. Which of the following
should be the FIRST step for the security incident response team?
Perform a damage assessment.
Prioritize resources for corrective action.
Document lessons learned.
Report results to management.
During a project assessment, an IS auditor finds that business owners have been removed from
the project initiation phase. Which of the following should be the auditor's GREATEST concern
with this situation?
Unrealistic milestones
Inadequate deliverables
Incomplete requirements
Unclear benefits
Which of the following is MOST important to include in forensic data collection and preservation
procedures?
Preserving data integrity
Maintaining chain of custody
Determining tools to be used
Assuring the physical security of devices
Which of the following is the PRIMARY objective of enterprise architecture (EA)?
Maintaining detailed system documentation
Managing and planning for IT investments
Enforcing the IT policy across the organization
Executing customized development and delivery of projects
An external attacker spoofing an internal Internet Protocol (IP) address can BEST be detected by
which of the following?
Comparing the source address to the domain name server (DNS) entry
Using a state table to compare the message states of each packet as it enters the system
Using static IP addresses for identification
Comparing the source address to the interface used as the entry point
Which of the following constitutes an effective detective control in a distributed processing
environment?
Users are required to request additional access via an electronic mail system
A disaster recovery plan (DRP) is in place for the entire system
A log of privileged account use is reviewed
User IDs are suspended after three incorrect passwords have been entered
An IS auditor is reviewing a network diagram. Which of the following would be the BEST location
for placement of a firewall?
At borders of network segments with different security levels
Between virtual local area networks (VLANs)
Between each host and the local network switch/hub
Inside the demilitarized zone (DMZ)
When reviewing past results of a recurring annual audit, an IS auditor notes that findings may
not have been reported and independence may not have been maintained. Which of the following
is the auditor's BEST course of action?
Re-perform past audits to ensure independence
Inform senior management
Inform audit management
Reevaluate internal controls
IT governance should be driven by:
policies and standards.
business unit initiatives.
organizational strategies.
balanced scorecards.
Which of the following data provides the MOST useful input when performing a business impact
analysis (BIA)?
Expected costs for recovering the business
Cost-benefit analysis of running the current business
Cost of regulatory compliance
Projected cost of goods sold
An IS auditor is evaluating the log management system for an organization with devices and
systems in multiple geographic locations. Which of the following is MOST important for the
auditor to verify?
Log files are encrypted and digitally signed
Log files are reviewed in multiple locations
Log files of the servers are synchronized
Log files are concurrently updated
Which of the following is the GREATEST advantage of maintaining an internal IS audit function
within an organization?
Better understanding of the business and processes
Increased independence and impartiality of recommendations
Ability to negotiate recommendations with management
Increased IS audit staff visibility and availability throughout the year
Which of the following is a threat to IS auditor independence?
Internal auditors design remediation plans to address control gaps identified by internal audit.
Internal auditors attend IT steering committee meetings.
Internal auditors recommend appropriate controls for systems in development.
Internal auditors share the audit plan and control test plans with management prior to audit commencement.
An IS auditor is reviewing a data conversion project. Which of the following is the auditor's BEST
recommendation prior to go-live?
Automate the test scripts
Conduct a mock conversion test
The record-locking option of a database management system (DBMS) serves to:
allow database administrators (DBAs) to control the activities of users.
eliminate the risk of concurrent updates to a record.
restrict users from changing certain values within records.
allow users to lock others out of their files.
Which of the following applications has the MOST inherent risk and should be prioritized during
audit planning?
An internally developed application
An outsourced accounting application
An onsite application that is unsupported
A decommissioned legacy application
In an IT organization where many responsibilities are shared, which of the following is the BEST
control for detecting unauthorized data changes?
Users are required to periodically rotate responsibilities
Data changes are logged in an outside application
Segregation of duties conflicts are periodically reviewed
Data changes are independently reviewed by another group
An IS auditor is conducting a physical security audit of a healthcare facility and finds
closed-circuit television (CCTV) systems located in a patient care area. Which of the following is
the GREATEST concern?
There are no notices indicating recording is in progress.
The retention period for video recordings is undefined.
Cameras are not monitored 24/7.
There are no backups of the videos.
Audit frameworks can assist the IS audit function by:
providing details on how to execute the audit program.
outlining the specific steps needed to complete audits.
providing direction and information regarding the performance of audits.
defining the authority and responsibility of the IS audit function.
An IS auditor finds that the cost of developing an application is now projected to significantly
exceed the budget. Which of the following is the GREATEST risk to communicate to senior
management?
Noncompliance with project methodology
Inability to achieve expected benefits
Project abandonment
Increased staff turnover
An organization's sensitive data is stored in a cloud computing environment and is encrypted.
Which of the following findings should be of GREATEST concern to an IS auditor?
Data encryption keys are accessible to the service provider.
The cloud vendor does not have multi-regional presence.
The encryption keys are not kept under dual control.
Symmetric keys are used for encryption.
Which of the following is the BEST indication that there are potential problems within an
organization's IT service desk function?
Lack of segregation of duties
Lack of key performance indicators (KPIs)
An excessive backlog of user requests
Undocumented operating procedures
Which of the following is the MOST significant risk when an application uses individual end-user
accounts to access the underlying database?
Users may be able to circumvent application controls.
User accounts may remain active after a termination.
Multiple connections to the database are used and slow the process.
Application may not capture a complete audit trail.
An organization's business continuity plan (BCP) should be:
updated based on changes to personnel and environments.
tested after an intrusion attempt into the organization's hot site.
tested whenever new applications are implemented.
updated before an independent audit review.
An auditor reviewing an information processing environment decides to conduct external
penetration testing. Which of the following is MOST appropriate to include in the audit scope for
the organization to distinguish between the auditor's penetration attacks and actual attacks?
Source IP addresses of simulated attacks
Timing of simulated attacks
Restricted host IP addresses of simulated attacks
Testing techniques of simulated attacks
Which of the following cloud capeoii Ues BEST enables on organization to meet unexpectedly high service demand^
Alternate routing
O flexibility
0 Scaiabthty
>
I ligh availability
Which of we foiiowing is MOST imporant when implementing a date classification program?
'
Developing a privacy policy
Planning for secure storage capacity
Formalizing data ownership
d ] Understanding the data dassifica nn avels:
^
Following the sale of a business division, employees will be transferred ;o a new organization, but they will retain access tc IT equipment from the previous employer An IS auditor has recommended that both organizations agree to and
document an acceptable use policy for he equipment What type of control has boon recommended?
I
O Preventive control
Corrective oonircl
[* ] Directive control
O Uotcctive oonlrc
Which of the following is the BEST way to mitigate the impact of a ransomware attack?
Paying the ransom
0 Backing up data frequently
Requiring password changes for administrative accounts
Invoking the disaster recovery plan (DRP)
Who would provide an IS auditor with the MOST helpful input during an interview to determine whether business requirements for an application were met?
Q User management
Project sponsors
C) Senior management
O Project management
Which of the following criteria is MOST important for the successful delivery of benefits from an IT project?
7) Quantifying the size of the software development effort required by the project
Q Involving key stakeholders during the development and execution phases of the project
Ensuring that IT project managers have sign-off authority on the business case
Assessing the impact of changes to individuals and business units within the organization
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
Self-assessment report of IT capability and maturity
Current and previous internal IS audit reports
g] Recent third-party IS audit reports
IT performance benchmarking reports with competitors
Which of the following BEST describes an audit risk?
The company is being sued for false accusations
Q The financial report may contain undetected material errors
O Employees have been misappropriating funds
Key employees have not taken vacation for two years
Which of the following is the MOST appropriate control to ensure the identity of an email sender?
Automatic return receipt
0 Digital signature
Multi-factor authentication (MFA)
Transport Layer Security (TLS)
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
The project may go over budget.
[5] The new functionality may not meet requirements.
The project may fail to meet the established deadline.
The added functionality has not been documented.
When developing customer-facing IT applications, in which stage of the system development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?
Software selection and acquisition
Systems design and architecture
0 Requirements definition
User acceptance testing (UAT)
An organization produces control reports with a desktop application that accesses data in the central production database. Which of the following would give an IS auditor concern about the reliability of these reports?
The report definitions file is not included in routine backups
The reports are printed by the same person who reviews them
The reports are available to all end users
The report definitions can be modified by end users
Which of the following is the PRIMARY advantage of using an automated security log monitoring tool instead of conducting a manual review to monitor the use of privileged access?
Ease of storing and maintaining log files
[5] Increased likelihood of detecting suspicious activity
:) Ease of log retrieval for audit purposes
Reduced costs associated with automating the review
Which of the following BEST describes the role of the IS auditor in a control self-assessment (CSA)?
Approver
Reviewer
Facilitator
o Implementer
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
g] Evaluate key performance indicators (KPIs).
Conduct a gap analysis.
Develop a maturity model.
Implement a control self-assessment (CSA).
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
0 the contract includes compensation for deficient service levels.
o the provider's information security controls are aligned with the company's.
the provider adheres to the company's data retention policies.
the provider has alternate service locations.
During an information security review, an IS auditor learns an organizational policy requires all employees to attend information security training during the first week of each new year. What is the auditor's BEST recommendation to ensure employees hired after January receive adequate guidance regarding security awareness?
[3 Revise the policy to include security training during onboarding
Ensure new employees read and sign acknowledgment of the acceptable use policy
Require management of new employees to provide an overview of security awareness
Revise the policy to require security training every six months for all employees
Which of the following is the MOST effective audit approach to verify whether the projected benefits described in an IT project's business case are realistic?
Review of mitigation plans against business risk
[3 Review of the cost-benefit analysis performed by management
Interviews with business stakeholders
Comparison against industry business practices
A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?
Web application firewall (WAF) implementation
Code review by a third party
* Penetration test results
Database application monitoring logs
Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?
Lack of portability for users
Loss of time due to manual processes
Inability to quickly modify and deploy a solution
0 Calculation errors in spreadsheets
Which of the following is MOST important to define within a disaster recovery plan (DRP)?
0 A comprehensive list of disaster recovery scenarios and priorities
O Business continuity plan (BCP)
O Test results for backup data restoration
r. Roles and responsibilities for recovery team members
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
O Sender's private key
O Recipient's private key
0 Recipient's public key
Sender's public key
Which type of risk would MOST influence the selection of a sampling methodology?
Inherent
0 Detection
Residual
O Control
An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
a risk-based ranking of projects.
IT budgets linked to the organization's budget.
0 enterprise architecture (EA) impacts.
O a comparison of future needs against current capabilities.
To ensure adequate security and controls in e-commerce applications, which of the following manages the certificate life cycle of public key pairs?
Certification practice statement (CPS)
Certificate revocation list (CRL)
@ Certification authority (CA)
Registration authority (RA)
Which type of data analytics can be used to identify invalid data, extreme values, or linear correlations between data elements?
G Descriptive
* Prescriptive
G Predictive
G Exploratory
Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?
Training incident management teams on current incident trends
j Testing incident response plans with a wide range of scenarios
Prioritizing incidents after impact assessment
Q Linking incidents to problem management activities
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
0 Risk reduction
Risk acceptance
Risk avoidance
O Risk transfer
Which type of threat can entice a large group of automated social media accounts to steal data, send spam, or launch distributed denial of service (DDoS) attacks?
Malware sharing
O Phishing attempt
0 Botnet attack
Data mining
Which of the following should be an IS auditor's GREATEST concern when assessing an IT service configuration database?
The database is executable for all users
The database is not encrypted at rest
0 The database is write-accessible for all users
The database is read-accessible for all users
During a follow-up audit, an IS auditor learns that management has deferred the implementation of a previously agreed-upon recommendation. What is the responsibility of the auditor?
Report the decision to defer the implementation to the steering committee
Obtain commitment from management to implement the recommendations
Amend the final report to reflect the decision to defer the implementation
0 Assess the impact of any risks the decision may pose to the organization
Which of the following would BEST prevent an arbitrary application of a patch?
Database access control
Network-based access controls
Established maintenance windows
[5] Change management
An IS auditor identifies a process deficiency involving multiple departments. None of the departments will accept ownership of the deficiency or the remediation efforts. What should the auditor do FIRST?
Facilitate a meeting with affected parties to discuss potential cooperative remediation efforts
Document the deficiency in the audit report and let management determine who is responsible
Report each party's portion of the deficiency and their respective remediation plans separately
Continue negotiations with both parties until ownership of the deficiency and remediation is determined
Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?
A list of critical information assets was not included in the information security policy
Senior management was not involved in the development of the information security policy
The information security policy has not been updated in the last two years
[3 The information security policy is not aligned with regulatory requirements
Which of the following is the BEST recommendation to drive accountability for achieving the desired outcomes specified in a benefits realization plan for an IT project?
Ensure that IT takes ownership for the delivery and tracking of all aspects of the benefits realization plan
Ensure that the project manager has formal authority for managing the benefits realization plan
Q Assign responsibilities, measures, and timelines for each identified benefit within the plan
Document the dependencies between the project and other projects within the same program
Which of the following should be the MOST important consideration when conducting a review of IT portfolio management?
0 Controls to minimize risk and maximize value for the IT portfolio
Assignment of responsibility for each project to an IT team member
Frequency of meetings where the business discusses the IT portfolio
Adherence to best practice and industry-approved methodologies
Which of the following is the BEST preventive control to protect the confidentiality of data on a corporate smartphone in the event it is lost?
Password for device authentication
0 Encryption of the data stored on the device
Biometric authentication for the device
Remote data wipe program
Which of the following is the BEST data integrity check?
Preparing and running test data
0 Tracing data back to the point of origin
C Performing a sequence check
Counting the transactions processed per day
The PRIMARY reason to assign data ownership for protection of data is to establish:
traceability.
O reliability.
0 accountability.
authority.
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
Consultation with security staff
Compliance with relevant regulations
Inclusion of mission and objectives
@ Alignment with an information security framework
Which of the following would be of GREATEST concern to an IS auditor when a multi-function printer device is sent offsite for maintenance?
Maintenance costs exceed the value of the device
3 The printouts need to be redirected to another department
3 Internal memory does not automatically
0 Business during the maintenance period
An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?
The SLA has not been reviewed in more than a year
The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP)
0 The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (DRP)
Backup data is hosted online only
Which of the following BEST enables an IS auditor to confirm the batch processing to post transactions from an input source is successful?
0 Error log review
0 Hash totals
O Total number of items
Aggregate monetary amount
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
Benchmark organizational performance against industry peers
Implement annual third-party audits
Require executive management to draft IT strategy
0 Implement key performance indicators (KPIs)
A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?
The survey was issued to employees a month after implementation
The survey form template did not allow additional feedback to be provided
r. The survey results were not presented in detail to management
0 The survey questions did not address the scope of the business case
An organization is modernizing its technology policy framework to demonstrate compliance with external industry standards. Which of the following would be MOST useful to an IS auditor for validating the outcome?
Benchmarking of internal standards against peer organizations
Inventory of the organization's approved policy exceptions
0 Mapping of relevant standards against the organization's controls
Policy recommendations from a leading external consulting agency
A computer forensic audit is MOST relevant in which of the following situations?
O Inadequate controls in the IT environment
0 Data loss due to hacking of servers
O Mismatches in transaction data
Missing server patches
RAID type 5 devices
3 Clustered architecture
A mirrored site at another location
A security review focused on data loss prevention (DLP) revealed the organization has no visibility to data stored in the cloud. What is the IS auditor's BEST recommendation to address this issue?
Implement a file system scanner to discover data stored in the cloud.
Enhance the firewall at the network perimeter.
0 Employ a cloud access security broker (CASB).
Utilize a DLP tool on desktops to monitor user activities.
Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to Agile-developed software?
0 Include a mandatory step to analyze the security impact when making changes
Mandate that the change analyses are documented in a standard format
Deploy changes in a controlled environment and observe for security defects
Assign the security risk analysis to a specially trained member of the project management office
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
Testing
0 Staging
Which of the following reliably associates users with their public keys and includes attributes that uniquely identify the users?
Encryption
Multi-factor authentication (MFA)
0 Digital certificate
Nonrepudiation
In order to be useful, a key performance indicator (KPI) MUST:
0 be changed frequently to reflect organizational strategy.
be approved by management.
0 have a target value.
be measurable in percentages.
Which of the following is an analytical review procedure for a payroll system?
Evaluating the performance of the payroll system using benchmarking software
O Testing hours reported on time sheets
Performing penetration attempts on the payroll system
0 Performing reasonableness tests by multiplying the number of employees by the average wage rate
An IT asset management review finds that routers and switches are not sanitized before disposal. What is the GREATEST concern with this situation?
Staff are not following the organization's sanitization policies and procedures
Sanitization is not part of the IT department's security awareness training program
0 Configuration files may be extracted from the devices and compromise a network's security
Confidential data files may be extracted from the devices and result in a privacy breach
Which of the following is the BEST disposal method for flash drives that previously stored confidential data?
E Destruction
O Overwriting
Cryptographic erasure
Degaussing
An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?
Single point of failure
Limited tolerance for damage
Degradation of services
£ Decreased mean time between failures (MTBF)
Which of the following provides the BEST evidence that all elements of a business continuity plan (BCP) are operating effectively?
Simulation test results
0 Full operational test results
O Walk-through test results
O Tabletop test results
An IS auditor learns that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's NEXT step should be to:
determine if sufficient access controls exist.
Q escalate to senior management.
assess the sensitivity of the production data.
shut down the web page.
A senior IS auditor suspects that a PC may have been used to perpetrate fraud in a finance department. The auditor should FIRST report this suspicion to:
the audit committee.
audit management.
0 the police.
auditee line management.
Which of the following practices is MOST helpful in eliminating potential bias during the vendor proposal review process?
The project sponsor is available to all vendors to explain proposal requirements
O Internal software development teams are not permitted to provide proposals to the project
O The services of an internal or external auditor are available when vendor proposals are reviewed
0 A procurement professional is the point of contact for all vendors responding with proposals
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
0 Conduct a data inventory and classification exercise
Create the DLP policies and templates
Identify approved data workflows across the enterprise
Conduct a threat analysis against sensitive data usage
Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
End users are not required to acknowledge security policy training
Security policy documents are available on a public domain website
0 Security policies are not applicable across all business units
O The security policy has not been reviewed within the past year
Which of the following is the MOST important outcome of the data classification process?
Enhanced data access logs
0 Identification of levels of protection
An access control matrix for data
A comprehensive inventory of data assets
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
Perform a pre-implementation audit
Document last-minute enhancements
0 Perform user acceptance testing (UAT)
Ensure that code has been reviewed
Which of the following should be the FIRST step in a data migration project?
O Creating data conversion scripts
0 Understanding the new system's data structure
Completing data cleanup in the current database to eliminate inconsistencies
Reviewing decisions on how business processes should be conducted in the new system
Which of the following provides the BEST method for maintaining the security of corporate applications pushed to employee-owned mobile devices?
0 Implementing mobile device management (MDM)
Disabling unnecessary network connectivity options
3 Requiring security awareness training for mobile users
Enabling remote data destruction capabilities
Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?
O IT risk register
IT incident log
0 Maturity model
Benchmarking studies
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
Control self-assessment (CSA)
Risk identification
0 Risk classification
Impact assessment
An organization is ready to implement a new IT solution consisting of multiple modules. The last module updates the processed data into the database. Which of the following findings should be of MOST concern to the IS auditor?
Use of weak encryption
0 Lack of input validation
Lack of a data dictionary
Absence of a formal change approval process
The waterfall life cycle model of software development is BEST suited for which of the following situations?
The project intends to apply an object-oriented design approach
The project is subject to time pressures
O The project will involve the use of new technology
0 The project requirements are well understood
During which process is regression testing MOST commonly used?
Program development
• System modification
3 Unit testing
O Stress testing
An IS auditor noted that management authorized the implementation of patches on IT infrastructure components without evaluation. The auditor's GREATEST concern should be that the patches were not evaluated for:
impact on operational costs.
alignment with the data reference model.
0 impact on the current IT environment.
compliance with release management.
An IS auditor is reviewing a project that involves creating a secure mobile app for claims processing. As part of a secure development model for the program, threat modeling should begin during which project phase?
0 Architectural review
Requirements definition
O Testing
Coding
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization's data center?
Employees working in the data center have not been trained in the use of fire extinguishers
O The data center has a wet-pipe sprinkler system
Employees working in the data center are not trained on emergency evacuation procedures
0 The data center is in a high flood zone
Which of the following fire suppression methods is MOST effective for use in a data center?
O Dry chemical compounds
0 Inert gases
Wet-pipe water sprinkler system
Dry-pipe water sprinkler system
When building or upgrading enterprise cryptographic infrastructure, which of the following is the MOST critical requirement for growing business environments?
Network throttling
0 Scalable architectures and systems
Service discovery
Backup and restoration capabilities
Which of the following is MOST important to consider when selecting an automated fire suppression system for an unmanned data center?
Potential damage to equipment
Maintenance costs
Onsite support by the vendor
0 Likelihood of fires at the data center
What should be the PRIMARY focus during a review of a business process improvement project?
Business project plan
0 Business impact
O Continuous monitoring plans
The cost of new controls
A firewall has been installed on the company's web server. Which concern does the firewall address?
O Availability of the information
Connectivity to the Internet
0 Unauthorized modification of information by internal users
Accessing information by the outside world
An organization is permanently transitioning from onsite to fully remote business operations. When should the existing business impact analysis (BIA) be reviewed?
During the next scheduled review
As soon as the new operating model is in place
[3 As soon as the decision about the transition is announced
At least one year after the transition
An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?
Detective
O Compensating
0 Preventive
O Directive
Data from a system of sensors located outside of a network is received by the open ports on a server. Which of the following is the BEST way to ensure the integrity of the data being collected from the sensor system?
Route the traffic from the sensor system through a proxy server
Transmit the sensor data via a virtual private network (VPN) to the server
Implement network address translation on the sensor system
13 Hash the data that is transmitted from the sensor system
An IS auditor observes an undocumented open port within the corporate firewall that is in conflict with the baseline firewall configuration. Which of the following is the BEST recommendation to prevent recurrence?
0 Follow change management
Initiate incident response
Perform a risk assessment
Deploy updated patches
Which of the following practices associated with capacity planning provides the GREATEST assurance that future incidents related to existing server performance will be prevented?
Duplicating existing disk drive systems to improve redundancy and data storage
£] Performing a root cause analysis for past performance incidents
Reviewing results from simulated high-demand stress test scenarios
Anticipating current service level agreements (SLAs) will remain unchanged
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
Message encryption
0 Message digest
Certificate authority (CA)
Steganography
Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?
A communication plan exists for informing parties impacted by the risk
Identified risk is reported into the organization's risk committee
• Established criteria exist for accepting and approving risk
Potential impact and likelihood are adequately documented
The remediation process related to a high-risk audit finding involves a multi-step action plan by management and may not be completed by the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on the activities?
0 Review the progress of remediation on a regular basis
Schedule a review of the controls after the projected remediation date
Continue to audit the failed controls according to the audit schedule
0 Perform more substantive testing until the remediation plan is implemented
Which of the following is MOST important for an IS auditor to verify when conducting a review of a potential third-party service provider?
0 Whether required security controls have been established
Whether a strategy for the use of third-party providers is established
Whether service level agreements (SLAs) are in place
Whether a business impact analysis (BIA) has been completed
Who is accountable for an organization's enterprise risk management (ERM) program?
Executive management
0 Chief risk officer (CRO)
Steering committee
0 Board of directors
Which of the following is the BEST way to prevent social engineering incidents?
Include security responsibilities in job descriptions and require signed acknowledgment
0 Maintain an onboarding and annual security awareness program
Enforce strict email security gateway controls
Ensure user workstations are running the most recent version of antivirus software
Capacity management tools are PRIMARILY used to ensure that:
concurrent use by a large number of users is enabled.
available resources are used efficiently and effectively.
proposed hardware acquisitions meet capacity requirements.
C computer systems are used to their maximum capacity most of the time.
Which of the following is an effective way to ensure the integrity of file transfers in a peer-to-peer (P2P) computing environment?
Ensure the files are transferred through an intrusion detection system (IDS).
0 Associate a message authentication code with each file transferred.
O Connect the client computers in the environment to a jump server.
f. Encrypt the packets shared between peers within the environment.