
CISA Dump - Updated


Isaca

CISA

Certified Information
Systems Auditor

Version: 33.0

Web: www.dumpscollection.com [ Total Questions: 577]

Email: support@dumpscollection.com
IMPORTANT NOTICE
Feedback
We have developed a quality product and state-of-the-art service to ensure our customers' interests. If you have any
suggestions, please feel free to contact us at feedback@dumpscollection.com

Support
If you have any questions about our product, please provide the following items:

exam code
screenshot of the question
login id/email

Please contact us at support@dumpscollection.com and our technical experts will provide support within 24 hours.

Copyright
The product of each order has its own encryption code, so you should use it independently. Any unauthorized
changes will result in legal punishment. We reserve the right of final interpretation of this statement.
Dumps Q&A Isaca - CISA

Question #:1

An organization is within a jurisdiction where new regulations have recently been announced to restrict
cross-border data transfer of personally identifiable information (PII). Which of the following IT decisions will
MOST likely need to be assessed in this context?

A. Hiring IT consultants from overseas

B. Purchasing cyber insurance from an overseas insurance company

C. Applying encryption to databases hosting PII data

D. Hosting the payroll system at an external cloud service provider

Answer: D

Question #:2

Which of the following is the MOST effective way to identify anomalous transactions when performing a
payroll fraud audit?

A. Substantive testing of payroll files

B. Data analytics on payroll data

C. Observation of payment processing

D. Sample-based review of pay stubs

Answer: B

Question #:3

An organization decides to establish a formal incident response capability with clear roles and responsibilities
facilitating centralized reporting of security incidents. Which type of control is being implemented?

A. Corrective control

B. Compensating control

C. Preventive control

D. Detective control

Answer: A

Success Guaranteed, 100% Valid 1 of 180


Dumps Q&A Isaca - CISA

Question #:4

Which of the following strategies BEST optimizes data storage without compromising data retention
practices?

A. Moving emails to a virtual email vault after 30 days

B. Limiting the size of file attachments being sent via email

C. Automatically deleting emails older than one year

D. Allowing employees to store large emails on flash drives

Answer: B

Question #:5

What is the purpose of a hypervisor?

A. Monitoring the performance of virtual machines

B. Cloning virtual machines

C. Deploying settings to multiple machines simultaneously

D. Running the virtual machine environment

Answer: D

Question #:6

Which of the following is MOST influential when defining disaster recovery strategies?

A. Annual loss expectancy

B. Maximum tolerable downtime

C. Data classification scheme

D. Existing server redundancies

Answer: A

Question #:7

During a review of operations, it is noted that during a batch update, an error was detected and the database
initiated a roll-back. An IT operator stopped the roll-back and re-initiated the update. What should the operator
have done PRIOR to re-initiating the update?

A. Determined the cause of the error

B. Obtained approval before re-initiating the update

C. Allowed the roll-back to complete

D. Scheduled the roll-back for a later time

Answer: C

Question #:8

To protect information assets, which of the following should be done FIRST?

A. Encrypt data.

B. Restrict access to data.

C. Back up data.

D. Classify data.

Answer: D

Question #:9

Which of the following is found in an audit charter?

A. Audit objectives and scope

B. Required training for audit staff

C. The process of developing the annual audit plan

D. The authority given to the audit function

Answer: A

Question #:10

When aligning IT projects with organizational objectives, it is MOST important to ensure that the:

A. percentage of growth in project intake is reviewed.


B. overall success rate of projects is high.

C. business cases have been clearly defined for all projects.

D. project portfolio database is updated when new systems are acquired.

Answer: C

Question #:11

Which of the following Is the MOST effective way for an IS auditor to evaluate whether an organization is
well positioned to defend against an advanced persistent threat (APT)?

A. Verify that the organization has adequate levels of cyber insurance

B. Verify that the organization is using correlated data for security monitoring

C. Review the validity of external Internet Protocol (IP) addresses accessing the network

D. Assess the skill set within the security function

Answer: B

Question #:12

The use of symmetric key encryption controls to protect sensitive data transmitted over a communications
network requires that:

A. public keys be stored in encrypted form.

B. encryption keys at one end be changed on a regular basis

C. primary keys for encrypting the data be stored in encrypted form

D. encryption keys be changed only when a compromise is detected at both ends

Answer: C

Question #:13

During a systems development project, participation in which of the following activities would compromise
the IS auditor's independence?

A. Participating in weekly project management team presentations

B. Making design decisions related to automated controls

C. Recommending which reports are required to be converted

D. Reviewing process for each program specification

Answer: B

Question #:14

When reviewing an organization's data protection practices, an IS auditor should be MOST concerned with a
lack of:

A. a security team.

B. data classification.

C. training manuals.

D. data encryption.

Answer: B

Question #:15

Management has decided to include a compliance manager in the approval process for a new business that
may require changes to the IT infrastructure. Which of the following is the GREATEST benefit of this
approach?

A. Process accountabilities to external stakeholders are improved

B. Security breach incidents can be identified in early stages

C. Fewer views are needed when updating the IT compliance process

D. Regulatory risk exposures can be identified before they materialize

Answer: D

Question #:16

A data center's physical access log system captures each visitor's identification document numbers along with
the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor
conducting compliance testing for the effectiveness of the system?

A. Haphazard sampling

B. Attribute sampling

C. Variable sampling

D. Quota sampling

Answer: A

Question #:17

The FIRST course of action an investigator should take when a computer is being attacked is to:

A. copy the contents of the hard drive.

B. disconnect it from the network.

C. terminate all active processes

D. disconnect the power source.

Answer: C

Question #:18

Which of the following BEST indicates that an organization has effective governance in place?

A. The organization regularly updates governance-related policies and procedures

B. The organization's board of directors executes on the management strategy

C. The organization is compliant with local government regulations

D. The organization's board of directors reviews metrics for strategic initiatives

Answer: C

Question #:19

Which of the following should an IS auditor recommend to reduce the likelihood of potential intruders using
social engineering?

A. Prohibit the use of social networking platforms

B. Deploy a security awareness program

C. Perform simulated attacks

D. Implement an intrusion detection system (IDS)

Answer: B


Question #:20

Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?

A. To develop and integrate its applications

B. To install and manage operating systems

C. To establish a network and security architecture

D. To operate third-party hosted applications

Answer: A

Question #:21

An IT governance framework provides an organization with:

A. assurance that there are surplus IT investments

B. assurance that there will be IT cost reductions

C. a basis for directing and controlling IT.

D. organizational structures to enlarge the market share through IT

Answer: C

Question #:22

An organization is deciding whether to outsource its customer relationship management systems to a provider
located in another country. Which of the following should be the PRIMARY influence in the outsourcing
decision?

A. Time zone differences

B. The service provider's disaster recovery plan

C. Cross-border privacy laws

D. Current geopolitical conditions

Answer: C

Question #:23

Which of the following MOST effectively mitigates the risk of disclosure of sensitive data stored on
company-owned smartphones?

A. Secure containers

B. Data leakage prevention (DLP) tools

C. Mobile device management (MDM)

D. Physical device tagging

Answer: B

Question #:24

An IS auditor's independence with respect to the audit of an application system is MOST likely to be impaired
if the auditor:

A. designed an embedded audit module for the application

B. knows that the application contains the auditors personal transactions

C. reports to an individual responsible for the application

D. performed a development review of the application.

Answer: C

Question #:25

Which of the following would be the MOST effective method to identify high risk areas in the business to be
included in the audit plan?

A. Review external audit reports of the business.

B. Review industry reports to identify common risk areas

C. Validate current risk from poor internal audit findings.

D. Engage with management to understand the business.

Answer: D

Question #:26

An IS auditor evaluating a three-tier client/server architecture observes an issue with graphical user interface
(GUI) tasks. Which layer should the auditor recommend the client address?

A. Presentation layer

B. Application layer

C. Storage layer

D. Transport layer

Answer: A

Question #:27

Which of the following technologies has the SMALLEST maximum range for data transmission between
devices?

A. Near-field communication (NFC)

B. Long-term evolution (LTE)

C. Bluetooth

D. Wi-Fi

Answer: A

Question #:28

A third-party service provider is hosting a private cloud for an organization. Which of the following findings
during an audit of the provider poses the GREATEST risk to the organization?

A. 2% of backups had to be rescheduled due to backup media failures.

B. The organization’s virtual machines share the same hypervisor with virtual machines of other clients.

C. Two different hypervisor versions are used due to the compatibility restrictions of some virtual machines.

D. 5% of detected incidents exceeded the defined service level agreement (SLA) for escalation.

Answer: B

Question #:29

A large insurance company is about to replace a major financial application. Which of the following is the IS
auditor's PRIMARY focus when conducting the pre-implementation review?

A. Procedure updates


B. Migration of data

C. System manuals

D. Unit testing

Answer: B

Question #:30

Which of the following should be of MOST concern to an IS auditor during the review of a quality
management system?

A. The quality management system includes training records for IT personnel.

B. Indicators are not fully represented in the quality management system.

C. There are no records to document actions for minor business processes.

D. Important quality checklists are maintained outside the quality management system.

Answer: B

Question #:31

An organization has established hiring policies and procedures designed specifically to ensure network
administrators are well qualified. Which type of control is in place?

A. Detective

B. Directive

C. Corrective

D. Preventive

Answer: A

Question #:32

Which of the following is MOST important to ensure when planning a black box penetration test?

A. The test results will be documented and communicated to management.

B. Diagrams of the organization s network architecture are available.

C. The environment and penetration test scope have been determined.

D. The management of the client organization is aware of the testing.

Answer: C

Question #:33

Which of the following is the MOST effective way to reduce risk to an organization from widespread use of
unauthorized web-based communication technologies?

A. Incorporate web-based communications into the enterprise security architecture.

B. Block access from user devices to unauthorized sites that allow web-based communication.

C. Monitor unauthorized staff usage of web-based communication and notify the IT security department of
violations.

D. Publish an enterprise-wide policy outlining acceptable use of web-based communication technologies

Answer: D

Question #:34

An organization's IT security policy requires annual security awareness training for all employees. Which of
the following would provide the BEST evidence of the training's effectiveness?

A. Results of a social engineering test

B. Interviews with employees

C. Decreased calls to the incident response team

D. Surveys completed by randomly selected employees

Answer: A

Question #:35

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an
audit of a virtual server farm for potential software vulnerabilities?

A. A variety of guest operating systems operate on one virtual server.

B. The hypervisor is updated quarterly.

C. Antivirus software has been implemented on the guest operating system only.


D. Guest operating systems are updated monthly

Answer: C

Question #:36

The BEST way to validate whether a malicious act has actually occurred in an application is to review:

A. change management logs.

B. segregation of duties

C. activity logs

D. access controls

Answer: C

Question #:37

Which of the following is the PRIMARY purpose of quality assurance (QA) within an IS audit department?

A. To ensure conclusions are reliable and no false assurance is given

B. To regularly assess and improve audit methodology

C. To enforce audit policies and identify any deviations

D. To confirm audit practice is aligned with industry standards and benchmarks

Answer: B

Question #:38

An IS auditor's PRIMARY objective when examining problem reports should be to help ensure:

A. problems are resolved in a cost-effective manner.

B. every problem is classified appropriately.

C. problems are only escalated to senior management when necessary.

D. every problem is assigned to an individual for resolving.

Answer: B


Question #:39

Which of the following should be an IS auditor's PRIMARY consideration when evaluating the development
and design of a privacy program?

A. Information security and incident management practices

B. Industry practice and regulatory compliance guidance

C. Data governance and data classification procedures

D. Policies and procedures consistent with privacy guidelines

Answer: D

Question #:40

The decision to accept an IT control risk related to data quality should be the responsibility of the:

A. information security team.

B. chief information officer (CIO).

C. business owner.

D. IS audit manager.

Answer: C

Question #:41

Which of the following can help ensure that IT deliverables are linked to business goals and that appropriate
performance criteria are in place?

A. Business process reengineering (BPR)

B. Service level management

C. Quality assurance (QA) practices

D. Benchmarking

Answer: B

Question #:42


chain management processes Customer orders are not being fulfilled in a timely manner, and the inventory in
the warehouse does not match the quantity of goods in the sales orders. Which of the following is the auditor's
BEST recommendation?

A. Require the sales representative to verify inventory levels prior to finalizing sales orders.

B. Require the warehouse manager to send updated inventory levels on a periodic basis.

C. Revise the order fulfillment procedures in collaboration with the e-commerce team.

D. Implement an automated control to verify inventory levels prior to finalizing sales orders.

Answer: D

Question #:43

The MOST effective way to determine if IT is meeting business requirements is to establish:

A. a capability model.

B. industry benchmarks

C. key performance indicators (KPIs).

D. organizational goals.

Answer: C

Question #:44

When evaluating an IT organizational structure, which of the following is MOST important to ensure has been
documented?

A. Human resources (HR) policy on organizational changes

B. Provisions for cross-training

C. Succession and promotion plans

D. Job functions and duties

Answer: C

Question #:45

An organization has recently converted its infrastructure to a virtualized environment. The GREATEST
benefit related to disaster recovery is that virtualized servers:

A. eliminate the manpower necessary to restore the server.

B. decrease the recovery time objective (RTO).

C. reduce the time it takes to successfully create backups.

D. can be recreated on similar hardware faster than restoring from backups.

Answer: A

Question #:46

Which of the following would BEST enable an IS auditor to perform an audit that requires testing the full
population of data?

A. Expertise in statistical sampling of data

B. Proficiency in the use of data analytics tools

C. Experience in database administration

D. Proficiency in programming and coding

Answer: B

Question #:47

When using a wireless device, which of the following BEST ensures confidential access to email via web
mail?

A. Wired equivalent privacy (WEP)

B. Hypertext transfer protocol secure (HTTPS)

C. Simple object access protocol (SOAP)

D. Extensible markup language (XML)

Answer: A

Question #:48

Which of the following is the BEST source of information for an IS auditor when planning an audit of a
business application's controls?


A. Process flow diagrams

B. User documentation

C. Access control lists

D. Change control procedures

Answer: A

Question #:49

To ensure efficient and economic use of limited resources in supporting a local area network (LAN)
infrastructure, it is advisable to:

A. periodically rotate vendors to obtain the best price-to-performance ratio

B. standardize on a limited number of device models and software applications.

C. quickly upgrade to the latest hardware and software versions to take advantage of new features

D. recommend a variety of products so that user effectiveness and flexibility can be maximized.

Answer: B

Question #:50

Which of the following should be done FIRST when planning a penetration test?

A. Execute nondisclosure agreements (NDAs).

B. Define the testing scope.

C. Determine reporting requirements for vulnerabilities

D. Obtain management consent for the testing

Answer: D

Question #:51

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce
the risk of data leakage?

A. Ensure that paper documents are disposed of securely.

B. Implement an intrusion detection system (IDS).

C. Verify that application logs capture any changes made.

D. Validate that all data files contain digital watermarks

Answer: D

Question #:52

Which of the following observations should be of GREATEST concern to an IS auditor reviewing a large
organization's virtualization environment?

A. An unused printer has been left connected to the host system.

B. Guest tools have been installed without sufficient access control.

C. A rootkit was found on the host operating system

D. Host inspection capabilities have been disabled

Answer: B

Question #:53

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient
manner. Which of the following is the auditor's BEST recommendation?

A. Upgrade hardware to newer technology.

B. Increase the capacity of existing systems.

C. Build a virtual environment

D. Hire temporary contract workers for the IT function.

Answer: C

Question #:54

When deploying an application that was created using the programming language and tools supported by the
cloud provider, the MOST appropriate cloud computing model for an organization to adopt is:

A. Platform as a Service (PaaS).

B. Software as a Service (SaaS).

C. Infrastructure as a Service (IaaS).

D. Identity as a Service (IDaaS).

Answer: A

Question #:55

Which of the following should be the PRIMARY consideration for IT management when selecting a new
information security tool that monitors suspicious file access patterns?

A. Integration with existing architecture

B. Ease of support and troubleshooting

C. Data correlation and visualization capabilities

D. Ability to contribute to key performance indicator data

Answer: A

Question #:56

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure
(PKI) for enterprise email?

A. The certificate revocation list has not been updated.

B. The private key certificate has not been updated.

C. The PKI policy has not been updated within the last year.

D. The certificate practice statement has not been published.

Answer: A

Question #:57

Which of the following should be included in a business impact analysis (BIA)?

A. identification of IT resources that support key business processes

B. Recovery strategy for significant business interruptions

C. Support documentation for the recovery alternative

D. Roles and responsibilities for the business continuity process

Answer: A


Question #:58

Which of the following should be included in emergency change control procedures?

A. Use an emergency ID to move production programs into development.

B. Request that the help desk make the changes.

C. Update production source libraries to reflect changes.

D. Obtain user management approval before implementing the changes.

Answer: D

Question #:59

Which of the following is the BEST way for an IS auditor to ensure the completeness of data collected for
advanced analytics during an audit?

A. Perform additional quality control steps after selecting the samples

B. Review the query or parameters used to download the data before selecting samples

C. Obtain access to the quality assurance (QA) system to independently download the information

D. Request the data owner to verify and approve the information

Answer: B

Question #:60

Which of the following would an IS auditor PRIMARILY review to understand key drivers of a project?

A. Earned value analysis (EVA)

B. Project risk matrix

C. IT strategy and objectives

D. Business case

Answer: D

Question #:61

What is the BEST population to select from when testing that programs are migrated to production with proper
approval?

A. List of changes provided by application programming managers

B. Change advisory board meeting minutes

C. Completed change request forms

D. List of production programs

Answer: D

Question #:62

Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?

A. Data security requirements are not considered.

B. The business units want IT to be responsible for maintenance costs

C. Corporate procurement standards are not followed

D. System inventory becomes inaccurate.

Answer: D

Question #:63

During the post-implementation review of an application that was implemented six months ago which of the
following would be MOST helpful in determining whether the application meets business requirements?

A. Project closure report and lessons-learned documents from the project management office (PMO)

B. User acceptance testing (UAT) results and sign-off from users on meeting business requirements

C. Comparison between expected benefits from the business case and actual benefits after implementation

D. Difference between approved budget and actual project expenditures determined post implementation

Answer: C

Question #:64

The MOST important function of a business continuity plan (BCP) is to:

A. provide procedures for evaluating tests of the BCP

B. provide a schedule of events that has to occur if there is a disaster

C. ensure that the critical business functions can be recovered

D. ensure that all business functions are restored

Answer: C

Question #:65

A bank recently experienced fraud where unauthorized payments were inserted into the payments transaction
process. An IS auditor has reviewed the application systems and databases along the processing chain but has
not identified the entry point of the fraudulent transactions. Where should the auditor look NEXT?

A. Operating system patch levels

B. Interfaces between systems

C. Change management repository

D. System backup and archiving

Answer: D

Question #:66

When engaging services from external auditors, which of the following should be established FIRST?

A. Termination conditions agreements

B. Nondisclosure agreements

C. Service level agreements

D. Operational level agreements

Answer: B

Question #:67

An IS auditor has completed an audit of an organization's accounts payable system. Which of the following
should be rated as the HIGHEST risk in the audit report and requires immediate remediation?

A. Lack of segregation of duty controls for removal of vendor records

B. Lack of segregation of duty controls for reconciliation of payment transactions

C. Lack of segregation of duty controls for reversing payment transactions

D. Lack of segregation of duty controls for updating the vendor master file

Answer: D


Question #:68

Which of the following is the MOST important operational aspect for an IS auditor to consider when assessing
an assembly line with quality control sensors accessible via wireless techno

A. Known vulnerabilities

B. Resource utilization

C. Device security

D. Device updates

Answer: C

Question #:69

When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:

A. determine EUC materiality and complexity thresholds.

B. evaluate EUC threats and vulnerabilities.

C. obtain an inventory of EUC applications.

D. evaluate the organization's EUC policy.

Answer: D

Question #:70

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be
the auditor's NEXT course of action?

A. Report the security posture of the organization.

B. Report the mitigating control

C. Determine the value of the firewall.

D. Determine the risk of not replacing the firewall

Answer: D

Question #:71

Which of the following BEST enables alignment of IT with business objectives?

A. Completing an IT risk assessment

B. Leveraging an IT governance framework

C. Developing key performance indicators (KPIs)

D. Benchmarking against peer organizations

Answer: C

Question #:72

Which of the following BEST guards against the risk of attack by hackers?

A. Tunneling

B. Message validation

C. Encryption

D. Firewalls

Answer: C

Question #:73

Which of the following BEST enables an IS auditor to detect incorrect exchange rates applied to outward
remittance transactions at a financial institution?

A. Developing computer-assisted audit techniques (CAATs) during transaction audits

B. Performing sampling tests on transactions processed at the end of each day

C. Running continuous auditing scripts at the end of each day

D. Using supervised machine learning techniques to develop a regression model to predict incorrect input

Answer: A

Question #:74


The CIO of an organization is concerned that the information security policies may not be comprehensive.
Which of the following should an IS auditor recommend be performed FIRST?

A. Determine if there is a process to handle exceptions to the policies


B. Establish a governance board to track compliance with the policies

C. Obtain a copy of their competitor's policies

D. Compare the policies against an industry framework.

Answer: D

Question #:75

Which of the following is necessary for effective risk management in IT governance?

A. Risk management strategy is approved by the audit committee

B. Risk evaluation is embedded in management processes.

C. Local managers are solely responsible for risk evaluation

D. IT risk management is separate from corporate risk management

Answer: B

Question #:76

Which of the following is the BEST way to detect system security breaches?

A. Conducting frequent vulnerability scans

B. Conducting continuous monitoring with an automated system security tool

C. Ensuring maximum interoperability among systems throughout the organization

D. Performing intrusion tests on a regular basis

Answer: B

Question #:77

Tunneling provides additional security for connecting one host to another through the Internet by:

A. providing end-to-end encryption.

B. facilitating the exchange of public key infrastructure (PKI) certificates

C. preventing password cracking and replay attacks


D. enabling the use of stronger encryption keys

Answer: C

Question #:78

An organization has outsourced its data leakage monitoring to an Internet service provider (ISP). Which of the
following is the BEST way for an IS auditor to determine the effectiveness of this service?

A. Review the data leakage clause in the SLA.

B. Verify the ISP has staff to deal with data leakage.

C. Simulate a data leakage incident.

D. Review the ISP's external audit report

Answer: C

Question #:79

Which type of control is in place when an organization requires new employees to complete training on
applicable privacy and data protection regulations?

A. Preventive control

B. Directive control

C. Detective control

D. Corrective control

Answer: B

Question #:80

Which of the following should be of GREATEST concern to an IS auditor conducting a security review of a
point-of-sale (POS) system?

A. POS systems are not integrated with accounting applications for data transfer

B. Management of POS systems is outsourced to a vendor based in another country.

C. An optical scanner is not used to read bar codes for generating sales invoices

D. Credit card verification value (CVV) information is stored on local POS systems

Answer: D


Question #:81

Which of the following provides an IS auditor the MOST assurance that an organization is compliant with
legal and regulatory requirements?

A. Senior management has provided attestation of legal and regulatory compliance

B. Controls associated with legal and regulatory requirements have been identified and tested

C. There is no history of complaints or fines from regulators regarding noncompliance

D. The IT manager is responsible for the organization's compliance with legal and regulatory requirements.

Answer: B

Question #:82

Which of the following network management tools should an IS auditor use to review the type of packets
flowing along a monitored link?

A. Response time reports

B. Network monitors

C. Protocol analyzers

D. Online monitors

Answer: B

Question #:83

In a situation where the recovery point objective (RPO) is 0 for an online transaction processing system, which
of the following is MOST important for an IS auditor to verify?

A. The application has a clustered architecture to ensure high availability

B. Synchronous data mirroring is implemented between the data centers

C. IT is able to recover system functionality in the shortest possible time frame

D. Daily backups are created and backup media are verified

Answer: B

Question #:84

Which of the following should be done FIRST to effectively define the IT audit universe for an entity with
multiple business lines?

A. Identify aggregate residual IT risk for each business line.

B. Obtain a complete listing of the entity's IT processes

C. Obtain a complete listing of assets fundamental to the entity's businesses.

D. Identify key control objectives for each business line's core processes

Answer: C

Question #:85

Which of the following observations should be of GREATEST concern to an IS auditor reviewing a hosted
virtualized environment where each guest operating system (OS) is r

A. There are file shares between the host OS and the guest OS

B. Access to virtualization utilities and tools in the host is not restricted

C. The test environment of the applications is in a separate guest OS

D. All virtual machines are launching an application backup job at the same time

Answer: B

Question #:86

Which of the following BEST demonstrates the degree of alignment between IT and business strategy?

A. Number of IT projects driven by business requirements

B. Percentage of users aware of information security policies

C. Number of IT policies that refer directly to business goals

D. Percentage of IT value drivers mapped to business value drivers

Answer: D

Question #:87

Which of the following is an example of a preventative control in an accounts payable system?

A. The system produces daily payment summary reports that staff use to compare against invoice totals.

B. Policies and procedures are clearly communicated to all members of the accounts payable department.

C. The system only allows payments to vendors who are included in the system's master vendor list.

D. Backups of the system and its data are performed on a nightly basis and tested periodically.

Answer: C

Question #:88

An IT organization's incident response plan is which type of control?

A. Detective

B. Directive

C. Preventive

D. Corrective

Answer: D

Question #:89

Which of the following is the BEST indication of the completeness of interface control documents used for the
development of a new application?

A. All documents have been reviewed by end users.

B. All inputs and outputs for potential actions are included.

C. Both successful and failed interface data transfers are recorded.

D. Failed interface data transfers prevent subsequent processes.

Answer: B

Question #:90

Which of the following MUST be completed before selecting and deploying a biometric system that uses
facial recognition software?

A. Privacy impact analysis

B. Vulnerability assessment

C. Image interference review

D. False acceptance testing

Answer: D

Question #:91

While conducting a system architecture review, an IS auditor learns of multiple complaints from field agents
about the latency of a mobile thin client designed to provide information during site inspections Which of the
following is the BEST way to address this situation?

A. Upgrade the processors in the field agents' mobile devices

B. Deploy a middleware application to improve messaging between application components.

C. Switch to a thick-client architecture that does not require a persistent network connection.

D. Upgrade the thin-client software to provide more informative error messages during application loading

Answer: B

Question #:92

Which of the following should be the FIRST step in an organization's forensics process to preserve evidence?

A. Create the forensics analysis reporting template

B. Determine which forensic tools to use

C. Perform analytics on digital evidence obtained using forensic methods

D. Duplicate digital evidence and validate it using a hash function

Answer: D

Question #:93

Which of the following would be of GREATEST concern to an IS auditor evaluating governance over open
source development components?

A. The software is not analyzed for compliance with organizational requirements

B. The open source development components do not meet industry best practices

C. Existing open source policies have not been approved in over a year

D. The development project has gone over budget and time

Answer: A

Question #:94

A month after a company purchased and implemented system and performance monitoring software, reports
were too large and therefore were not reviewed or acted upon. The MOST effective plan of action would be to:

A. evaluate replacement systems and performance monitoring software

B. re-install the system and performance monitoring software

C. restrict functionality of system monitoring software to security-related events

D. use analytical tools to produce exception reports from the system and performance monitoring software

Answer: C

Question #:95

Which of the following is the GREATEST advantage of application penetration testing over vulnerability
scanning?

A. Penetration testing can be conducted in a relatively short time period.

B. Penetration testing creates relatively smaller risks to application availability and integrity

C. Penetration testing provides a more accurate picture of gaps in application controls

D. Penetration testing does not require a special skill set to be executed.

Answer: C

Question #:96

To BEST evaluate the effectiveness of a disaster recovery plan, the IS auditor should review the:

A. test plan and results of past tests.

B. plans and procedures in the business continuity plan

C. capacity of backup facilities.

D. hardware and software inventory.

Answer: A

Question #:97

The GREATEST benefit of using a prototyping approach in software development is that it helps to:

A. minimize scope changes to the system

B. conceptualize and clarify requirements

C. decrease the time allocated for user testing and review

D. improve efficiency of quality assurance (QA) testing.

Answer: B

Question #:98

An organization has agreed to perform remediation related to high-risk audit findings. The remediation process
involves a complex reorganization of user roles as well as the implementation of several compensating
controls that may not be completed within the next audit cycle. Which of the following is the BEST way for an
IS auditor to follow up on their activities?

A. Provide management with a remediation timeline and verify adherence

B. Schedule a review of the controls after the projected remediation date

C. Review the progress of remediation on a regular basis

D. Continue to audit the failed controls according to the audit schedule

Answer: A

Question #:99

An IS auditor has been asked to assess the security of a recently migrated database system that contains
personal and financial data for a bank's customers. Which of the following controls is MOST important for the
auditor to confirm is in place?

A. The default configurations have been changed.

B. The default administration account is used after changing the account password.

C. The service port used by the database server has been changed.

D. All tables in the database are normalized.

Answer: A

Question #:100

Which of the following is the MOST important factor when an organization is developing information security
policies and procedures?

A. Compliance with relevant regulations

B. Consultation with security staff

C. Alignment with an information security framework

D. Inclusion of mission and objectives

Answer: A

Question #:101

An IS auditor has assessed a payroll service provider’s security policy and finds significant topics are missing.
Which of the following is the auditor’s BEST course of action?

A. Recommend the service provider update their policy

B. Report the risk to internal management

C. Notify the service provider of the discrepancies.

D. Recommend replacement of the service provider

Answer: B

Question #:102

Which of the following is MOST important for the successful establishment of a security vulnerability
management program?

A. A comprehensive asset inventory

B. A tested incident response plan

C. An approved patching policy

D. A robust tabletop exercise plan

Answer: C

Question #:103

Which of the following is the PRIMARY purpose of conducting follow-up audits for material observations?

A. To assess evidence for management reporting

B. To validate the correctness of reported findings

C. To validate remediation efforts

D. To assess the risk of the audit environment

Answer: C

Question #:104

Which of the following is a preventive control related to change management?

A. Implementation of managed change approval processes

B. Log review of managed changes

C. Debugging of implemented changes

D. Audit of implemented changes for the period under review

Answer: A

Question #:105

The PRIMARY benefit of using secure shell (SSH) to access a server on a network is that it:

A. provides confidentiality of transmitted data

B. prevents man-in-the-middle attacks

C. provides better session reliability

D. facilitates communication across platforms.

Answer: A

Question #:106

An organization's audit charter PRIMARILY:

A. formally records the annual and quarterly audit plans

B. documents the audit process and reporting standards

C. describes the auditors' authority to conduct audits

D. defines the auditors' code of conduct

Answer: C

Question #:107

In the risk assessment process, which of the following should be identified FIRST?

A. Impact

B. Threats

C. Assets

D. Vulnerabilities

Answer: C

Question #:108

An IS auditor finds that a document related to a client has been leaked. Which of the following should be the
auditor's NEXT step?

A. Report data leakage finding to regulatory authorities

B. Determine the classification of data leaked

C. Report data leakage finding to senior management

D. Notify appropriate law enforcement.

Answer: B

Question #:109

An IS auditor is using data analytics in an audit and has obtained the data to be used for testing. Which of the
following is the MOST important task before testing begins?

A. Verify data analytics test scripts

B. Select the analytical sampling model

C. Document the method used to obtain the data

D. Verify the completeness and accuracy of the data

Answer: C

Question #:110

What is the MOST important business concern when an organization is about to migrate a mission-critical
application to a virtual environment?

A. Adequacy of the fallback procedures

B. Adequacy of the virtual architecture

C. The organization's experience with virtual applications

D. Confidentiality of network traffic

Answer: B

Question #:111

Regression testing should be used during a system development project to ensure that:

A. system testing will address high-probability errors.

B. the test plan is based on an analysis of the impact of past testing

C. the results of testing are statistically valid

D. errors have not been introduced to the system during modification

Answer: D

Question #:112

The PRIMARY focus of audit follow-up reports should be to:

A. assess if new risks have developed.

B. determine if audit recommendations have been implemented.

C. verify the completion date of the implementation.

D. determine if past findings are still relevant.

Answer: B

Question #:113

Which of the following control testing approaches is BEST used to evaluate a control's ongoing effectiveness
by comparing processing results to independently calculated data?

A. Embedded audit modules

B. Sample-based re-performance

C. Integrated test facility (ITF)

D. Statistical sampling

Answer: C

Question #:114

A database audit reveals an issue with the way data ownership for client data is defined. Which of the
following roles should be accountable for this finding?

A. Business management

B. Database administrator

C. Information security management

D. Privacy manager

Answer: A

Question #:115

A 5-year audit plan provides for general audits every year and application audits on alternating years. To
achieve higher efficiency, the IS audit manager would MOST likely:

A. Alternate between control self-assessment (CSA) and general audits every year.

B. Have control self-assessments (CSAs) and formal audits of applications on alternating years

C. Implement risk assessment criteria to determine audit priorities

D. Proceed with the plan and integrate all new applications

Answer: C

Question #:116

Which of the following would provide the BEST evidence for use in a forensic investigation of an employee's
hard drive?

A. Prior backups

B. Bit-stream copy of the hard drive

C. A file level copy of the hard drive

D. Memory dump to an external hard drive

Answer: B

Question #:117

Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

A. Number of false negatives

B. Legitimate traffic blocked by the system

C. Number of false positives

D. Reliability of IDS logs

Answer: C

Question #:118

An organization plans to launch a social media presence as part of a new customer service campaign. Which of
the following is the MOST significant risk from the perspective of potential litigation?

A. Approved employees can use personal devices to post on the company's behalf

B. There is a lack of clear procedures for responding to customers on social media outlets

C. Access to corporate-sponsored social media accounts requires only single-factor authentication.

D. The policy stating what employees can post on the organization's behalf is unclear.

Answer: D

Question #:119

An IS auditor attempts to sample for variables in a population of items with wide differences in values but
determines that an unreasonably large number of sample items must be selected to produce the desired
confidence level. In this situation, which of the following is the BEST audit decision?

A. Allow more time and test the required sample

B. Select a judgmental sample

C. Select a stratified sample

D. Lower the desired confidence level

Answer: C

Question #:120

Which of the following should be the FIRST step when drafting an incident response plan for a new
cyber-attack scenario?

A. Create a new incident response team.

B. Identify relevant stakeholders.

C. Schedule response testing.

D. Create a reporting template.

Answer: B

Question #:121

Which of the following control checks would utilize data analytics?

A. Evaluating configuration settings for the credit card application system

B. Reviewing credit card applications submitted in the past month for blank data fields

C. Attempting to submit credit card applications with blank data fields

D. Reviewing the business requirements document for the credit card application system

Answer: B

Question #:122

Which of the following is the BEST way to achieve high availability and fault tolerance for an e-business
system?

A. Secure offsite backup storage

B. Storage area network

C. Robust systems architecture

D. Network diversity

Answer: C

Question #:123

Which of the following is a detective control that can be used to uncover unauthorized access to information
systems?

A. Requiring long and complex passwords for system access

B. Implementing a security information and event management (SIEM) system

C. Requiring internal audit to perform periodic reviews of system access logs

D. Protecting access to the data center with multifactor authentication

Answer: B

Question #:124

Which of the following is the BEST justification for deferring remediation testing until the next audit?

A. The auditor who conducted the audit

B. Management's planned actions are sufficient given the relative importance of the observations

C. The audit environment has changed significantly

D. Auditee management has accepted all observations reported by the auditor.

Answer: D

Question #:125

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following
controls is I to assess in the audit?

A. Segregation of duties between receiving invoices and setting authorization limits

B. Management review and approval of purchase orders

C. Segregation of duties between issuing purchase orders and making payments

D. Management review and approval of authorization tiers

Answer: C

Question #:126

Which of the following is the MOST important step in the development of an effective IT governance action
plan?

A. Setting up an IT governance framework for the process

B. Conducting a business impact analysis (BIA)

C. Measuring IT governance key performance indicators (KPIs)

D. Preparing a statement of sensitivity

Answer: A

Question #:127

Within the context of an IT-related governance framework, which type of organization would be considered
MOST mature?

A. An organization in which processes are repeatable and results periodically reviewed

B. An organization in a state of dynamic growth with continuously updated policies and procedures

C. An organization with established sets of documented standard processes

D. An organization with processes systematically managed by continuous improvement

Answer: D

Question #:128

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively
in the event of a major disaster?

A. Regularly update business impact assessments

B. Prepare detailed plans for each business function.

C. Involve staff at all levels in periodic paper walk-through exercises

D. Make senior managers responsible for their plan sections.

Answer: C

Question #:129

Which of the following is a directive control?

A. Establishing an information security operations team

B. Updating data loss prevention software

C. Implementing an information security policy

D. Configuring data encryption software

Answer: C

Question #:130

An IS auditor noted that a change to a critical calculation was placed into the production environment without
being tested. Which of the following is the BEST way to obtain assurance that the calculation functions
correctly?

A. Check regular execution of the calculation batch job.

B. Obtain post-change approval from management.

C. Perform substantive testing using computer-assisted audit techniques (CAATs).

D. Interview the lead system developer.

Answer: A

Question #:131

Which of the following is the MAIN risk associated with adding a new system functionality during the
development phase without following a project change management process?

A. The new functionality may not meet requirements

B. The added functionality has not been documented

C. The project may go over budget.

D. The project may fail to meet the established deadline

Answer: B

Question #:132

Due to a global pandemic, a health organization has instructed its employees to work from home as much as
possible. The employees communicate using instant messaging. Which of the following is the GREATEST risk
in this situation?

A. Home office setups may not be compliant with workplace health and safety requirements.

B. Employee productivity may decrease when working from home.

C. The capacity of servers may not allow all users to connect simultaneously

D. Employees may exchange patient information through less secure methods.

Answer: D

Question #:133

While reviewing similar issues in an organization's help desk system, an IS auditor finds that they were
analyzed independently and resolved differently. This situation MOST likely indicates a deficiency in:

A. problem management

B. IT service level management

C. change management

D. configuration management

Answer: D

Question #:134

Which of the following practices BEST ensures that archived electronic information of permanent importance
is accessible over time?

A. Acquire applications that emulate old software.

B. Periodically test the integrity of the information.

C. Regularly migrate data to current technology.

D. Periodically back up the archived data.

Answer: C

Question #:135

Capacity management enables organizations to:

A. establish the capacity of network communication links.

B. forecast technology trends.

C. determine business transaction volumes.

D. identify the extent to which components need to be upgraded.

Answer: C

Question #:136

When evaluating the management practices at a third-party organization providing outsourced services, the IS
auditor considers relying on an independent auditor's report. The IS auditor.....

A. determine if recommendations have been implemented

B. review the objectives of the audit

C. examine the independent auditor's workpapers.

D. discuss the report with the independent auditor

Answer: C

Question #:137

An IS auditor is conducting a pre-implementation review to determine a new system's production readiness.
The auditor's PRIMARY concern should be whether:

A. benefits realization has been evidenced

B. there are unresolved high-risk items

C. the project adhered to the budget and target date.

D. users were involved in the quality assurance (QA) testing.

Answer: B

Question #:138

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit.
This evidence indicates that a procedural control may have failed and could contradict a conclusion of the
audit. Which of the following risks is MOST affected by the oversight?

A. Operational

B. Audit

C. Inherent

D. Financial

Answer: C

Question #:139

Upon completion of audit work, an IS auditor should:

A. provide a report to senior management prior to discussion with the auditee.

B. distribute a summary of general findings to the members of the auditing team.

C. provide a report to the auditee stating the initial findings.

D. review the working papers with the auditee.

Answer: B

Question #:140

Which of the following is an IS auditor's BEST recommendation to help an organization increase the
efficiency of computing resources?

A. Overclocking the central processing unit (CPU)

B. Virtualization

C. Real-time backups

D. Hardware upgrades

Answer: D

Question #:141

A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed
after the auditee said they corrected the problem. Which of the following is the senior auditor's MOST
appropriate course of action?

A. Have the finding reinstated

B. Ask the auditee to retest

C. Refer the issue to the audit director

D. Approve the work papers as written

Answer: B

Question #:142

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to
evaluate the:

A. future compatibility of the design.

B. controls incorporated into the system specifications.

C. proposed functionality of the application.

D. development methodology employed.

Answer: B

Question #:143

What is the BEST control to address SQL injection vulnerabilities?

A. Input validation

B. Unicode translation

C. Secure Sockets Layer (SSL) encryption

D. Digital signatures

Answer: C

Question #:144

Which of the following should be the PRIMARY concern of an IS auditor during a review of an external IT
service level agreement (SLA) for computer operations?

A. Changes in services are not tracked

B. Vendor has exclusive control of IT resources

C. Lack of software escrow provisions

D. No employee succession plan

Answer: A

Question #:145

When reviewing a contract for a disaster recovery hot site, which of the following would be the MOST
significant omission?

A. Equipment provided

B. Testing procedures

C. Audit rights

D. Exposure coverage

Answer: C

Question #:146

An IS audit manager finds that data manipulation logic developed by the audit analytics team leads to incorrect
conclusions. This inaccurate logic is MOST likely an indication of which of the following?

A. Poor change controls over data sets collected from the business

B. The team's poor understanding of the business process being analyzed

C. Poor security controls that grant inappropriate access to analysis produced

D. Incompatibility between data volume and analytics processing capacity

Answer: B

Question #:147

When evaluating database management practices, which of the following controls would MOST effectively
support data integrity?

A. User access controls

B. System edit checks

C. System-generated duplicate transaction reports

D. System processing output balanced to control totals

Answer: B

Question #:148

An internal IS auditor recommends that incoming accounts payable payment files be encrypted. Which type of
control is the auditor recommending?

A. Directive

B. Detective

C. Preventive

D. Corrective

Answer: C

Question #:149

Which of the following would be a result of utilizing a top-down maturity model process?

A. Identification of older, more established processes to ensure timely review

B. Identification of processes with the most improvement opportunities

C. A means of comparing the effectiveness of other processes within the enterprise

D. A means of benchmarking the effectiveness of similar processes with peers

Answer: B

Question #:150

Which of the following should be the PRIMARY objective of a migration audit?

A. Data integrity

B. Business continuity

C. System performance

D. Control adequacy

Answer: A

Question #:151

Which of the following represents a potential single point of failure in the virtualized environment that could
result in a compromise with greater scope and impact?

A. Underlying hardware on the guest operating system

B. Dual operating system

C. The host operating system

D. Applications installed on the guest operating system

Answer: C

Question #:152

After an employee termination, a network account was removed, but the application account remained active.
To keep this issue from recurring, which of the following is the BEST recommendation?

A. Leverage shared accounts for the application.

B. Perform periodic access reviews.

C. Retrain system administration staff.

D. Integrate application accounts with network single sign-on.

Answer: D

Question #:153

Which of the following is the MOST significant risk associated with peer-to-peer networking technology?

A. Reduction in staff productivity

B. Loss of information during transmission

C. Lack of reliable internet network connections

D. Lack of central monitoring

Answer: D

Question #:154

An IS auditor is reviewing the change management process in a large IT service organization. Which of the
following observations would be the GREATEST concern?

A. Emergency software releases are not fully documented after implementation

B. User acceptance testing (UAT) can be waived in case of emergency software releases

C. Code is migrated manually into production during emergency software releases

D. A senior developer has permanent access to promote code for emergency software releases

Answer: D

Question #:155

An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message
between the parties. Which of the following audit responses is correct in this situation?

A. No audit finding is recorded as it is normal to distribute a key of this nature in this manner

B. An audit finding is recorded as the key should be asymmetric and therefore changed

C. No audit finding is recorded as the key can only be used once

D. An audit finding is recorded as the key should be distributed in a secure manner

Answer: D

Question #:156

Which of the following factors constitutes a strength in regard to the use of a disaster recovery planning
reciprocal agreement?

A. Reciprocal agreements may not be formally established in a contract.

B. The two companies might share a need for a specialized piece of equipment

C. Changes to the hardware or software environment by one company could make the agreement
ineffective or obsolete.

D. A disaster could occur that would affect both companies.

Answer: B

Question #:157

Which of the following is the BEST way for an IS auditor to maintain visibility of a new system
implementation project when faced with resource limitations?

A. Review the target control environment

B. Assess user acceptance test (UAT) results.

C. Attend steering committee meetings.

D. Evaluate the project plan and milestones

Answer: D

Question #:158

An IS auditor is following up on prior period items and finds management did not address an audit finding.
Which of the following should be the IS auditor's NEXT course of action?

A. Interview management to determine why the finding was not addressed

B. Recommend alternative solutions to address the repeat finding

C. Conduct a risk assessment of the repeat finding

D. Note the exception in a new report as the item was not addressed by management

Answer: A

Question #:159

Which of the following would be of GREATEST concern to an IS auditor reviewing backup and recovery
controls?

A. Backups are stored in an external hard drive

B. Restores from backups are not periodically tested

C. Backup procedures are not documented

D. Weekly and monthly backups are stored onsite

Answer: B

Question #:160

During business process reengineering (BPR) of a bank's teller activities, an IS auditor should evaluate:

A. the impact of changed business processes.

B. the cost of new controls.

C. BPR project plans

D. continuous improvement and monitoring plans.

Answer: A

Question #:161

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if
the individual who performs the related tasks also has approval authority?

A. Purchase requisitions and purchase orders

B. Vendor selection and statements of work

C. Invoices and reconciliations

D. Goods receipts and payments

Answer: A

Question #:162

A company converted its payroll system from an external service to an internal package. Payroll processing in
April was run in parallel. To validate the completeness of data after the conversion, which of the following
comparisons from the old to the new system would be MOST effective?

A. Turnaround time for payroll processing

B. Employee counts and year-to-date payroll totals

C. Cut-off dates and overwrites for a sample of employees

D. Master file employee data to payroll journals

Answer: B

Question #:163

Which of the following observations should be of GREATEST concern to an IS auditor reviewing a large
organization's IT steering committee?

A. Resource and priority conflict resolution has been delegated to the project management office

B. The committee does not include any current system administrators.

C. Business executives are not represented on the committee.

D. The committee has not formally approved the enterprise’s IT architecture.

Answer: C

Question #:164

An organization has suffered a number of incidents in which USB flash drives with sensitive data have been
lost. Which of the following would be MOST effective in preventing loss of sensitive data?

A. Issuing encrypted USB flash drives to staff

B. Implementing a check-in/check-out process for USB flash drives

C. Increasing the frequency of security awareness training

D. Modifying the disciplinary policy to be more stringent

Answer: A

Question #:165

Which of the following is the BEST sampling method when performing an audit test to determine the number
of access requests without approval signatures?

A. Attribute sampling

B. Judgment sampling

C. Stratified sampling

D. Stop-or-go sampling

Answer: A

Question #:166

A financial institution has a system interface that is used by its branches to obtain applicable currency
exchange rates when processing transactions. Which of the following should be the PRIMARY control
objective for maintaining the security of the system interface?

A. Preventing unauthorized access to the data via malicious activity

B. Preventing unauthorized access to the data via interception

C. Ensuring the integrity of the data being transferred

D. Ensuring the availability of the data being transferred

Answer: C

Question #:167

Which of the following should be reviewed FIRST when assessing the effectiveness of an organization's
network security procedures and controls?

A. Vulnerability remediation

B. Inventory of authorized devices

C. Malware defenses

D. Data recovery capability

Answer: B

Question #:168

An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If
approved, which of the following should be the FIRST control required before implementation?

A. Device registration

B. An acceptable use policy

C. Device baseline configurations

D. An awareness program

Answer: B

Question #:169

Which of the following is MOST critical to include when developing a data loss prevention (DLP) policy?

A. Identification of enforcement actions

B. Identification of the relevant network channels requiring protection

C. Identification of the users, groups, and roles to whom the policy will apply

D. Identification of the content to protect

Answer: D

Question #:170

Which of the following is a corrective control?

A. Reviewing user access rights for segregation of duties

B. Executing emergency response plans

C. Verifying duplicate calculations in data processing

D. Separating equipment development, testing, and production

Answer: B

Question #:171

Post-implementation testing is an example of which of the following control types?

A. Directive

B. Deterrent

C. Preventive

D. Detective

Answer: D

Question #:172

A sales representative is reviewing the organization's feedback blog and gets redirected to a site that sells
illegal prescription drugs. The blog site is MOST likely susceptible to which of the following types of attacks?

A. Directory harvesting

B. Phishing attack

C. Cross-site scripting

D. SQL injection

Answer: C

Question #:173

Which of the following is the MOST effective control to ensure electronic records beyond their retention
periods are deleted from IT systems?

A. Build in system logic to trigger data deletion at predefined times.

B. Perform a sample check of current data against the retention schedule.

C. Review the record retention register regularly to initiate data deletion.

D. Execute all data deletions at a predefined month during the year.

Answer: A

Question #:174

Which of the following is the PRIMARY reason for an IS auditor to select a statistical sampling method?

A. Statistical sampling methods enable the auditor to objectively quantify the probability of error.

B. Statistical sampling methods are the most effective way to avoid sampling risk.

C. Statistical sampling methods must be used to mitigate audit risk.

D. Statistical sampling methods help the auditor to determine the tolerable error rate.

Answer: A

Question #:175

An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business
cases. Which of the following should be of GREATEST concern to the organization?

A. Vendor selection criteria are not sufficiently evaluated

B. Project costs exceed established budgets

C. Business resources have not been optimally assigned

D. Business impacts of projects are not adequately analyzed

Answer: D

Question #:176

An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability than the primary
site. Based on this information, which of the following presents the GREATEST risk?

A. Network firewalls and database firewalls at the DR site do not provide high availability.

B. No disaster recovery plan (DRP) testing has been performed during the last six months.

C. The DR site is in a shared location that hosts multiple other enterprises.

D. The DR site has not undergone testing to confirm its effectiveness.

Answer: D

Question #:177

Which of the following controls will BEST ensure that the board of directors receives sufficient information
about IT?

A. The CIO reports on performance and corrective actions in a timely manner.

B. Board members are knowledgeable about IT and the CIO is consulted on IT issues.

C. The CIO regularly sends IT trend reports to the board.

D. Regular meetings occur between the board, the CIO, and a technology committee.

Answer: B

Question #:178

Which of the following would be MOST important to update once a decision has been made to outsource a
critical application to a cloud service provider?

A. IT budget

B. Business impact analysis (BIA)

C. IT resource plan

D. Project portfolio

Answer: B

Question #:179

Which of the following is the MAIN purpose of data classification?

A. Defining parameter requirements for security labels

B. Ensuring integrity of sensitive information

C. Applying the appropriate protective measures

D. Ensuring the segregation of duties

Answer: C

Question #:180

An IS auditor is planning to audit an organization's infrastructure for access, patching, and change
management. Which of the following is the BEST way to prioritize the systems?

A. Complexity of the environment

B. Criticality of the system

C. System hierarchy within the infrastructure

D. System retirement plan

Answer: B

Question #:181

In a high-volume, real-time system, the MOST effective technique by which to continuously monitor and
analyze transaction processing is:

A. transaction tagging

B. parallel simulation.

C. integrated test facility (ITF)

D. embedded audit modules.

Answer: D

Question #:182

Which of the following metrics is MOST useful to an IS auditor when evaluating whether IT investments are
meeting business objectives?

A. Realized return on investment (ROI) versus projected ROI

B. Actual return on investment (ROI) versus industry average ROI.

C. Actual versus projected customer satisfaction

D. Budgeted spend versus actual spend

Answer: C

Question #:183

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

A. Availability of the site in the event of multiple disaster declarations

B. Coordination with the site staff in the event of multiple disaster declarations

C. Reciprocal agreements with other organizations

D. Complete testing of the recovery plan

Answer: A

Question #:184

During an exit interview, senior management disagrees with some of the facts presented in the draft audit
report and wants them removed from the report. Which of the following would be the auditor's BEST course of
action?

A. Gather evidence to analyze senior management's objections

B. Finalize the draft audit report without changes

C. Revise the assessment based on senior management's objections.

D. Escalate the issue to audit management

Answer: A

Question #:185

An organization's enterprise architecture (EA) department decides to change a legacy system's components
while maintaining its original functionality. Which of the following is MOST important for an IS auditor to
understand when reviewing this decision?

A. The current business capabilities delivered by the legacy system.

B. The proposed network topology to be used by the redesigned system

C. The data flows between the components to be used by the redesigned system

D. The database entity relationships within the legacy system

Answer: A

Question #:186

Which of the following is MOST important to have in place for the continuous improvement of process
maturity within a large IT support function?

A. Performance metrics dashboard

B. Control self-assessments (CSAs)

C. Regular internal audits

D. Project management

Answer: A

Question #:187

Which of the following implementation strategies for new applications presents the GREATEST risk during
data conversion and migration from an old system to a new system?

A. Pilot implementation

B. Phased implementation

C. Direct cutover

D. Parallel simulation

Answer: C

Question #:188

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a
business application development project?

A. Quality assurance (QA) review

B. Expected deliverables meeting project deadlines

C. Sign-off from the IT team

D. Ongoing participation by relevant stakeholders

Answer: D

Question #:189

A company is using a software developer for a project. At which of the following points should the software
quality assurance (QA) plan be developed?

A. Prior to acceptance testing

B. During the feasibility phase

C. As part of software definition

D. As part of the design phase

Answer: D

Question #:190

The PRIMARY advantage of object-oriented technology is enhanced:

A. management of sequential program execution for data access

B. management of a restricted variety of data types for a data object

C. grouping of objects into methods for data access

D. efficiency due to the re-use of elements of logic

Answer: D

Question #:191

During data migration, which of the following BEST prevents integrity issues when multiple processes within
the migration program are attempting to write to the same table in the databases?

A. Authentication controls

B. Concurrency controls

C. Normalization controls

D. Database limit controls

Answer: B

Question #:192

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to
processes and tools related to an organization's business continuity plan (BCP)?

A. Updated Inventory of systems

B. Full test results

C. Completed test plans

D. Change management processes

Answer: B

Question #:193

Which of the following is MOST appropriate for measuring a batch processing application's system
performance over time?

A. System utilization

B. Idle time

C. Throughput

D. Uptime

Answer: C

Question #:194

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering
adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST
prevented this type of fraud in a retail environment?

A. Statistical sampling of adjustment transactions

B. Unscheduled audits of lost stock lines

C. An edit check for the validity of the inventory transaction

D. Separate authorization for input of transactions

Answer: D

Question #:195

Which of the following evidence-gathering techniques will provide the GREATEST assurance that procedures
are understood and practiced?

A. Survey end users.

B. Review procedures for alignment to policies.

C. Interview process owners.

D. Observe processes.

Answer: D

Question #:196

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed.
Which of the following should be the IS auditor's NEXT course of action?

A. Obtain a verbal confirmation from IT for this exemption.

B. Review the list of end users and evaluate for authorization.

C. Verify management's approval for this exemption.

D. Report this control process weakness to senior management.

Answer: B

Question #:197

An organization with high availability resource requirements is selecting a provider for cloud computing.
Which of the following would cause the GREATEST concern to an IS auditor? The provider:

A. hosts systems for the organization's competitor.

B. does not store backup media offsite.

C. is not internationally certified for high availability.

D. deploys patches automatically without testing.

Answer: D

Question #:198

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of
an organization's data loss prevention (DLP) controls?

A. Review data classification levels based on industry best practice.

B. Verify that confidential files cannot be transmitted to a personal USB device.

C. Conduct interviews to identify possible data protection vulnerabilities.

D. Verify that current DLP software is installed on all computer systems.

Answer: B

Question #:199

The BEST way to preserve data integrity through all phases of application containerization is to ensure which
of the following?

A. Developers are educated about how their roles relate to application security best practices.

B. The development team performs regular patching of application containers.

C. Segregation of duties is developed and maintained in the application container environment.

D. Information security roles are defined and communicated in the information security policy.

Answer: C

Question #:200

Reconciliations have identified data discrepancies between an enterprise data warehouse and a revenue system
for key financial reports. What is the GREATEST risk to the organization in this situation?

A. Financial reports may be delayed.

B. Undetected fraud may occur.

C. The key financial reports may no longer be produced.

D. Decisions may be made based on incorrect information

Answer: D

Question #:201

The PRIMARY objective of IT service level management is to:

A. satisfy customer requirements.

B. manage computer operations activities.

C. improve IT cost control

D. increase awareness of IT services

Answer: A

Question #:202

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data
with different security classifications?

A. Applying access controls determined by the data owner

B. Limiting access to the data files based on frequency of use

C. Using scripted access control lists to prevent unauthorized access to the server

D. Obtaining formal agreement by users to comply with the data classification policy

Answer: A

Question #:203

An organization developed a comprehensive three-year IT strategic plan. Halfway into the plan, a major
legislative change impacting the organization is enacted. Which of the following should be management's
NEXT course of action?

A. Develop specific procedural documentation related to the changed legislation

B. Perform a risk assessment of the legislative changes

C. Assess the legislation to determine whether changes are required to the strategic IT plan

D. Develop a new IT strategic plan that encompasses the new legislation

Answer: B

Question #:204

Which of the following is MOST important to include in a contract to outsource data processing that involves
customer personally identifiable information (PII)?

A. The vendor must comply with the organization's legal and regulatory requirements.

B. The vendor must provide an independent report of its data processing facilities.

C. The vendor must compensate the organization if nonperformance occurs.

D. The vendor must sign a nondisclosure agreement with the organization.

Answer: A

Question #:205

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

A. Technology risk

B. Inherent risk

C. Control risk

D. Detection risk

Answer: D

Question #:206

An application used at a financial services organization transmits confidential customer data to downstream
applications using a batch process. Which of the following controls would protect this information?

A. Header record with timestamp

B. Record count

C. Control file

D. Secure File Transfer Protocol (SFTP)

Answer: D

Question #:207

A new privacy regulation requires a customer's privacy information to be deleted within 72 hours, if requested.
Which of the following would be an IS auditor's GREATEST concern regarding compliance to this
regulation?

A. Outdated online privacy policies

B. Incomplete backup and retention policies

C. End user access to applications with customer information

D. Lack of knowledge of where customers' information is saved

Answer: D

Question #:208

A banking organization has outsourced its customer data processing facilities to an external service provider.
Which of the following roles is accountable for ensuring the security of customer data?

A. The service provider’s data privacy officer

B. The bank’s vendor risk manager

C. The service provider's data processor

D. The bank's senior management

Answer: D

Question #:209

Which of the following should be a concern to an IS auditor reviewing a digital forensic process for a security
incident?

A. The media with the original evidence was not write-blocked.

B. The forensic expert used open-source forensic tools.

C. The affected computer was not immediately shut down after the incident.

D. Analysis was performed using an image of the original media.

Answer: A

Question #:210

Which of the following is the MOST important difference between end-user computing (EUC) applications and
traditional applications?

A. Traditional application documentation is typically less comprehensive than EUC application documentation.

B. Traditional applications require roll-back procedures whereas EUC applications do not.

C. Traditional applications require periodic patching whereas EUC applications do not.

D. Traditional application input controls are typically more robust than EUC application input controls.

Answer: D

Question #:211

Which of the following is MOST important to ensure when reviewing a global organization's controls to
protect data held on its IT infrastructure across all of its locations?

A. Relevant data protection legislation and regulations for each location are adhered to.

B. Technical capabilities exist in each location to manage the data and recovery operations

C. The capacity of underlying communications infrastructure in the host locations is sufficient.

D. The threat of natural disasters in each location hosting infrastructure has been accounted for.

Answer: A

Question #:212

Which of the following BEST helps to identify errors during data transfer?

A. Decrease the size of data transfer packets.

B. Test the integrity of the data transfer.

C. Review and verify the data transfer sequence numbers.

D. Enable a logging process for data transfer.

Answer: C
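
The contrast behind Q206 and Q212 is easier to see in code. SFTP protects the bytes in transit (confidentiality and transport integrity); record counts, control totals and sequence numbers are what let the receiving application detect that a record was lost, duplicated or altered between the two applications. The following is an added example, not code from the original page or from any product it mentions: a batch file carries a sequence number on every record and a trailer with the record count and a SHA-256 over the data lines, and the receiver checks all three. The file layout, separator and sample records are this example's own constructions.

```python
import hashlib

SEP = "|"  # field separator assumed for this example's batch layout

# Constructed sample payloads (not real customer data)
SAMPLE_PAYLOADS = [
    "ACCT-1001,2023-06-30,100.00",
    "ACCT-1002,2023-06-30,250.50",
    "ACCT-1003,2023-06-30,75.25",
]


def build_batch(payloads):
    """Serialize payloads as 'seq|payload' data lines, numbered from 1, and
    append a trailer 'TRAILER|record_count|sha256(data lines)'."""
    data = [f"{seq}{SEP}{payload}" for seq, payload in enumerate(payloads, start=1)]
    digest = hashlib.sha256("\n".join(data).encode()).hexdigest()
    return "\n".join(data + [f"TRAILER{SEP}{len(data)}{SEP}{digest}"])


def verify_batch(text):
    """Return a list of detected problems; an empty list means the batch
    arrived complete and unaltered."""
    problems = []
    lines = text.split("\n")
    if not lines[-1].startswith("TRAILER" + SEP):
        return ["trailer record missing"]
    _, count, digest = lines[-1].split(SEP)
    data = lines[:-1]
    expected = int(count)

    # Completeness: the record count carried in the trailer
    if len(data) != expected:
        problems.append(f"count mismatch: trailer says {expected}, received {len(data)}")

    # Accuracy: hash over the data lines (detects altered content)
    if hashlib.sha256("\n".join(data).encode()).hexdigest() != digest:
        problems.append("hash mismatch: content altered")

    # Sequence numbers say *which* records are missing, duplicated or reordered
    seen = [int(line.split(SEP, 1)[0]) for line in data]
    duplicates = sorted({s for s in seen if seen.count(s) > 1})
    missing = sorted(set(range(1, expected + 1)) - set(seen))
    if duplicates:
        problems.append(f"duplicate sequence numbers: {duplicates}")
    if missing:
        problems.append(f"missing sequence numbers: {missing}")
    if seen != sorted(seen):
        problems.append("records out of sequence")
    return problems


SAMPLE = build_batch(SAMPLE_PAYLOADS)
```

A receiver that only checked the SFTP session would accept a file from which the sender's job had silently dropped record 2; `verify_batch` reports the count mismatch, the hash mismatch and the exact sequence number that is absent, which is the information needed to re-request it.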

Question #:213

Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?

A. Integrity of records

B. Confidentiality of records

C. Availability of records

D. Distribution of records

Answer: A

Question #:214

During an audit of a data classification policy, an IS auditor finds that many documents are inappropriately
classified as confidential. Which of the following is the GREATEST concern?

A. Information may be underprotected.

B. Data integrity issues may occur.

C. Industry security best practices are violated.

D. Information may generally be overprotected.

Answer: D

Question #:215

Of the following, who should approve a release to a critical application that would make the application
inaccessible for 24 hours?

A. Business process owner

B. Data custodian

C. Project manager

D. Chief information security officer (CISO)

Answer: A

Question #:216

Which of the following sampling techniques is BEST to use when verifying the operating effectiveness of
internal controls during an audit of transactions?

A. Attribute sampling

B. Statistical sampling

C. Judgmental sampling

D. Stop-or-go sampling

Answer: A

Question #:217

Which of the following is the GREATEST risk associated with the use of instant messaging (IM)?

A. Data leakage

B. Loss of employee productivity

C. Internet Protocol (IP) address spoofing

D. Excess bandwidth consumption

Answer: A

Question #:218

An auditor is creating an audit program in which the objective is to establish the adequacy of personal data
privacy controls in a payroll process. Which of the following would be MOST important to include?

A. Approval of data changes

B. User access provisioning

C. Segregation of duties controls

D. Audit logging of administrative user activity

Answer: D

Question #:219

An IS auditor reviewing a purchase accounting system notices several duplicate payments made for the
services rendered. Which of the following is the auditor's BEST recommendation for preventing duplicate
payments?

A. Implement a configuration control to enable sequential numbering of invoices.

B. Request vendors to attach service acknowledgment notices to purchase orders.

C. Implement a system control that determines if there are corresponding invoices for purchase orders.

D. Perform additional supervisory reviews prior to the invoice payments.

Answer: C

Question #:220

Which of the following is an example of a control that is both detective and preventive at the same time?

A. A payment order to a sanctioned country is detected in the system before the payment is actually made.

B. Detective fraud controls performed on past transactions prevent legal action being taken against the
organization.

C. Detection of unauthorized activity in a database prevents further manipulation by the database
administrator (DBA).

D. A misconfiguration of an operating system is detected and future recurrence can successfully be
prevented.

Answer: A

Question #:221

Which of the following should be an IS auditor's GREATEST concern when a security audit reveals the
organization's vulnerability assessment approach is limited to running a vulnerability scanner on its network?

A. A scanner does not exploit the vulnerability in the systems.

B. External risks in the organization's environment may go undetected.

C. Some of the vulnerabilities discovered may be false positives.

D. System performance may be degraded by the scanner.

Answer: B

Question #:222

During an IT operations audit, multiple unencrypted backup tapes containing sensitive credit card information
cannot be found. Which of the following presents the GREATEST risk to the organization?

A. Reputational damage due to potential identity theft

B. Business disruption if a data restore cannot be completed

C. The cost of recreating the missing backup tapes

D. Human resource cost of responding to the incident

Answer: A

Question #:223

An IS auditor wants to understand the collective effect of the preventive, detective, and corrective controls for
a specific business process. Which of the following should the auditor focus on FIRST?

A. The formal documentation of the process and how adherence is measured

B. Whether the existence of preventive controls causes corrective controls to become unnecessary

C. Whether segregation of duties is in place when two controls are applied simultaneously

D. The various points in the process where controls are exercised

Answer: D

Question #:224

Which of the following would provide the BEST evidence of the effectiveness of mandated annual security
awareness training?

A. Number of security incidents

B. Trending of social engineering test results

C. Surveys completed by randomly selected employees

D. Results of a third-party penetration test

Answer: B

Question #:225

Which of the following should an IS auditor expect to find when reviewing IT security policy?

A. Virus protection implementation strategies

B. An inventory of information assets

C. A risk-based classification of systems

D. Assigned responsibility for safeguarding company assets

Answer: D

Question #:226

An IS auditor notes that help desk personnel are required to make critical decisions during major service
disruptions. Which of the following is the auditor's BEST recommendation to address this situation?

A. Introduce classification of disruptions by risk category.

B. Provide historical incident response information for the help desk

C. Implement an incident response plan

D. Establish shared responsibility among business peers.

Answer: C

Question #:227

Which of the following findings should be of GREATEST concern to an IS auditor reviewing system
deployment tools for a critical enterprise application system?

A. Change requests do not contain backout plans.

B. There are no documented instructions for using the tool.

C. Access to the tool is not approved by senior management.

D. Access to the tool is not restricted.

Answer: D

Question #:228

Which of the following is the BEST IS audit strategy?

A. Limit audits to new application system developments

B. Conduct general control audits annually and application audits in alternating years

C. Perform audits based on impact and probability of error and failure.

D. Cycle general control and application audits over a two-year period

Answer: C

Question #:229

To ensure the integrity of a recovered database, which of the following would be MOST useful?

A. Database defragmentation tools

B. Application transaction logs

C. A copy of the data dictionary

D. Before-and-after transaction images

Answer: D
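
Why before-and-after images (Q229) are the useful artifact: after a database is restored from backup, the log of images is what brings it to a consistent point. Committed transactions are rolled forward with their after-images; transactions that were in flight when the failure happened are rolled back with their before-images. The following is an added example, not code from the original page: a simplified roll-forward/roll-back over a key-value store, which also checks each before-image against the state it is applied to so that a backup that does not match the log is caught rather than silently corrupting the result. The log format, transaction ids and values are constructed for the example; it assumes, as real engines do, that write locks stop two uncommitted transactions from updating the same key out of order.

```python
def recover(restored, log):
    """restored: dict of key -> value as restored from the last backup.
    log: list of entries in log order, each either
         {'txn': 'T1', 'op': 'UPDATE', 'key': 'A', 'before': 100, 'after': 80}
      or {'txn': 'T1', 'op': 'COMMIT'}
    A before-image of None means the key did not exist yet (an insert);
    an after-image of None means the key was deleted.
    Returns the recovered dict. Raises ValueError if a before-image does
    not match the state it is replayed against (backup/log mismatch)."""
    db = dict(restored)
    committed = {e['txn'] for e in log if e['op'] == 'COMMIT'}

    def apply(key, value):
        if value is None:
            db.pop(key, None)
        else:
            db[key] = value

    # Roll forward: replay every after-image in log order. Checking the
    # before-image first verifies the restored copy is the one the log
    # was written against.
    for e in log:
        if e['op'] != 'UPDATE':
            continue
        if db.get(e['key']) != e['before']:
            raise ValueError(f"before-image mismatch for key {e['key']} in {e['txn']}")
        apply(e['key'], e['after'])

    # Roll back: undo the transactions that never committed, newest first,
    # by restoring their before-images.
    for e in reversed(log):
        if e['op'] == 'UPDATE' and e['txn'] not in committed:
            apply(e['key'], e['before'])
    return db


# Constructed sample: backup state plus the log written after it.
RESTORED = {'A': 100, 'B': 200}
LOG = [
    {'txn': 'T1', 'op': 'UPDATE', 'key': 'A', 'before': 100, 'after': 80},
    {'txn': 'T2', 'op': 'UPDATE', 'key': 'B', 'before': 200, 'after': 250},
    {'txn': 'T1', 'op': 'COMMIT'},
    {'txn': 'T2', 'op': 'UPDATE', 'key': 'C', 'before': None, 'after': 5},
    # failure here: T2 never commits, so B goes back to 200 and C disappears
]

if __name__ == "__main__":
    print(recover(RESTORED, LOG))
```

Application transaction logs (option B) alone cannot do this: they record that a change was attempted, but without the prior value there is nothing to roll an unfinished transaction back to.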

Question #:230

Data analytics tools and techniques are MOST helpful to an IS auditor during which of the following audit
activities?

A. Audit follow-up

B. Walk-through testing

C. Substantive testing

D. Audit and resource planning

Answer: C

Question #:231

Which of the following is the MAIN purpose of an information security management system?

A. To reduce the frequency and impact of information security incidents

B. To identify and eliminate the root causes of information security incidents

C. To keep information security policies and procedures up-to-date

D. To enhance the impact of reports used to monitor information security incidents

Answer: A

Question #:232

Which of the following analytical methods would be MOST useful when trying to identify groups with similar
behavior or characteristics in a large population?

A. Random sampling

B. Classification

C. Deviation detection

D. Cluster sampling

Answer: B

Question #:233

Which of the following groups is MOST likely responsible for the implementation of IT projects?

A. IT steering committee

B. IT strategy committee

C. IT compliance committee

D. IT governance committee

Answer: A

Question #:234

An IS auditor reviewed the business case for a proposed investment to virtualize an organization's server
infrastructure. Which of the following is MOST likely to be included among the benefits in the project
proposal?

A. Fewer operating system licenses

B. Better efficiency of logical resources

C. Less memory and storage space

D. Reduced hardware footprint

Answer: D

Question #:235

Which of the following application input controls would MOST likely detect data input errors in the customer
account number field during the processing of an accounts receivable transaction?

A. Reasonableness check

B. Validity check

C. Parity check

D. Limit check

Answer: B
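
The options in Q235 are distinct edit checks, and the difference is clearest when they are applied to one accounts-receivable transaction. A validity check compares the keyed account number with the customer master (a mistyped account number is simply not there); a limit check tests the amount against a fixed bound; a reasonableness check tests it against what is normal for that customer. A parity check is a hardware or transmission control and has no application-level counterpart here. The following is an added example, not code from the original page; the customer master, bounds and transactions are constructed.

```python
# Constructed customer master file: account number -> attributes
CUSTOMER_MASTER = {
    "C10001": {"credit_limit": 5000.00, "avg_invoice": 400.00},
    "C10002": {"credit_limit": 20000.00, "avg_invoice": 2500.00},
}
MAX_TRANSACTION_AMOUNT = 100000.00  # limit-check bound (assumed)
REASONABLE_MULTIPLE = 5.0           # reasonableness bound: multiple of the average invoice (assumed)


def validity_check(account_no):
    """Accept only account numbers that exist in the master file. This is
    the check that catches a transposed or mistyped customer account."""
    return account_no in CUSTOMER_MASTER


def limit_check(amount):
    """Amount must lie within a fixed, predefined range."""
    return 0 < amount <= MAX_TRANSACTION_AMOUNT


def reasonableness_check(account_no, amount):
    """Amount must be plausible for this particular customer's history."""
    cust = CUSTOMER_MASTER.get(account_no)
    return cust is not None and amount <= REASONABLE_MULTIPLE * cust["avg_invoice"]


def edit_checks(txn):
    """Run the edit checks on one transaction {'account_no': ..., 'amount': ...}
    and return the list of failed checks; an empty list means accept."""
    errors = []
    valid_account = validity_check(txn["account_no"])
    if not valid_account:
        errors.append("validity: account number not in customer master")
    if not limit_check(txn["amount"]):
        errors.append("limit: amount outside permitted range")
    elif valid_account and not reasonableness_check(txn["account_no"], txn["amount"]):
        errors.append("reasonableness: amount unusual for this customer")
    return errors
```

Note that a reasonableness check cannot fire for an unknown account at all, since it has no history to compare against; that is why it is the validity check, not the reasonableness check, that detects an error in the account number field.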

Question #:236

Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an
organization's incident response process?

A. Past incident response actions

B. Results from management testing of incident response procedures

C. Incident response staff experience and qualifications

D. Incident response roles and responsibilities

Answer: B

Question #:237

During an audit, the client learns that the IS auditor has recently completed a similar security review at a
competitor. The client inquires about the competitor's audit results. What is the BEST way for the auditor to
address this inquiry?

A. Explain that it would be inappropriate to discuss the results of another audit client

B. Escalate the question to the audit manager for further action.

C. Discuss the results of the audit omitting specifics related to names and products.

D. Obtain permission from the competitor to use the audit results as examples for future clients.

Answer: A

Question #:238

A client/server configuration will:

A. keep track of all the clients using the IS facilities of a service organization.

B. limit the clients and servers relationship by limiting the IS facilities to a single hardware system.

C. enhance system performance through the separation of front-end and back-end processes.

D. optimize system performance by having a server on a front-end and clients on a host.

Answer: C

Question #:239

An internal audit department recently established a quality assurance (QA) program as part of its overall audit
program. Which of the following activities is MOST important to include as part of the QA program
requirements?

A. Analyzing user satisfaction reports from business lines

B. Benchmarking the QA framework to international standards

C. Reporting QA program results to the audit committee

D. Conducting long-term planning for internal audit staffing

Answer: A

Question #:240

To help determine whether a controls-reliant approach to auditing financial systems for a company should be
used, which sequence of IS audit work is MOST appropriate?

A. Review of application controls followed by a test of key business process controls

B. Review of major financial applications followed by a review of IT governance processes

C. Review of the general IS controls followed by a review of the application controls

D. Detailed examination of financial transactions followed by review of the general ledger

Answer: A

Question #:241

An IS auditor finds that terminated users have access to financial applications. Which of the following is the
auditor's MOST important course of action when assessing the impact?

A. Inquire of management whether the terminated users left the organization on good terms.

B. Inspect the logs to determine whether the users accessed the applications after termination.

C. Review requests in the ticketing tool for removal of identified access.

D. Inspect the terminated employees' corporate email accounts.

Answer: B

Question #:242

Which sampling method should an IS auditor employ when the likelihood of exceptions existing in the
population is low?

A. Discovery sampling

B. Random sampling

C. Interval sampling

D. Unit sampling

Answer: A

Question #:243

Disciplinary policies are BEST classified as:

A. compensating controls

B. preventive controls.

C. directive controls

D. corrective controls

Answer: C

Question #:244

An IS auditor is reviewing an enterprise database platform. The review involves statistical methods, Benford
analysis, and duplicate checks. Which of the following computer-assisted audit technique (CAAT) tools would
be MOST useful for this review?

A. Continuous and intermittent simulation (CIS)

B. Generalized audit software (GAS)

C. Audit hooks

D. Integrated test facility (ITF)

Answer: B
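The three tests the question names are exactly what generalized audit software runs over a full population. The script below is an added example, not part of the dump, showing them in plain Python over a constructed accounts-payable file: a statistical summary, a Benford first-digit comparison with a z-score per digit, and a duplicate check keyed on whatever combination of fields the auditor chooses. All vendors, references and amounts are made up.

```python
"""Added example (not from the dump): GAS-style tests over a constructed
accounts-payable population. Data below is hypothetical."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    ref: str
    vendor: str
    invoice: str
    amount: float


# Constructed sample population (hypothetical vendors, invoices, amounts).
PAYMENTS = [
    Payment("P001", "Acme Supplies", "INV-1001", 1250.00),
    Payment("P002", "Acme Supplies", "INV-1002", 180.50),
    Payment("P003", "Brown Logistics", "INV-77", 3420.00),
    Payment("P004", "Cortex IT", "INV-5501", 11999.00),
    Payment("P005", "Brown Logistics", "INV-77", 3420.00),   # same invoice paid twice
    Payment("P006", "Delta Office", "INV-204", 95.20),
    Payment("P007", "Acme Supplies", "INV-1003", 2100.00),
    Payment("P008", "Cortex IT", "INV-5502", 1499.99),
    Payment("P009", "Delta Office", "INV-205", 47.80),
    Payment("P010", "Evergreen Cleaning", "INV-9", 650.00),
    Payment("P011", "Evergreen Cleaning", "INV-10", 650.00),  # same vendor and amount
    Payment("P012", "Brown Logistics", "INV-78", 7800.00),
]


def first_digit(x):
    """Leading non-zero digit of x (None for zero), via scientific notation."""
    if x == 0:
        return None
    return int(f"{abs(x):.10e}"[0])


def benford_first_digit(amounts):
    """Observed first-digit counts versus Benford's expected proportion
    log10(1 + 1/d). z is the normal approximation of the deviation;
    |z| >= 2 marks a digit worth investigating."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    result = {}
    for d in range(1, 10):
        p_exp = math.log10(1 + 1 / d)
        p_obs = counts[d] / n
        se = math.sqrt(p_exp * (1 - p_exp) / n)
        result[d] = {"observed": counts[d], "expected_p": p_exp, "z": (p_obs - p_exp) / se}
    return result


def duplicate_groups(payments, key):
    """Refs of payments that share the same key (e.g. vendor+invoice or
    vendor+amount); only groups with more than one member are returned."""
    groups = defaultdict(list)
    for p in payments:
        groups[key(p)].append(p.ref)
    return sorted(tuple(refs) for refs in groups.values() if len(refs) > 1)


def amount_summary(amounts):
    """Basic statistics an auditor would eyeball before deeper testing."""
    return {"n": len(amounts), "total": round(sum(amounts), 2),
            "mean": round(mean(amounts), 2), "stdev": round(pstdev(amounts), 2),
            "max": max(amounts)}


if __name__ == "__main__":
    amounts = [p.amount for p in PAYMENTS]
    print(amount_summary(amounts))
    for d, r in benford_first_digit(amounts).items():
        flag = " <-- review" if abs(r["z"]) >= 2 else ""
        print(f"digit {d}: observed {r['observed']:2d}, expected {r['expected_p']:.3f}, z {r['z']:+.2f}{flag}")
    print("same vendor+invoice:", duplicate_groups(PAYMENTS, key=lambda p: (p.vendor, p.invoice)))
    print("same vendor+amount :", duplicate_groups(PAYMENTS, key=lambda p: (p.vendor, round(p.amount, 2))))
```

With a population this small the z-scores are only indicative; Benford testing needs a few hundred values before deviations mean anything, and the duplicate test on vendor plus amount deliberately over-flags (recurring monthly charges look like duplicates) so the hits are leads, not findings.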

Question #:245

At what point in software development should the user acceptance test plan be prepared?

A. Feasibility study

B. Transfer into production

C. Requirements definition

D. Implementation planning

Answer: C

Question #:246

Which of the following is MOST helpful for an IS auditor to review when determining the appropriateness of
controls relevant to a specific audit area?

A. Control implementation methods

B. Control self-assessment (CSA)

C. Enterprise architecture (EA) design

D. Business impact analysis (BIA)

Answer: C

Question #:247

The recovery time objective (RTO) is normally determined on the basis of the:

A. acceptable downtime of the alternate site.

B. risk of occurrence.

C. criticality of the systems affected.

D. cost of recovery of all systems.

Answer: C

Question #:248

During a privileged access review, an IS auditor observes many help desk employees have privileges within
systems not required for their job functions. Implementing which of the following would have prevented this
situation?

A. Multi-factor authentication

B. Separation of duties

C. Least privilege access

D. Privileged access reviews

Answer: C

Question #:249

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an
e-commerce website?

A. Configure each authentication server and ensure that the disks of each server form part of a duplex.

B. Configure each authentication server and ensure that each disk of its RAID is attached to the primary
controller.

C. Configure a single server as a primary authentication server and a second server as a secondary
authentication server.

D. Configure each authentication server as belonging to a cluster of authentication servers.

Answer: D
Question #:250

Which of the following BEST measures project progress?

A. Earned-value analysis (EVA)

B. Project plan

C. SWOT analysis

D. Gantt chart

Answer: A

Question #:251

Which of the following provides an IS auditor with the BEST evidence that a system has been assessed for
known exploits?

A. Patch cycle report

B. Vulnerability scanning report

C. Black box testing report

D. White box testing report

Answer: B

Question #:252

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed
and updated. The GREATEST concern to the IS auditor is that p......

A. incorporate changes to relevant laws.

B. reflect current practices

C. include new systems and corresponding process changes

D. be subject to adequate quality assurance (QA).

Answer: A

Question #:253

What information within change records would provide an IS auditor with the MOST assurance that
configuration management is operating effectively?

A. Affected configuration items and associated impacts

B. Implementation checklist for release management

C. Post-implementation review documentation

D. Configuration management plan and operating procedures

Answer: A
Question #:254

The maturity level of an organization's problem management support function is optimized when the function:

A. has formally documented the escalation process.

B. proactively provides solutions

C. resolves requests in a timely manner

D. analyzes critical incidents to identify root cause.

Answer: B

Question #:255

Which of the following is the PRIMARY purpose of using data analytics when auditing an enterprise resource
planning (ERP) system for a large organization?

A. To determine recovery point objectives (RPOs)

B. To identify business processing errors

C. To select sampling methods

D. To identify threats to the ERP

Answer: B

Question #:256

During an audit of a financial application, it was determined that many terminated users' accounts were not
disabled. Which of the following should be the IS auditor's NEXT step?

A. Conclude that IT general controls are ineffective.

B. Perform a review of terminated users' account activity.

C. Communicate risks to the application owner.

D. Perform substantive testing of terminated users' access rights.

Answer: B

Question #:257

Which of the following demonstrates the use of data analytics for a loan origination process?

A. Evaluating whether loan records are included in the batch file and are validated by the servicing system

B. Validating whether reconciliations between the two systems are performed and discrepancies are
investigated

C. Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

D. Comparing a population of loans input in the origination system to loans booked on the servicing system

Answer: D

Question #:258

An IS auditor is evaluating a virtual server environment and learns that the production server, development
server, and management console are housed in the same physical host. What should be the auditor's
PRIMARY concern?

A. The physical host is a single point of failure

B. The management console is a single point of failure.

C. The development server and management console share the same host

D. The development and production servers share the same host

Answer: D

Question #:259

An IS auditor is testing employee access to a large financial system and must select a sample from the current
employee list provided by the auditee. Which of the following is the MOST reliable sample source to support
this testing?

A. Previous audit reports generated by a third party

B. A system-generated list of accounts with access levels

C. Human resources (HR) documents signed by employees' managers

D. A system access spreadsheet provided by the system administrator.

Answer: B

Question #:260

Which of the following findings should be of GREATEST concern to an IS auditor reviewing the
effectiveness of an organization's problem management practices?

A. Problem records are prioritized based on the impact of incidents

B. Some incidents are closed without problem resolution.

C. Root causes are not adequately identified

D. Problems are frequently escalated to management for resolution

Answer: C
Question #:261

For an organization that has plans to implement web-based trading, it would be MOST important for an IS
auditor to verify the organization's information security plan includes:

A. security training prior to implementation.

B. security requirements for the new application.

C. the firewall configuration for the web server.

D. attributes for system passwords.

Answer: B

Question #:262

Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP
(VoIP) communications?

A. Nonrepudiation

B. Continuity of service

C. Homogeneity of the network

D. Identity management

Answer: B

Question #:263

An IS auditor is examining a front-end sub-ledger and a main ledger. Which of the following would be the
GREATEST concern if there are flaws in the mapping of accounts between the two systems?

A. Double-posting of a single journal entry

B. Inaccuracy of financial reporting

C. Unauthorized alteration of account attributes

D. Inability to support new business transactions

Answer: B

Question #:264

Which of the following is the MOST important consideration when incorporating data analytics into an audit?

A. Ability of the auditor to perform complex analysis

B. Availability and cost of the tools

C. Complexity of the data and related audit process

D. Availability and quality of data

Answer: D

Question #:265

During a review of an application system, an IS auditor identifies automated controls designed to prevent the
entry of duplicate transactions. What is the BEST way to verify that the controls work as designed?

A. Implement periodic reconciliations.

B. Review quality assurance (QA) test results.

C. Use generalized audit software for seeking data corresponding to duplicate transactions.

D. Enter duplicate transactions in a copy of the live system.

Answer: D

Question #:266

Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?

A. Invest in current technology

B. Create a technology watch team that evaluates emerging trends.

C. Make provisions in the budgets for potential upgrades.

D. Create tactical and strategic IS plans

Answer: D
Question #:267

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (AI)
system, the IS auditor should be MOST concerned with the impact AI will have on:

A. task capacity output

B. employee retention

C. future task updates

D. enterprise architecture (EA).

Answer: D

Question #:268

Which of the following is the MOST important reason to use statistical sampling?

A. The results can reduce error rates.

B. It reduces time required for testing.

C. The results are more defensible.

D. It ensures that all relevant cases are covered.

Answer: C

Question #:269

An IS auditor will be testing accounts payable controls by performing data analytics on the entire population
of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the
population data?

A. There is no privacy information in the data.

B. The data is taken directly from the system.

C. The data can be obtained in a timely manner.

D. The data analysis tools have been recently updated.

Answer: B

Question #:270

An IS auditor learns the organization has experienced several server failures in its distributed environment.
Which of the following is the BEST recommendation to limit the potential Impact of server failures in the
future?

A. Failover power

B. Clustering

C. Parallel testing

D. Redundant pathways

Answer: B

Question #:271

An internal audit department recently established a quality assurance (QA) program. Which of the following
activities is MOST important to include as part of the QA program requirements?

A. Periodic external assessments of the program

B. Analysis of user satisfaction reports from business lines

C. Long-term internal audit resource planning for the program

D. Feedback from internal audit staff

Answer: A

Question #:272

In assessing the priority given to systems covered in an organization’s business continuity plan (BCP), an IS
auditor should FIRST:

A. Review the backup and restore process

B. Verify the criteria for disaster recovery site selection

C. Validate the recovery time objectives and recovery point objectives

D. Review results of previous business continuity plan (BCP) tests

Answer: C

Question #:273

To help ensure the accuracy and completeness of end-user computing output it is MOST important to include
strong:

A. documentation controls.

B. change management controls.

C. access management controls

D. reconciliation controls

Answer: D

Question #:274

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been
performed. The auditor should FIRST:

A. evaluate the impact on current disaster recovery capability.

B. issue an intermediate report to management

C. conduct additional compliance testing

D. perform business impact analysis

Answer: A

Question #:275

Which of the following is an IS auditor's BEST course of action upon learning that preventive controls have
been replaced with detective and corrective controls?

A. Report the issue to management as the risk level has increased.

B. Evaluate whether new controls manage the risk at an acceptable level.

C. Verify the revised controls enhance the efficiency of related business processes.

D. Recommend the implementation of preventive controls in addition to the other controls.

Answer: B

Question #:276

Which of the following is the GREATEST benefit of utilizing data analytics?

A. Improved communication with management due to more confidence with data results

B. Better risk assessments due to the identification of anomalies and trends

C. Higher-quality audit evidence due to more representative audit sampling

D. Expedient audit planning due to early identification of problem areas and incomplete data

Answer: B

Question #:277

Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?

A. Potentially fraudulent invoice payments originating within the accounts payable department

B. Completion of inappropriate cross-border transmission of personally identifiable information (PII)

C. Unauthorized salary or benefit changes to the payroll system generated by authorized users

D. Issues resulting from an unsecured application automatically uploading transactions to the general
ledger

Answer: A

Question #:278

Which of the following BEST facilitates the management of assets during the implementation of an
information system?

A. Configuration management database (CMDB)

B. Quality management controls

C. Decision support system

D. Asset procurement system

Answer: A

Question #:279

When an organization introduces virtualization into its architecture, which of the following should be an IS
auditor's PRIMARY area of focus to verify adequate protection?

A. Shared storage space

B. Host operating system configuration

C. Maintenance cycles

D. Multiple versions of the same operating system

Answer: B

Question #:280

An IS auditor has obtained a large complex data set for analysis. Which of the following activities will MOST
improve the output from the use of data analytics tools?

A. Data classification

B. Data preparation

C. Data masking

D. Data anonymization

Answer: B

Question #:281

What is the MOST critical finding when reviewing an organization's information security management?

A. No periodic assessments to identify threats and vulnerabilities

B. No dedicated security officer

C. No employee awareness training and education program

D. No official charter for the information security management system

Answer: C
Question #:282

Which of the following should be the PRIMARY audience for a third-party technical security assessment
report?

A. Operational IT management

B. Board of directors

C. Legal counsel

D. External regulators

Answer: A

Question #:283

Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?

A. Inability to obtain customer confidence

B. Inability to manage access to private or sensitive data

C. Failure to comply with data-related regulations

D. Failure to prevent fraudulent transactions

Answer: C

Question #:284

An airline's online booking system uses an automated script that checks whether fares are within the defined
threshold of what is reasonable before the fares are displayed on the website. Which type of control is in
place?

A. Preventive control

B. Corrective control

C. Detective control

D. Compensating control

Answer: A
Question #:285

Which of the following is the MOST effective control for protecting the confidentiality and integrity of data
stored unencrypted on virtual machines?

A. Restrict access to images and snapshots of virtual machines

B. Limit creation of virtual machine images and snapshots

C. Monitor access to stored images and snapshots of virtual machines

D. Review logical access controls on virtual machines regularly

Answer: A

Question #:286

Which of the following should an IS auditor expect to see in a network vulnerability assessment?

A. Misconfiguration and missing updates

B. Malicious software and spyware

C. Zero-day vulnerabilities

D. Security design flaws

Answer: A

Question #:287

Which of the following would be the MOST significant factor when choosing among several backup system
alternatives with different restoration speeds?

A. Recovery point objective (RPO)

B. Mean time between failures (MTBFs)

C. Maximum tolerable outages (MTOs)

D. Recovery time objective (RTO)

Answer: D

Question #:288

Which of the following is the PRIMARY objective of implementing privacy-related controls within an
organization?

A. To comply with legal and regulatory requirements

B. To provide options to individuals regarding use of their data

C. To prevent confidential data loss

D. To identify data at rest and data in transit for encryption

Answer: B

Question #:289

Which of the following approaches would utilize data analytics to facilitate the testing of a new account
creation process?

A. Review new account applications submitted in the past month for invalid dates of birth

B. Evaluate configuration settings for the date of birth field requirements.

C. Review the business requirements document for date of birth field requirements.

D. Attempt to submit new account applications with invalid dates of birth

Answer: A

Question #:290

Which of the following is the role of audit leadership in ensuring the quality of audit and engagement
performance?

A. Ensuring audit customers remain highly satisfied with the quality of audit performance

B. Reviewing identified risks to ensure associated processes are included in the audit program

C. Reviewing key performance results to ensure process improvements are implemented

D. Ensuring the scope of peer quality assurance (QA) reviews is sufficient to address board concerns

Answer: C

Question #:291

An IS auditor intends to accept a management position in the data processing department within the same
organization. However, the auditor is currently working on an audit of a major application and has not yet
finished the report. Which of the following would be the BEST step tor the IS auditor to take?

A. Start in the position immediately.

B. Start in the position and inform the application owner of the job change.

C. Complete the audit without disclosure and then start in the position.

D. Disclose this issue to the appropriate parties.

Answer: D

Question #:292

Which of the following processes BEST addresses the risk associated with the deployment of a new
production system?

A. Release management

B. Configuration management

C. Change management

D. Incident management

Answer: C

Question #:293

An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings.
Which of the following would be the BEST recommendation?

A. Update the acceptable use policy for mobile devices.

B. Encrypt data between corporate gateway and devices.

C. Notify employees to set passwords to a specified length

D. Apply security policy to the mobile devices.

Answer: D

Question #:294

An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed.
Which of the following should be the IS auditor's NEXT course of action?

A. Report this control process weakness to senior management

B. Obtain a verbal confirmation from IT for this exemption.

C. Review the list of end-users and evaluate for authorization.

D. Verify management's approval for this exemption.

Answer: C

Question #:295

Which of the following presents the GREATEST concern when implementing data flow across borders?

A. Equipment incompatibilities

B. National privacy laws

C. Political unrest

D. Software piracy laws

Answer: B

Question #:296

Which of the following should be the FIRST step to help ensure the necessary regulatory requirements are
addressed in an organization's cross-border data protection policy?

A. Perform a business impact analysis (BIA).

B. Conduct stakeholder interviews.

C. Perform a gap analysis.

D. Conduct a risk assessment.

Answer: C

Question #:297

Which of the following is the MOST effective way to minimize the risk of a SQL injection attack?

A. Reconfiguring content filtering settings

B. Performing activity monitoring

C. Using secure coding practices

D. Implementing an intrusion detection tool

Answer: C

Question #:298

An organization that has suffered a cyber attack is performing a forensic analysis of the affected users'
computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

A. Audit was only involved during extraction of the information.

B. The legal department has not been engaged.

C. The chain of custody has not been documented

D. An imaging process was used to obtain a copy of the data from each computer.

Answer: C
Question #:299

Due to budget constraints, an organization is postponing the replacement of an in-house developed
mission-critical application. Which of the following represents the GREATEST risk?

A. Inability to virtualize the server

B. Eventual replacement may be more expensive

C. Inability to align to changing business needs

D. Maintenance costs may rise

Answer: C

Question #:300

An accounts receivable data entry routine prevents the entry of the same customer with different account
numbers. Which of the following is the BEST way to test if this programmed control is effective?

A. Implement a computer-assisted audit technique (CAAT).

B. Compare source code against authorized software.

C. Review a sorted customer list for duplicates.

D. Attempt to create a duplicate customer.

Answer: D

Question #:301

Which of the following is the PRIMARY reason an IS auditor should use an IT-related framework as a basis
for scoping and structuring an audit?

A. It provides a foundation to recommend certification of the organization's compliance with the framework.

B. It simplifies audit planning and reduces resource requirements to complete an audit.

C. It demonstrates to management whether legal and regulatory requirements have been met.

D. It helps ensure comprehensiveness of the review and provides guidance on best practices.

Answer: D

Question #:302

An IS auditor is planning on utilizing attribute sampling to determine the error rate for health care claims
processed. Which of the following factors will cause the sample size to decrease?

A. Tolerable error rate increase

B. Acceptable risk level decrease

C. Expected error rate increase

D. Population size increase

Answer: A

Question #:303

The MOST important reason why an IT risk assessment should be updated on a regular basis is to:

A. comply with risk management policies

B. comply with data classification changes.

C. react to changes in the IT environment.

D. utilize IT resources in a cost-effective manner.

Answer: C

Question #:304

Which of the following is the BEST compensating control for a lack of proper segregation of duties in an IT
department?

A. Audit trail reviews

B. System activity logging

C. Authorization forms

D. Control self-assessment (CSA)

Answer: A

Question #:305

Which of the following will BEST help to ensure that an in-house application in the production environment is
current?

A. Version control procedures

B. Change management

C. Production access control

D. Quality assurance

Answer: A

Question #:306

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

A. provide solutions for control weaknesses.

B. report on the internal control weaknesses.

C. focus the team on internal controls.

D. conduct interviews to gain background information.

Answer: C

Question #:307

An IS auditor reviewing a high-risk business application has identified the need to strengthen controls for
reporting malfunctions to management Which of the following would BEST facilitate timely reporting?

A. Change prioritization

B. Security event logging

C. Performance monitoring

D. Incident management procedures

Answer: C

Question #:308

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party
service provider. Which of the following would be the BEST way to prevent accepting bad data?

A. Appoint data quality champions across the organization

B. Obtain error codes indicating failed data feeds

C. Purchase data cleansing tools from a reputable vendor

D. Implement business rules to reject invalid data

Answer: D
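Questions 235, 284 and 308 all turn on programmed input controls: a validity check on an account number, a reasonableness threshold on a value, and business rules that reject bad rows before they are loaded. The block below is an added example, not from the dump, that implements those rules for a constructed accounts-receivable feed. It assumes account numbers carry a Luhn check digit and that the customer master records a credit limit (limit check) and a typical invoice size (reasonableness band); the master data, rule wording and sample rows are hypothetical.

```python
"""Added example (not from the dump): validity, limit, reasonableness,
duplicate and completeness checks on a constructed AR transaction feed."""


def luhn_valid(number: str) -> bool:
    """Validity check: Luhn check digit (catches single-digit errors and
    most adjacent transpositions in a keyed account number)."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Constructed customer master (hypothetical accounts; both pass Luhn).
CUSTOMER_MASTER = {
    "79927398713": {"name": "Northwind Traders", "credit_limit": 5000.00, "typical_invoice": 800.00},
    "12345674": {"name": "Contoso Ltd", "credit_limit": 20000.00, "typical_invoice": 2500.00},
}

REQUIRED = ("doc", "account", "amount")


def validate_ar_transaction(txn, master, posted_docs):
    """Return the list of control failures for one transaction (empty = accept)."""
    missing = [f for f in REQUIRED if txn.get(f) in (None, "")]
    if missing:
        return [f"completeness: missing {', '.join(missing)}"]
    failures = []
    if txn["doc"] in posted_docs:
        failures.append("duplicate: document number already posted")
    acct = str(txn["account"])
    if not luhn_valid(acct):
        failures.append("validity: account number fails check digit")
    cust = master.get(acct)
    if cust is None:                       # existence check against the master file
        failures.append("validity: account not in customer master")
        return failures                    # amount rules need master data
    amount = float(txn["amount"])
    if amount <= 0:
        failures.append("limit: amount must be positive")
    if amount > cust["credit_limit"]:
        failures.append("limit: amount exceeds credit limit")
    lo, hi = 0.1 * cust["typical_invoice"], 10 * cust["typical_invoice"]
    if not lo <= amount <= hi:             # reasonableness: within the customer's usual band
        failures.append("reasonableness: amount outside the customer's usual range")
    return failures


def process_feed(rows, master=CUSTOMER_MASTER):
    """Business-rule gate for an inbound feed: rows with any failure are
    rejected with their reasons; accepted rows are tracked for duplicate checks."""
    accepted, rejected, posted = [], [], set()
    for row in rows:
        problems = validate_ar_transaction(row, master, posted)
        if problems:
            rejected.append((row.get("doc"), problems))
        else:
            accepted.append(row)
            posted.add(row["doc"])
    return accepted, rejected


# Constructed feed: a clean row, a transposed account number, an over-limit
# amount, and a re-sent copy of the first row.
FEED = [
    {"doc": "AR-5001", "account": "79927398713", "amount": 750.00},
    {"doc": "AR-5002", "account": "79927398731", "amount": 750.00},
    {"doc": "AR-5003", "account": "79927398713", "amount": 9500.00},
    {"doc": "AR-5001", "account": "79927398713", "amount": 750.00},
]

if __name__ == "__main__":
    ok, bad = process_feed(FEED)
    print("accepted:", [r["doc"] for r in ok])
    for doc, why in bad:
        print("rejected", doc, "->", "; ".join(why))
```

The rejection reasons are returned rather than logged so the same function serves both the preventive gate on the live feed and an auditor's re-performance over a historical extract; the rule wording and thresholds are assumptions for the example.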

Question #:309

Which of the following is the GREATEST concern when an organization allows personal devices to connect
to its network?

A. It is difficult to enforce the security policy on personal devices.

B. It is difficult to maintain employee privacy.

C. IT infrastructure costs will increase.

D. Help desk employees will require additional training to support devices.

Answer: A

Question #:310

Which of the following is the BEST way to mitigate the risk associated with a document storage application
that has a syncing feature that could allow malware to spread to other machines in the network?

A. User behavior modeling and analysis should be performed to discover anomalies in user behavior.

B. Content inspection technologies should be used to scan files for sensitive data.

C. All files should be scanned when they are uploaded to and downloaded from the application.

D. An audit should be conducted to detect shadow data and shadow IT in the network.

Answer: C
Question #:311

To develop a robust data security program, the FIRST course of action should be to:

A. perform an inventory of assets.

B. implement data loss prevention controls.

C. interview IT senior management.

D. implement monitoring controls.

Answer: A

Question #:312

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

A. Developing and communicating test procedure best practices to audit teams

B. Centralizing procedures and implementing change control

C. Developing and implementing an audit data repository

D. Decentralizing procedures and implementing periodic peer review

Answer: B

Question #:313

After the release of an application system, an IS auditor wants to verify that the system is providing value to
the organization. The auditor’s BEST course of action would be to:

A. Quantify improvements in client satisfaction

B. Perform a gap analysis against the benefits defined in the business case

C. Review the results of compliance testing

D. Confirm that risk has declined since the application system release

Answer: B

Question #:314

Which of the following provides the MOST assurance over the completeness and accuracy of loan application
processing with respect to the implementation of a new system?

A. Comparing code between old and new systems

B. Loading balance and transaction data to the new system

C. Running historical transactions through the new system

D. Reviewing quality assurance (QA) procedures

Answer: C

Question #:315

Data analytics tools are BEST suited for which of the following purposes?

A. Identifying business process errors

B. Quantifying business impact analysis (BIA) results

C. Examining low-frequency business transactions

D. Analyzing the effectiveness of risk assessment processes

Answer: A

Question #:316

Which of the following would BEST facilitate the detection of internal fraud perpetrated by an individual?

A. Mandatory leave

B. Flexible time

C. Corporate fraud hotline

D. Segregation of duties

Answer: A

Question #:317

An organization's business function wants to capture customer data and must comply with global data
protection regulations. Which of the following should be considered FIRST?

A. The location of data storage

B. The encryption method for the data

C. The attributes of collected data

D. The legal basis for collecting the data

Answer: D

Question #:318

An IS audit manager has been asked to perform a quality review on an audit that the same manager also
supervised. Which of the following is the manager's BEST response to this situation?

A. Discuss with the audit team to understand how conclusions were reached.

B. Determine whether audit evidence supports audit conclusions.

C. Escalate the situation to senior audit leadership.

D. Notify the audit committee of the situation.

Answer: C
Question #:319

During an internal audit review of a human resources (HR) recruitment system implementation, the IS
auditor notes that several defects were unresolved at the time the system went live. Which of the following is
the auditor's MOST important task prior to formulating an audit opinion?

A. Review the initial implementation plan for timelines.

B. Confirm the project plan was approved.

C. Review the user acceptance test (UAT) results for defects.

D. Confirm the severity of the identified defects.

Answer: D

Question #:320

A software development organization with offshore personnel has implemented a third-party virtual
workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern?

A. Team collaboration sessions are not monitored.

B. The team's work products are not properly classified as intellectual property.

C. The virtual workspace is configured to interface with other applications.

D. Exfiltration of data could occur through the virtual workspace.

Answer: D

Question #:321

Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things
(IoT) devices?

A. Verify access control lists to the database where collected data is stored.

B. Determine how devices are connected to the local network.

C. Confirm that acceptable limits of data bandwidth are defined for each device.

D. Ensure that message queue telemetry transport (MQTT) is used.

Answer: B

Question #:322

During a post-implementation review, a step in determining whether a project met user requirements is to
review the:

A. completeness of user documentation.

B. integrity of key calculations.

C. effectiveness of user training.

D. change requests initiated after go-live.

Answer: D

Question #:323

An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure
that:

A. security parameters are set in accordance with the organization's policies.

B. security parameters are set in accordance with the manufacturer's standards.

C. a detailed business case was formally approved prior to the purchase.

D. the procurement project invited tenders from at least three different suppliers.

Answer: A

Question #:324

Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?

A. The testing process can be automated to cover large groups of assets.

B. Network bandwidth is utilized more efficiently.

C. Custom-developed applications can be tested more accurately.

D. The testing produces a lower number of false positive results.

Answer: B

Question #:325

An organization's security policy mandates that all new employees must receive appropriate security
awareness training. Which of the following metrics would BEST assure compliance with this policy?

A. Percentage of new hires who report incidents

B. Number of reported incidents by new hires

C. Percentage of new hires that have completed the training.

D. Number of new hires who have violated enterprise security policies

Answer: D

Question #:326

Which of the following should an IS auditor review FIRST when evaluating a business process for auditing?

A. Competence of the personnel performing the process

B. Design and implementation of controls

C. Evidence that IS-related controls are operating effectively

D. Assignment of responsibility for process management

Answer: B

Question #:327

An organization is developing a web portal using some external components. Which of the following should
be of MOST concern to an IS auditor?

A. Some of the developers are located in another country.

B. The organization has not reviewed the components for known exploits.

C. Open-source components were integrated during development.

D. Staff require additional training in order to perform code review.

Answer: B

Question #:328

While conducting a review of project plans related to a new software development, an IS auditor finds the
project initiation document (PID) is incomplete. What is the BEST way for the auditor to proceed?

A. Meet with the project sponsor to discuss the incomplete document.

B. Prepare a finding for the audit report.

C. Inform audit management of possible risks associated with the deficiency.

D. Escalate to the project steering committee.

Answer: A

Question #:329

Which of the following is MOST important to ensure during computer forensics investigations?

A. The contents of digital evidence are preserved in their original form.

B. The analysis is performed against the original digital evidence.

C. Personnel undertaking the investigation process are certified to collect digital evidence.

D. Effective backup schemes are in place to preserve digital evidence.

Answer: A

Question #:330

Which of the following should occur EARLIEST in a business continuity management lifecycle?

A. Defining business continuity procedures

B. Carrying out a threat and risk assessment

C. Developing a training and awareness program

D. Identifying critical business processes

Answer: D

Question #:331

An IS auditor is reviewing environmental controls and finds extremely high levels of humidity in the data
center. Which of the following is the PRIMARY risk to computer equipment from this condition?

A. Corrosion

B. Static electricity

C. Brownout

D. Fire

Answer: A

Question #:332

When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not
exceed which of the following?

A. Service level objective (SLO)

B. Recovery time objective (RTO)

C. Maximum acceptable outage (MAO)

D. Recovery point objective (RPO)

Answer: D

Question #:333

Which of the following is an IS auditor's BEST guidance regarding the use of IT frameworks?

A. To ensure consistency throughout the organization, management should adopt a single comprehensive
framework.

B. Frameworks provide standards that enable management to benchmark against peer organizations.

C. Frameworks encourage efficiency, provide a way to measure effectiveness, and allow for improvements.

D. Industry-specific frameworks, when available, are preferred over the more generic comprehensive
frameworks.

Answer: C

Question #:334

One advantage of monetary unit sampling is the fact that:

A. it increases the likelihood of selecting material items from the population.

B. large-value population items are segregated and audited separately.

C. it can easily be applied manually when computer resources are not available.

D. results are stated in terms of the frequency of items in error.

Answer: A

Question #:335

Which of the following is the BEST way for an IS auditor to reduce sampling risk when performing audit
sampling to verify the adequacy of an organization's internal controls?

A. Lower the sample standard deviation.

B. Decrease the sampling size.

C. Outsource the sampling process.

D. Use a statistical sampling method.

Answer: A

Question #:336

The application systems quality assurance (QA) function should:

A. assist programmers in designing and developing applications.

B. design and develop quality applications by employing system development methodology.

C. ensure adherence of programs to standards.

D. compare programs to approved system changes.

Answer: B

Question #:337

Which of the following cloud deployment models would BEST meet the needs of a startup software
development organization with limited initial capital?

A. Community

B. Public

C. Hybrid

D. Private

Answer: B

Question #:338

During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data
quality?

A. Built-in data error prevention application controls

B. Industry standard business definitions

C. Input from customers

D. Validation of rules by the business

Answer: D

Question #:339

An emergency power-off switch should:

A. not be identified.

B. be illuminated.

C. be protected.

D. not be in the computer room.

Answer: B

Question #:340

Which of the following is the PRIMARY reason an IS auditor should discuss observations with management
before delivering a final report?

A. Identify business risks associated with the observations

B. Validate the audit observations.

C. Assist the management with control enhancements.

D. Record the proposed course of corrective action.

Answer: A

Question #:341

A security company and a service provider have merged, and the CEO has requested that one comprehensive set of
security policies be developed for the newly formed company. The IS auditor's BEST recommendation would
be to:

A. implement the service provider's policies.

B. implement the security company's policies.

C. adopt an industry standard security policy.

D. conduct a policy gap assessment.

Answer: D

Question #:342

A post-implementation review of a development project concludes that several business requirements were not
reflected in the software requirement specifications. Which of the following should an IS auditor recommend
to reduce this problem in the future?

A. Appoint a business unit representative.

B. Write test cases from the user requirements.

C. Trace the changes to requirements back to all affected products.

D. Set up a configuration control board.

Answer: A

Question #:343

Which of the following BEST describes the relationship between vulnerability scanning and penetration
testing?

A. The scope of both is determined primarily by the likelihood of exploitation.

B. For entities with regulatory drivers, the two tests must be the same.

C. Both utilize a risk-based analysis that considers threat scenarios.

D. Both are labor-intensive in preparation, planning and execution.

Answer: C

Question #:344

A legacy application is running on an operating system that is no longer supported by the vendor. If the
organization continues to use the current application, which of the following should be the IS auditor's
GREATEST concern?

A. Inability to use the operating system due to potential licence issues

B. Increased cost of maintaining the system

C. Inability to update the legacy application database

D. Potential exploitation of zero-day vulnerabilities in the system

Answer: D

Question #:345

An IS auditor previously worked in an organization's IT department and was involved with the design of the
business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. The auditor should FIRST:

A. document the conflict in the audit report.

B. decline the audit assignment.

C. communicate the conflict of interest to the audit manager prior to starting the assignment.

D. communicate the conflict of interest to the audit committee prior to starting the assignment

Answer: D

Question #:346

An organization transmits large amounts of data from one internal system to another. The IS auditor is
reviewing the quality of the data at the originating point. Which of the following should the auditor verify FIRST?

A. The data has been encrypted.

B. The data extraction process is completed.

C. The data transformation is accurate.

D. The source data is accurate.

Answer: D

Question #:347

When determining which IS audits to conduct during the upcoming year, internal audit has received a request
from management for multiple audits of the contract division due to fraud findings during the prior year. Which
of the following is the BEST basis for selecting the audits to be performed?

A. Select audits based on management's suggestion.

B. Select audits based on the skill sets of the IS auditors.

C. Select audits based on collusion risk.

D. Select audits based on an organizational risk assessment.

Answer: D

Question #:348

In an environment where most IT services have been outsourced, continuity planning is BEST controlled by:

A. IT management.

B. continuity planning specialists.

C. business management.

D. outsourced service provider management.

Answer: B

Question #:349

Which of the following projects would be MOST important to review in an audit of an organization's financial
statements?

A. Automation of operational risk management processes

B. Resource optimization of the enterprise resource planning (ERP) system

C. Security enhancements to the customer relationship database

D. Outsourcing of the payroll system to an external service provider

Answer: D

Question #:350

An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and computer downtime.
This is BEST characterized as an application of:

A. risk framework

B. balanced scorecard

C. value chain analysis

D. control self-assessment (CSA)

Answer: B

Question #:351

Which of the following is the GREATEST concern when using a cold backup site?

A. Compatibility problems with existing equipment might exist.

B. Peripheral equipment might not be sufficient to handle critical applications.

C. It is difficult to test critical applications at the backup site.

D. Physical security requirements at the backup site might not be met.

Answer: C

Question #:352

When evaluating a project immediately prior to implementation, which of the following would provide the
BEST evidence that the system has the required functionality?

A. User acceptance testing (UAT) results

B. Quality assurance (QA) results

C. Integration testing results

D. Sign-off from senior management

Answer: B

Question #:353

Which of the following are BEST suited for continuous auditing?

A. Manual transactions

B. Irregular transactions

C. Low-value transactions

D. Real-time transactions

Answer: D

Question #:354

In which phase of penetration testing would host detection and domain name system (DNS) interrogation be
performed?

A. Attacks

B. Planning

C. Discovery

D. Reporting

Answer: C

Question #:355

The information security function in a large organization is MOST effective when:

A. partnered with the IS development team to determine access rights.

B. decentralized as close to the user as possible.

C. established at a corporate-wide level.

D. the function reports directly to the IS operations manager.

Answer: B

Question #:356

When measuring the effectiveness of a security awareness program, the MOST helpful key performance
indicator (KPI) is the number of:

A. employees who have signed the information security policy.

B. employees passing a phishing exercise.

C. employees attending security awareness training.

D. security incidents detected by tools.

Answer: B

Question #:357

Which of the following physical controls will MOST effectively prevent breaches of computer room security?

A. Photo IDs

B. CCTV monitoring

C. Retina scanner

D. RFID badge

Answer: C

Question #:358

In planning a major system development project, function point analysis would assist in:

A. determining the business functions undertaken by a system or program.

B. estimating the size of a system development task.

C. estimating the elapsed time of the project.

D. analyzing the functions undertaken by system users as an aid to job redesign.

Answer: D

Question #:359

Which of the following would be the GREATEST risk associated with a new chat feature on a retailer's
website?

A. Productivity loss

B. Reputational damage

C. System downtime

D. Data loss

Answer: A

Question #:360

An organization processing high volumes of financial transactions has implemented log file analysis on a
central log server to continuously monitor compliance with its fraud policy. Which of the following poses the
GREATEST risk to this control?

A. IT operations staff have the right to restart the log server.

B. Data entry staff have privileged access to the log server.

C. IT operations staff are able to stop the payment processing system.

D. Software developers have read access to the log server.

Answer: B

Question #:361

Which of the following is the PRIMARY protocol for protecting outbound content from tampering and
eavesdropping?

A. Transport Layer Security (TLS)

B. Secure Shell (SSH)

C. Point-to-Point Protocol (PPP)

D. Internet Key Exchange (IKE)

Answer: A

Question #:362

Which of the following focus areas is a responsibility of IT management rather than IT governance?

A. IT controls implementation

B. Risk optimization

C. IT resource optimization

D. Benefits realization

Answer: A

Question #:363

When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be
MOST concerned with inappropriate:

A. training

B. encryption

C. tuning

D. patching

Answer: C

Question #:364

What would be an IS auditor's GREATEST concern when using a test environment for an application audit?

A. Test and production environments do not mirror each other.

B. Developers have access to the test environment.

C. Test and production environments lack data encryption.

D. The retention period of test data has been exceeded.

Answer: A

Question #:365

An IS auditor reviewing a checkpoint/restart procedure should be MOST concerned if it is applied after:

A. an incremental data backup is performed.

B. a temporary hardware failure.

C. power loss to the data center.

D. an incorrect version of the program is executed.

Answer: D

Question #:366

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion
prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a
sequence of logged events that could indicate an error in the IPS configuration?

A. Sampling risk

B. Inherent risk

C. Detection risk

D. Control risk

Answer: C

Question #:367

Which of the following is the GREATEST concern with conducting penetration testing on an internally
developed application in the production environment?

A. The testing could create application availability issues.

B. The testing may identify only known operating system vulnerabilities.

C. The issues identified during the testing may require significant remediation efforts.

D. Internal security staff may not be qualified to conduct application penetration testing.

Answer: A

Question #:368

The risk of communication failure in an e-commerce environment is BEST minimized through the use of:

A. a packet filtering firewall to reroute messages.

B. alternative or diverse routing.

C. functional or message acknowledgments.

D. compression software to minimize transmission duration.

Answer: C

Question #:369

An IS auditor begins an assignment and identifies audit components for which the auditor is not qualified to
assess. Which of the following is the BEST course of action?

A. Exclude the related tests from the audit plan and continue the assignment.

B. Notify audit management for a decision on how to proceed.

C. Complete the audit and give full disclosure in the final audit report.

D. Complete the work assignment to the best of the auditor's ability.

Answer: B

Question #:370

Which of the following poses the GREATEST risk to a company that allows employees to use personally
owned devices to access customer files on the company's network?

A. The help desk might not be able to support all different types of personal devices.

B. The company's network might slow down, affecting response time.

C. Customer data may be compromised if the device is lost or stolen.

D. Employee productivity may suffer due to personal distractions.

Answer: C

Question #:371

An audit has identified that business units have purchased cloud-based applications without IT's support. What
is the GREATEST risk associated with this situation?

A. The applications could be modified without advanced notice.

B. The application purchases did not follow procurement policy.

C. The applications are not included in business continuity plans (BCPs).

D. The applications may not reasonably protect data.

Answer: C

Question #:372

An effective implementation of security roles and responsibilities is BEST evidenced across an enterprise
when:

A. reviews and updates of policies are regularly performed.

B. policies are signed off by users.

C. operational activities are aligned with policies.

D. policies are rolled out and disseminated.

Answer: C

Question #:373

Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate
users?

A. Implementing two-factor authentication

B. Using a single menu for sensitive application transactions

C. Implementing role-based access at the application level

D. Restricting access to transactions using network security software

Answer: C

Question #:374

Which of the following should be an IS auditor's BEST recommendation to prevent installation of unlicensed
software on employees' company-provided devices?

A. Enforce audit logging of software installation activities.

B. Remove unlicensed software from end-user devices.

C. Implement software blacklisting.

D. Restrict software installation authority to administrative users only.

Answer: D

Question #:375

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the
scope of an upcoming audit. What should the auditor consider the MOST significant concern?

A. There is a greater risk of system exploitation.

B. Technical specifications are not documented.

C. Disaster recovery plans (DRPs) are not in place.

D. Attack vectors are evolving for industrial control systems.

Answer: C

Question #:376

Which of the following is the MOST likely cause of a successful firewall penetration?

A. Use of a Trojan to bypass the firewall

B. Loophole in firewall vendor's code

C. Virus infection

D. Firewall misconfiguration by the administrator

Answer: D

Question #:377

An IS auditor is reviewing a banking mobile application that allows end users to perform financial
transactions. Which of the following poses a security risk to the organization?

A. Outdated mobile network settings

B. Application programming interface (API) logic faults

C. Lack of strong device passwords

D. Unpatched security vulnerabilities in the mobile operating system

Answer: D

Question #:378

Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and
objectives?

A. Business stakeholders are involved in approving the IT strategy.

B. IT strategies are communicated to all business stakeholders.

C. Organizational strategies are communicated to the chief information officer (CIO).

D. The chief information officer (CIO) is involved in approving the organizational strategies.

Answer: A

Question #:379

Which of the following is the BEST approach to identify whether a vulnerability is actively being exploited?

A. Conduct a penetration test.

B. Perform log analysis.

C. Review service desk reports.

D. Implement key performance indicators (KPIs).

Answer: B

Question #:380

A vulnerability in which of the following virtual systems would be of GREATEST concern to the IS auditor?

A. The virtual application server

B. The virtual machine management server

C. The virtual antivirus server

D. The virtual file server

Answer: B

Question #:381

When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor should FIRST
review:

A. the IT governance framework.

B. the IT processes and procedures.

C. information security procedures.

D. the most recent audit results.

Answer: A

Question #:382

An IS auditor is reviewing security controls related to collaboration tools for a unit responsible for intellectual
property and patents. Which of the following observations should be of MOST concern to the auditor?

A. Logging and monitoring for content filtering is not enabled.

B. Employees can share files with users outside the company through collaboration tools.

C. The collaboration tool is hosted and can only be accessed via an Internet browser.

D. Training was not provided to the department that handles intellectual property and patents.

Answer: D

Question #:383

Which of the following IS functions can be performed by the same group or individual while still providing
the proper segregation of duties?

A. Application programming and systems analysis

B. Computer operations and application programming

C. Security administration and application programming

D. Database administration and computer operations

Answer: A

Question #:384

Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA) workshop?

A. Assisting participants in evaluating risks and relevant controls

B. Gathering background information prior to the CSA workshop

C. Reporting results of the workshop and recommendations to management

D. Analyzing gaps between control design and control framework

Answer: A

Question #:385

Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update
software on individual workstations in the internal environment?

A. The organization may be more susceptible to cyber-attacks.

B. The organization may not be in compliance with licensing agreement.

C. System functionality may not meet business requirements.

D. The system may have version control issues.

Answer: A

Question #:386

When performing a post-implementation review, the adequacy of the data conversion effort would BEST be
evaluated by performing a thorough review of the:

A. functional conversion rules.

B. go-live conversion results.

C. conversion user acceptance testing (UAT) results.

D. detailed conversion approach templates.

Answer: B

Question #:387

Which of the following is MOST likely to be included in computer operating procedures in a large data
center?

A. Guidance on setting security parameters

B. Procedures for resequencing source code

C. Procedures for utility configuration

D. Instructions for job scheduling

Answer: D

Question #:388

Due to a high volume of customer orders, an organization plans to implement a new application for customers
to use for online ordering. Which type of testing is MOST important to ensure the security of the application
prior to go-live?

A. Stress testing

B. Vulnerability testing

C. Regression testing

D. User acceptance testing (UAT)

Answer: B

Question #:389

Which of the following BEST determines if a batch update job was successfully executed?

A. Obtaining process owner confirmation that the job was completed

B. Verifying the timestamp from the job log

C. Reviewing a copy of the script for the job

D. Testing a sample of transactions to confirm updates were applied

Answer: C

Question #:390

When an IS auditor evaluates key performance indicators (KPIs) for IT initiatives, it is MOST important that
the KPIs indicate:

A. IT solutions are within budget.

B. IT objectives are measured.

C. IT resources are fully utilized.

D. IT deliverables are process driven.

Answer: B

Question #:391

A bank has implemented a new accounting system. Which of the following is the BEST time for an IS auditor
to perform a post-implementation review?

A. After user acceptance testing (UAT) is completed

B. One full year after go-live

C. As close to go-live as possible

D. After the first reporting cycle

Answer: C

Question #:392

Which of the following is the BEST development methodology to help manage project requirements in a
rapidly changing environment?

A. Prototyping

B. Iterative development process

C. Object-oriented system development

D. Waterfall development process

Answer: B

Question #:393

An IS auditor is assessing an organization’s data loss prevention (DLP) solution for protecting intellectual
property from insider theft. Which of the following would the auditor consider MOST important for effective
data protection?

A. Creation of DLP policies and procedures

B. Encryption of data copied to flash drives

C. Employee training on information handling

D. Identification and classification of sensitive data

Answer: D

Question #:394

Which of the following is MOST influential when defining disaster recovery strategies?

A. Annual loss expectancy

B. Maximum tolerable downtime

C. Data classification scheme

D. Existing server redundancies

Answer: A

Question #:395

Following the discovery of inaccuracies in a data warehouse, an organization has implemented data profiling,
cleansing, and handling filters to enhance the quality of data obtained from c

A. Detective control

B. Compensating control

C. Directive control

D. Corrective control

Answer: D

Question #:396

Which of the following validation techniques would BEST prevent duplicate electronic vouchers?

A. Sequence check

B. Edit check

C. Cyclic redundancy check

D. Reasonableness check

Answer: A

Question #:397

Which of the following is the GREATEST benefit of implementing an incident management process?

A. Reduction in security threats

B. Opportunity for frequent reassessment of incidents

C. Reduction in the business impact of incidents

D. Reduction of cost by the efficient use of resources

Answer: C

Question #:398

Which of the following attacks would MOST likely result in the interception and modification of traffic for
mobile phones connecting to potentially insecure public Wi-Fi networks?

A. Man-in-the-middle

B. Phishing

C. Vishing

D. Brute force

Answer: A

Question #:399

The GREATEST risk of database denormalization is:

A. loss of database integrity.

B. decreased performance.

C. loss of data confidentiality.

D. incorrect metadata.

Answer: A

Question #:400

When deciding whether a third party can be used in resolving a suspected security breach, which of the
following should be the MOST important consideration for IT management?

A. Third-party cost

B. Incident priority rating

C. Data sensitivity

D. Audit approval

Answer: C

Question #:401

An IS auditor notes that IT and the business have different opinions on the availability of their application
servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

A. The regular performance-reporting documentation

B. The alerting and measurement process on the application servers

C. The actual availability of the servers as part of a substantive test

D. The exact definition of the service levels and their measurement

Answer: D

Question #:402

An organization wants to replace its suite of legacy applications with a new, in-house developed solution.
Which of the following is the BEST way to address concerns associated with migration of all mission-critical
business functionality?

A. Strengthen governance by hiring certified and qualified project managers for the migration.

B. Expedite go-live by migrating in a single release to allow more time for testing in production.

C. Plan multiple releases to gradually migrate subsets of functionality to reduce production risk.

D. Increase testing efforts so that all possible combinations of data have been tested prior to go-live.

Answer: C

Question #:403

During an audit of an access control system, an IS auditor finds that RFID card readers are not connected via
the network to a central server. Which of the following is the GREATEST risk associated with this finding?

A. Incidents cannot be investigated without a centralized log file.

B. Card reader firmware updates cannot be rolled out automatically.

C. Lost or stolen cards cannot be disabled immediately.

D. The system is not easily scalable to accommodate a new device.

Answer: C

Question #:404

Which of the following falls within the scope of an information security governance committee?

A. Selecting the organization's external security auditors

B. Approving access to critical financial systems

C. Reviewing content for information security awareness programs

D. Prioritizing information security technology initiatives

Answer: D

Question #:405

Which of the following situations would impair the independence of an IS auditor involved in a software
development project?

A. Determining the nature of implemented controls

B. Programming embedded audit modules

C. Being an expert advisor to the project sponsor

D. Defining end-user requirements

Answer: D

Question #:406

An employee has accidentally posted confidential data to the company's social media page. Which of the
following is the BEST control to prevent this from recurring?

A. Perform periodic audits of social media updates.

B. Implement a moderator approval process.

C. Require all updates to be made by the marketing director.

D. Establish two-factor access control for social media accounts.

Answer: B

Question #:407

An organization’s IT security policy states that user IDs must uniquely identify individuals and that users
should not disclose their passwords. An IS auditor discovers that several generic user IDs are being used.
Which of the following is the MOST appropriate course of action for the auditor?

A. Recommend a change in security policy.

B. Include the finding in the final audit report.

C. Investigate the noncompliance.

D. Recommend disciplinary action.

Answer: C

Question #:408

Which of the following is the MAIN advantage of using one-time passwords?

A. Passwords are hardware/software generated.

B. An intercepted password would be of no use.

C. The user does not need to remember passwords.

D. They are suitable for e-commerce authentication.

Answer: B

Question #:409

The practice of periodic secure code reviews is which type of control?

A. Preventive

B. Compensating

C. Corrective

D. Detective

Answer: A

Question #:410

Compared to developing a system in-house, acquiring a software package means that the need for testing by
end users is:

A. eliminated.

B. increased.

C. reduced.

D. unchanged.

Answer: B

Question #:411

An organization recently implemented a data loss prevention (DLP) solution to control data in transit. Which
of the following would be the GREATEST risk related to the DLP implementation?

A. Scanning end-points during peak hours

B. Inadequate data classification

C. Improperly configured DLP modules

D. DLP false positive alerts

Answer: B

Question #:412

Which of the following is MOST important for an effective control self-assessment (CSA) program?

A. Understanding the business process

B. Performing detailed test procedures

C. Evaluating changes to the risk environment

D. Determining the scope of the assessment

Answer: A

Question #:413

Which of the following would provide an IS auditor with the MOST assurance when auditing the
implementation of a new application system?

A. Substantive testing

B. Statistical sampling

C. Sign-off by system owner

D. Attribute sampling

Answer: A

Question #:414

A new application will require multiple interfaces. Which of the following testing methods can be used to
detect interface errors early in the development life cycle?

A. Bottom up

B. Acceptance

C. Top down

D. Sociability

Answer: C

Question #:415

What is the PRIMARY benefit of prototyping as a method of system development?

A. Reduces the need for testing.

B. Minimizes the time the IS auditor has to review the system.

C. Increases the likelihood of user satisfaction.

D. Eliminates the need for documentation.

Answer: C

Question #:416

Which of the following is a benefit of the DevOps development methodology?

A. It leads to a well-defined system development life cycle (SDLC).

B. It enforces segregation of duties between code developers and release migrators.

C. It enables increased frequency of software releases to production.

D. It restricts software releases to a fixed release schedule.

Answer: C

Question #:417

Which control type would provide the MOST useful input to a root cause analysis?

A. Compensating

B. Detective

C. Directive

D. Corrective

Answer: B

Question #:418

Which of the following is MOST important for an IS auditor to consider when reviewing documentation for an
organization's forensics policy?

A. Assigned roles and responsibilities

B. Notification processes

C. Access controls

D. Evidence preservation

Answer: D

Question #:419

Which of the following should be an IS auditor's GREATEST concern when reviewing an outsourcing
arrangement with a third-party cloud service provider to host personally identifiable data?

A. The data is not adequately segregated on the host platform.

B. Fees are charged based on the volume of data stored by the host.

C. The outsourcing contract does not contain a right-to-audit clause.

D. The organization's servers are not compatible with the third party's infrastructure.

Answer: A

Question #:420

Which of the following findings should be of GREATEST concern to an IS auditor conducting a forensic
analysis following incidents of suspicious activities on a server?

A. Audit logs are not enabled on the server.

B. The server is outside the domain.

C. The server's operating system is outdated.

D. Most suspicious activities were created by system IDs.

Answer: A

Question #:421

A manager identifies active privileged accounts belonging to staff who have left the organization. Which of
the following is the threat actor in this scenario?

A. Hacktivists

B. Terminated staff

C. Deleted log data

D. Unauthorized access

Answer: B

Question #:422

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

A. A heat map with the gaps and recommendations displayed in terms of risk

B. Available resources for the activities included in the action plan

C. Supporting evidence for the gaps and recommendations mentioned in the audit report

D. A management response in the final report with a committed implementation date

Answer: D

Question #:423

Following a significant merger and acquisition, which of the following should the chief audit executive (CAE)
do FIRST to evaluate the performance of the combined internal audit function?

A. Conduct performance benchmarking.

B. Identify key performance indicators (KPIs).

C. Set process maturity levels.

D. Review internal audit department procedures.

Answer: D

Question #:424

An organization is running servers with critical business applications that are in an area subject to frequent but
brief power outages. Knowledge of which of the following would allow the organization’s management to
monitor the ongoing adequacy of the uninterruptable power supply (UPS)?

A. Number of servers supported by the UPS

B. Duration and interval of the power outages

C. Business impact of server downtime

D. Mean time to recover servers after failure

Answer: B

Question #:425

Both statistical and nonstatistical sampling techniques:

A. permit the auditor to quantify and fix the level of risk.

B. permit the auditor to quantify the probability of error.

C. provide each item an equal opportunity of being selected.

D. require judgment when defining population characteristics.

Answer: D

Question #:426

The activation of a pandemic response plan has resulted in a remote workforce situation. Which of the
following technologies poses the GREATEST risk to data confidentiality?

A. Remotely managed network switches

B. Rapid increase in the number of virtual private network (VPN) users

C. On-premise employee workstations left unattended

D. BYOD devices without adequate endpoint protection

Answer: D

Question #:427

A manufacturing company is implementing application software for its sales and distribution system. Which of
the following is the MOST important reason for the company to choose a centralized online database?

A. Elimination of multiple points of failure

B. Elimination of the need for data normalization

C. Enhanced data redundancy

D. Enhanced integrity controls

Answer: D

Question #:428

An IS auditor is reviewing a network diagram. Which of the following would be the BEST location for
placement of a firewall?

A. Between virtual local area networks (VLANs)

B. At borders of network segments with different security levels

C. Between each host and the local network switch/hub

D. Inside the demilitarized zone (DMZ)

Answer: B

Question #:429

Which of the following is the BEST control to help prevent sensitive data leaving an organization via email?

A. Providing encryption solutions for employees

B. Conducting periodic phishing tests

C. Blocking outbound emails sent without encryption

D. Scanning outgoing emails

Answer: D
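Worked example, added here and not from the ISACA material or this dump: a minimal outbound-mail scanner of the kind answer D describes, and the kind of DLP module that Question 411 says must be configured correctly. It parses an RFC 5322 message with Python's standard email package, walks the body and every text attachment, and flags Luhn-valid card numbers and SSN-shaped values. The sample message, the addresses and the BLOCK/ALLOW verdict are constructed for the illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Candidate primary account numbers: 13-19 digits with optional single space/dash separators.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the conventional 3-2-4 layout.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: separates real card numbers from arbitrary digit runs (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list:
    """Returns (kind, masked_value) pairs; only the last four digits survive into the alert."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", "***-**-" + m.group()[-4:]))
    return findings


def scan_outbound(raw_message: str) -> tuple:
    """Walks every text part (body and attachments) of a message and returns (verdict, findings)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers; binary attachments would need file-type parsers
        location = part.get_filename() or part.get_content_type()
        for kind, masked in find_sensitive(part.get_content()):
            findings.append((location, kind, masked))
    return ("BLOCK" if findings else "ALLOW"), findings


def build_sample() -> str:
    """Constructed outbound message (not real data): a Luhn-valid test PAN, a non-PAN 16-digit
    order reference that must not be flagged, and an SSN hidden inside a CSV attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "partner@example.net"
    msg["Subject"] = "Invoice and staff list"
    msg.set_content("Hi, invoice 2024-000123 is attached.\n"
                    "Test card: 4111 1111 1111 1111.\n"
                    "Order ref 1234567890123456.\n")
    msg.add_attachment("name,ssn\nJ. Doe,123-45-6789\n", subtype="csv", filename="staff.csv")
    return msg.as_string()


if __name__ == "__main__":
    verdict, hits = scan_outbound(build_sample())
    print(verdict, hits)
```

Two design points matter in practice: the Luhn check is what keeps the false-positive rate tolerable (every 16-digit order number would otherwise trigger), and attachments must be scanned as well as the body, since that is where structured PII usually travels. A real module would add file-type parsers for spreadsheets and PDFs and would be tuned against the organization's own data classification, which is why Question 411 treats inadequate classification as the bigger risk.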

Question #:430

Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques
(CAATs)?

A. To efficiently test an entire population

B. To perform direct testing of production data

C. To conduct automated sampling for testing

D. To enable quicker access to information

Answer: A

Question #:431

Which of the following is MOST important for an IS auditor to verify when reviewing a critical business
application that requires high availability?

A. Algorithms are reviewed to resolve process inefficiencies.

B. Users participate in offsite business continuity testing.

C. There is no single point of failure.

D. Service level agreements (SLAs) are monitored.

Answer: C

Question #:432

Which of the following weaknesses would have the GREATEST impact on the effective operation of a
perimeter firewall?

A. Potential back doors to the firewall software

B. Use of stateful firewalls with default configuration

C. Ad hoc monitoring of firewall activity

D. Misconfiguration of the firewall rules

Answer: D

Question #:433

Which of the following is MOST important for an IS auditor to consider during a review of the IT governance
of an organization?

A. Funding allocation

B. Defined service levels

C. Risk management methodology

D. Decision making responsibilities

Answer: D

Question #:434

A company uses a standard form to document and approve all changes in production programs. To ensure that
the forms are properly authorized, which of the following is the MOST effective sampling method?

A. Random

B. Stratified

C. Attribute

D. Variable

Answer: C

Question #:435

Which of the following should be of concern to an IS auditor performing a software audit on virtual machines?

A. Software licensing does not support virtual machines

B. Applications have not been approved by the chief financial officer (CFO) .

C. Multiple users can access critical applications

D. Software has been installed on virtual machines by privileged users.

Answer: A

Question #:436

Which of the following is the PRIMARY reason for an organization's procurement processes to include an
independent party who is not directly involved with business operations and related decision-making?

A. To ensure continuity of processes and procedures

B. To optimize use of business team resources

C. To avoid conflicts of interest

D. To ensure favorable price negotiations

Answer: C

Question #:437

Which of the following should be of GREATEST concern to an IS auditor testing interface controls for an
associated bank wire transfer process?

A. Data is not independently verified by a third party.

B. Data in the bank's wire transfer system does not reconcile with transferred data.

C. Customer-provided information does not appear to be accurate.

D. The wire transfer was not completed with the most recent secure protocol.

Answer: B

Question #:438

Which of the following should an IS auditor validate FIRST when reviewing the security of an organization’s
IT infrastructure as it relates to Internet of Things (IoT) devices?

A. Identification and inventory of IoT devices

B. Access control and network segmentation for IoT devices

C. Strong password protection for IoT devices

D. Physical security of IoT devices

Answer: A

Question #:439

Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit
program?

A. Business processes

B. IT strategic plans

C. Portfolio management

D. Business plans

Answer: A

Question #:440

Following the sale of a business division, employees will be transferred to a new organization, but they will
retain access to IT equipment from the previous employer. An IS auditor has recommended that both
organizations agree to and document an acceptable use policy for the equipment. What type of control has
been recommended?

A. Detective control

B. Directive control

C. Preventive control

D. Corrective control

Answer: B

Question #:441

A bank is relocating its servers to a vendor that provides data center hosting services to multiple clients. Which
of the following controls would restrict other clients from physical access to the bank servers?

A. Locking server cages

B. Biometric access at all data center entrances

C. 24-hour security guards

D. Closed-circuit television camera

Answer: A

Question #:442

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to
another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the
change?

A. Preserving the same data inputs

B. Preserving the same data interfaces

C. Preserving the same data classifications

D. Preserving the same data structure

Answer: D

Question #:443

During which phase of the incident management life cycle should metrics such as "mean time to incident
discovery" and "cost of recovery" be reported?

A. Containment, analysis, tracking, and recovery

B. Post-incident assessment

C. Planning and preparation

D. Detection, triage, and investigation

Answer: B

Question #:444

An IS auditor finds a number of system accounts that do not have documented approvals. Which of the
following should be performed FIRST by the auditor?

A. Have the accounts removed immediately

B. Obtain sign-off on the accounts from the application owner

C. Document a finding and report an ineffective account provisioning control

D. Determine the purpose and risk of the accounts

Answer: D

Question #:445

A company laptop has been stolen and all photos on the laptop have been published on social media. Which of
the following is the IS auditor's BEST course of action?

A. Determine if the laptop had the appropriate level of encryption

B. Verify the organization's incident reporting policy was followed

C. Ensure that the appropriate authorities have been notified

D. Review the photos to determine whether they were for business or personal purposes

Answer: B

Question #:446

Which of the following would BEST help prioritize various projects in an organization's IT portfolio?

A. Business cases

B. Industry trends

C. Enterprise architecture (EA)

D. Total cost of ownership (TCO)

Answer: A

Question #:447

Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of
high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What
should be done NEXT?

A. Remove audits from the annual plan to better match the number of resources available.

B. Review the audit plan and defer some audits to the subsequent year.

C. Present the annual plan to the audit committee and ask for more resources.

D. Reduce the scope of the audits to better match the number of resources available.

Answer: C

Question #:448

Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to
improve the effectiveness of its IT processes?

A. IT management should include process improvement requirements in staff performance objectives

B. IT staff should be surveyed to identify current IT process weaknesses and suggest improvements.

C. The organization should refer to poor audit reports to identify the specific IT processes to be improved

D. The organization should use a capability maturity model to identify current maturity levels for each IT
process.

Answer: D

Question #:449

An organization allows its employees to use personal mobile devices for work. Which of the following would
BEST maintain information security without compromising employee privacy?

A. Installing security software on the devices

B. Restricting the use of devices for personal purposes during working hours

C. Partitioning the work environment from personal space on devices

D. Preventing users from adding applications

Answer: C

Question #:450

What is the PRIMARY reason for conducting a risk assessment when developing an annual IS audit plan?

A. Decide which audit procedures and techniques to use

B. Determine the existence of controls in audit areas

C. Identify and prioritize audit areas

D. Provide assurance material items will be covered

Answer: C

Question #:451

Which of the following would be MOST helpful in ensuring security procedures are followed by employees in
a multinational organization?

A. Comprehensive end-user training

B. Security architecture review

C. Regular clean desk reviews

D. Regular policy updates by management

Answer: A

Question #:452

The BEST method an organization can employ to align its business continuity plan (BCP) and disaster
recovery plan (DRP) with core business needs is to:

A. include BCP and disaster recovery plan responsibilities as a part of new employee training.

B. execute periodic walk-throughs of the plans.

C. update the business impact analysis (BIA) for significant business changes.

D. outsource the maintenance of the BCP and disaster recovery plan to a third party.

Answer: C

Question #:453

A maturity model can be used to aid the implementation of IT governance by identifying:

A. improvement opportunities.

B. accountabilities.

C. performance drivers.

D. critical success factors.

Answer: A

Question #:454

An IS auditor identifies key controls that have been overridden by management. The next step the IS auditor
should take is to:

A. perform procedures to quantify the irregularities.

B. withdraw from the engagement.

C. recommend compensating controls.

D. report the absence of key controls to regulators.

Answer: A

Question #:455

An IS auditor finds that the process for removing access for terminated employees is not documented. What is
the MOST significant risk from this observation?

A. Access rights may not be removed in a timely manner

B. Unauthorized access cannot be identified

C. Procedures may not align with the practices

D. HR records may not match system access

Answer: A
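Worked example, added here and not part of the ISACA material or this dump, for Questions 421, 444 and 455: a reconciliation of an HR roster against a privileged system's account listing that surfaces enabled accounts belonging to terminated staff (and whether they were used after the termination date) and enabled accounts with no documented owner at all. The CSV extracts, employee identifiers and the as-of date are constructed for the illustration.

```python
import csv
import io
from datetime import date

# Constructed sample extracts (not real data): an HR roster and an account listing.
HR_ROSTER_CSV = """employee_id,name,status,termination_date
E100,Alice Adams,active,
E101,Bob Brown,terminated,2024-03-01
E102,Carol Chen,terminated,2024-05-20
"""

ACCOUNTS_CSV = """username,owner_employee_id,privileged,enabled,last_login
aadams,E100,no,yes,2024-06-01
bbrown,E101,yes,yes,2024-05-30
cchen,E102,no,no,2024-05-19
svc_backup,,yes,yes,2024-06-02
"""


def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile_accounts(hr_csv: str, accounts_csv: str, as_of: date) -> list:
    """Joins accounts to HR on employee id and flags:
    - enabled accounts whose owner HR lists as terminated, with days since termination and
      whether the account was logged into after that date;
    - enabled accounts with no HR owner (undocumented system or service accounts).
    Privileged accounts are rated high, everything else medium."""
    hr = {r["employee_id"]: r for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(accounts_csv):
        if acct["enabled"] != "yes":
            continue  # disabled accounts still deserve cleanup, but they are not live access
        severity = "high" if acct["privileged"] == "yes" else "medium"
        owner = hr.get(acct["owner_employee_id"])
        if owner is None:
            findings.append({"username": acct["username"], "issue": "no documented owner",
                             "severity": severity, "days_open": None})
        elif owner["status"] == "terminated":
            term = date.fromisoformat(owner["termination_date"])
            issue = "enabled after termination"
            if acct["last_login"] and date.fromisoformat(acct["last_login"]) > term:
                issue += ", used after termination"
            findings.append({"username": acct["username"], "issue": issue,
                             "severity": severity, "days_open": (as_of - term).days})
    # highest severity first, then by name, so the report reads top-down by urgency
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["username"]))


if __name__ == "__main__":
    for f in reconcile_accounts(HR_ROSTER_CSV, ACCOUNTS_CSV, date(2024, 6, 3)):
        print(f)
```

The join on employee id is the whole control: without an authoritative HR feed, the auditor can only see that an account exists, not that its owner has left. The "days_open" value quantifies the timeliness risk in Question 455, and a post-termination login turns an access-hygiene finding into an incident that needs investigation, which is the "determine the purpose and risk" step of Question 444 before any account is removed.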

Question #:456

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system.
Which of the following is the IS auditor's BEST recommendation for a compensating control?

A. Restrict payment authorization to senior staff members

B. Review payment transaction history.

C. Require written authorization for all payment transactions.

D. Reconcile payment transactions with invoices.

Answer: C

Question #:457

Which of the following features can be provided only by asymmetric encryption?

A. Data confidentiality

B. Information privacy

C. Nonrepudiation

D. 128-bit key length

Answer: C

Question #:458

The PRIMARY reason to follow up on prior-year audit reports is to determine if:

A. prior-year recommendations have become irrelevant.

B. significant changes to the control environment have occurred.

C. identified control weaknesses have been addressed.

D. inherent risks have changed.

Answer: C

Question #:459

Which of the following is the BEST way to reduce sampling risk?

A. Plan the audit in accordance with generally accepted auditing principles.

B. Ensure each item has an equal chance to be selected.

C. Assign experienced auditors to the sampling process.

D. Align the sampling approach with the one used by external auditors.

Answer: B

Question #:460

In an organization that has a staff-rotation policy, the MOST appropriate access control model is:

A. discretionary.

B. lattice-based.

C. mandatory.

D. role-based.

Answer: D

Question #:461

Which of the following backup schemes is the BEST option when storage media is limited?

A. Virtual backup

B. Real-time backup

C. Full backup

D. Differential backup

Answer: D

Question #:462

During a review of IT service desk practices, an IS auditor notes that help desk personnel are spending more
time fulfilling user requests for password resets than resolving critical incidents. Which of the following
recommendations to IT management would BEST address this situation?

A. Implement a self-service solution and redirect users to access frequently requested services.

B. Incentivize service desk personnel to close incidents within agreed service levels.

C. Calculate the age of incident tickets and alert senior IT personnel when they exceed service level
agreements (SLAs).

D. Provide annual password management training to end users to reduce the number of instances requiring
password resets.

Answer: A

Question #:463

Which of the following is the BEST preventive control to ensure the integrity of server operating systems?

A. Monitoring server performance

B. Protecting the server in a secure data center

C. Logging all activity on the server

D. Hardening the server configurations

Answer: D

Question #:464

What is the PRIMARY purpose of performing a parallel run of a new system?

A. To provide a failover plan in case of system issues.

B. To validate the operation of the new system against its predecessor.

C. To verify the new system can process the production load

D. To verify the new system provides required business functionality

Answer: D
Question #:465

When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT processing
capabilities, it is MOST important for the IS auditor to verify the plan is:

A. communicated to department heads.

B. regularly reviewed.

C. stored at an offsite location.

D. periodically tested.

Answer: D

Question #:466

Which of the following is the BEST solution to minimize risk from security flaws introduced by developers
using open source libraries?

A. Dynamic application security testing tools

B. Security business impact analysis (BIA)

C. Checks of dependencies between code libraries

D. Technical documentation review policies

Answer: C

Question #:467

Which of the following is the PRIMARY advantage of using virtualization technology for corporate
applications?

A. Increased application performance

B. Improved disaster recovery

C. Stronger data security

D. Better utilization of resources

Answer: D

Question #:468

To address issues related to privileged users identified in an IS audit, management implemented a security
information and event management (SIEM) system. Which type of control ………

A. Directive

B. Corrective

C. Preventive

D. Detective

Answer: D

Question #:469

Which of the following should be of GREATEST concern to an IS auditor reviewing the controls for a
continuous software release process?

A. Release documentation is not updated to reflect successful deployment

B. Testing documentation is not attached to production releases.

C. Developers are able to approve their own releases

D. Test libraries have not been reviewed in over six months

Answer: C

Question #:470

Which of the following is the PRIMARY benefit of using a capability maturity model?

A. It provides detailed change management strategies for performance improvement.

B. It helps the organization estimate how long it will take to reach the highest level of maturity in each area.

C. It provides a way to compare against similar organizations' maturity levels.

D. It helps the organization develop a roadmap toward its desired level of maturity in each area.

Answer: D

Question #:471

Which of the following human resources management practices BEST leads to the detection of fraudulent
activity?

A. Background checks

B. Time reporting

C. Employee code of ethics

D. Mandatory time off

Answer: D

Question #:472

A review of IT interface controls finds an organization does not have a process to identify and correct records
that do not get transferred to the receiving system. Which of the following is.........

A. Implement software to perform automatic reconciliations of data between systems

B. Automate the transfer of data between systems as much as feasible.

C. Enable automatic encryption, decryption and electronic signing of data files

D. Have coders perform manual reconciliation of data between systems

Answer: A

Question #:473

Which of the following provides for the GREATEST cost reduction in a large data center?

A. Power conditioning

B. Job-scheduling software

C. Server consolidation

D. Staff rotation

Answer: C

Question #:474

An IS audit reveals that many of an organization's Internet of Things (IoT) devices have not been patched.
Which of the following should the auditor do FIRST when determining why these devices have not received
the required patches?

A. Determine the physical location of the deployed devices

B. Review the organization's patching policy and process documentation

C. Ensure the devices are listed in the asset inventory database

D. Review the organization's most recent risk assessment on IoT devices

Answer: B

Question #:475

When a firewall is subjected to a probing attack, the MOST appropriate first response is for the firewall to:

A. alert the administrator.

B. break the Internet connection.

C. drop the packet

D. reject the packet.

Answer: C

Question #:476

When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST
important consideration is that the metrics:

A. are used by similar industries to measure the effect of IT on business strategy.

B. measure the effectiveness of IT controls in the achievement of IT strategy.

C. provide quantitative measurement of IT initiatives in relation with business targets,

D. are expressed in terms of how IT risk impacts the achievement of business goals.

Answer: C

Question #:477

Which of the following issues identified during a postmortem analysis of the IT security incident response
process should be of GREATEST concern?

A. The incident response team did not initiate actions to limit the impact of the incident

B. Incident response team members' contact details were not up to date.

C. The root cause of the incident was not properly identified and documented

D. The incident was caused by an attacker that exploited a zero-day vulnerability.

Answer: A

Question #:478

Which type of control is being implemented when a biometric access device is installed at the entrance to a
facility?

A. Preventive

B. Deterrent

C. Corrective

D. Detective

Answer: A

Question #:479

Which of the following is the MOST reliable network connection medium in an environment where there is
strong electromagnetic interference?

A. Fiber optic cable

B. Coaxial cable

C. Shielded twisted-pair cable

D. Wireless link

Answer: A

Question #:480

When reviewing an organization's information security policies, an IS auditor should verify that the policies
have been defined PRIMARILY on the basis of:

A. an information security framework.

B. industry best practices.

C. past information security incidents.

D. a risk management process.

Answer: A

Question #:481

Which of the following clauses is MOST important to include in a contract to help maintain data privacy in the
event a Platform as a Service (PaaS) provider becomes financially insolvent?

A. Intellectual property protection

B. Software escrow

C. Data classification

D. Secure data destruction

Answer: D

Question #:482

During a routine check, a system administrator identifies unusual activity indicating an intruder within a
firewall. Which of the following controls has MOST likely been compromised?

A. Data integrity

B. Identification

C. Authentication

D. Data validation

Answer: C

Question #:483

During a review of the IT strategic plan, an IS auditor finds several IT initiatives focused on delivering new
systems and technology are not aligned with the organization's strategy. Which of the following would be the
IS auditor's BEST recommendation?

A. Modify IT initiatives that do not map to business strategies.

B. Reassess IT initiatives that do not map to business strategies.

C. Utilize a balanced scorecard to align IT initiatives to business strategies.

D. Reassess the return on investment (ROI) for the IT initiatives.

Answer: C

Question #:484

Which of the following is the MAIN benefit of using data analytics when testing the effectiveness of controls?

A. Analytics can be applied to any type of control

B. Analytics remove the need to focus on areas of higher risk

C. The demand for IS auditors is reduced over time

D. The full population can be tested.

Answer: D

Question #:485

Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related to privacy?

A. Call recording

B. Incorrect routing

C. Eavesdropping

D. Denial of service (DoS)

Answer: C

Question #:486

Which of the following is MOST likely to result from compliance testing?

A. Comparison of data with physical counts

B. Confirmation of data with outside sources

C. Identification of errors due to processing mistakes

D. Discovery of controls that have not been applied

Answer: A

Question #:487

What would be of GREATEST concern to an IS auditor observing shared key cards being utilized to access an
organization's data center?

A. The lack of a multi-factor authentication system

B. The lack of enforcement of organizational policy and procedures

C. The inability to identify who has entered the data center

D. The inability to track the number of misplaced cards

Answer: C

Question #:488

An IS auditor conducting a follow-up audit learns that previously funded recommendations have not been
implemented due to recent budget restrictions. Which of the following should the

A. Report the matter to the chief financial officer (CFO) and recommend funding be reinstated

B. Report to the audit committee that the recommendations are still open

C. Close the audit recommendations in the tracking register

D. Start an audit of the project funding allocation process

Answer: B

Question #:489

During a business process re-engineering (BPR) program, IT can assist with:

A. segregation of duties

B. streamlining of tasks

C. total cost of ownership.

D. focusing on value-added tasks.

Answer: B

Question #:490

The objective of a vulnerability identification step in a risk assessment process is to:

A. determine the impact of compromise

B. develop a list of weaknesses

C. identify the compensating controls

D. determine the likelihood of a threat

Answer: B

Question #:491

Which of the following is the PRIMARY reason for using a digital signature?

A. Provide confidentiality to the transmission

B. Authenticate the sender of a message

C. Verify the integrity of the data and the identity of the recipient

D. Provide availability to the transmission

Answer: C

Question #:492

Which of the following MOST efficiently protects computer equipment against short-term reductions in
electrical power?

A. Surge protection devices

B. Alternative power supplies

C. Power line conditioners

D. Generators

Answer: C

Question #:493

Which of the following techniques would provide the BEST assurance to an IS auditor that all necessary data
has been successfully migrated from a legacy system to a modern platform?

A. Review of logs from the migration process

B. Data analytics

C. Interviews with migration staff

D. Statistical sampling

Answer: A

Question #:494

After an external IS audit, which of the following should be IT management's MAIN consideration when
determining the prioritization of follow-up activities?

A. The availability of the external auditors

B. The scheduling of major changes in the control environment

C. The materiality of the reported findings

D. The amount of time since the initial audit was completed

Answer: C

Question #:495

An audit of the quality management system (QMS) begins with an evaluation of the:

A. organization’s QMS policy

B. sequence and interaction of QMS processes

C. QMS processes and their application

D. QMS document control procedures

Answer: A

Question #:496

A project team evaluated vendor responses to a request for proposal (RFP). An IS auditor reviewing the
evaluation process would expect the team to have considered each vendor's:

A. security policy.

B. acceptance test plan

C. financial stability

D. development methodology.

Answer: A

Question #:497

Which of the following is the BEST way to confirm that a digital signature is valid?

A. Confirm that the sender's public key certificate is from a trusted certificate authority (CA).

B. Compare the hash value of the digital signature manually

C. Verify the digital signature by obtaining the sender's public key

D. Request a valid private key from the sender and compare it with the public key

Answer: A

Question #:498

Which of the following is the GREATEST concern associated with migrating computing resources to a cloud
virtualized environment?

A. An increase in inherent vulnerability

B. An increase in residual risk

C. An increase in the potential for data leakage

D. An increase in the number of e-discovery requests

Answer: C

Question #:499

An IS auditor is reviewing the implementation of an international quality management standard Which of the
following provides the BEST evidence that quality management objectives have been achieved?

A. Reduction in risk profile

B. Quality assurance (QA) documentation

C. Measurable processes

D. Enhanced compliance with laws and regulations

Answer: C

Question #:500

Which of the following observations noted during a review of the organization's social media practices should
be of MOST concern to the IS auditor?

A. The organization does not require approval for social media posts.

B. Not all employees using social media have attended the security awareness program.

C. The organization does not have a documented social media policy.

D. More than one employee is authorized to publish on social media on behalf of the organization

Answer: C

Question #:501

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an
e-commerce application system's edit routine?

A. Review of program documentation

B. Use of test transactions

C. Interviews with knowledgeable users

D. Review of source code

Answer: D

Question #:502

As part of a follow-up of a previous year’s audit, an IS auditor has increased the expected error rate for a
sample. The impact will be:

A. required sample size increases.

B. sampling risk decreases.

C. degree of assurance increases.

D. standard deviation decreases.

Answer: C

Question #:503

Which of the following will MOST likely compromise the control provided by a digital signature created
using RSA encryption?

A. Obtaining the sender's private key

B. Reversing the hash function using the digest

C. Altering the plaintext message

D. Deciphering the receiver's public key

Answer: A

Question #:504

A financial institution suspects that a manager has been crediting customer accounts without authorization.
Which of the following is the MOST effective method to validate this concern?

A. Variable sampling

B. Attribute sampling

C. Stop or go sampling

D. Discovery sampling

Answer: B

Question #:505

An IS auditor is a member of an application development team that is selecting software. Which of the
following would impair the auditor's independence?

A. Approving the vendor selection methodology

B. Verifying the weighting of each selection criterion

C. Reviewing the request for proposal (RFP)

D. Witnessing the vendor selection process

Answer: A

Question #:506

Which of the following is the client organization's responsibility in a Software as a Service (SaaS)
environment?

A. Ensuring the data is available when needed

B. Ensuring that users are properly authorized

C. Detecting unauthorized access

D. Preventing insertion of malicious code

Answer: B

Question #:507

An IS auditor is reviewing security policies and finds no mention of the return of corporate-owned
smartphones upon termination of employment. The GREATEST risk arising from this situation is that
unreturned devices:

A. cause the asset inventory to be inaccurate.

B. have access to corporate resources

C. result in loss of customer contact details

D. generate excessive telecommunication costs.

Answer: C

Question #:508

A financial institution is launching a mobile banking service utilizing multi-factor authentication. This access
control is an example of which of the following?

A. Corrective control

B. Directive control

C. Detective control

D. Preventive control

Answer: D

Question #:509

A CIO has asked an IS auditor to implement several security controls for an organization's IT processes and
systems. The auditor should:

A. obtain approval from executive management for the implementation

B. communicate the conflict of interest to audit management

C. perform the assignment and future audits with due professional care.

D. refuse due to independence issues.

Answer: B

Question #:510

An organization recently implemented a cloud document storage solution and removed the ability for end
users to save data to their local workstation hard drives. Which of the following findings should be the IS
auditor's GREATEST concern?

A. Mobile devices are not encrypted.

B. Users have not been trained on the new system.

C. Users are not required to sign updated acceptable

D. The business continuity plan (BCP) was not updated.

Answer: D

Question #:511

The purpose of data migration testing is to validate data:

A. retention.

B. completeness.

C. availability.

D. confidentiality.

Answer: B

Question #:512

For a company that outsources payroll processing, which of the following is the BEST way to ensure that only
authorized employees are paid?

A. Only payroll employees should be given the password for data entry and report retrieval.

B. Employees should receive pay statements showing gross pay, net pay, and deductions.

C. The company's bank reconciliations should be independently prepared and checked.

D. Electronic payroll reports should be independently reviewed.

Answer: D

Question #:513

An IS auditor finds that needed security patches cannot be applied to some of an organization's network
devices due to compatibility issues. The organization has not budgeted sufficiently for security upgrades.
Which of the following should the auditor recommend be done FIRST?

A. Perform a risk analysis of the relevant security issues.

B. Prioritize funding for next year's budget.

C. Discuss adding compensating controls with the vendor.

D. Implement stronger security patch management processes.

Answer: A

Question #:514

Which of the following is the GREATEST security risk associated with data migration from a legacy human
resources (HR) system to a cloud-based system?

A. Data from the source and target system may be intercepted

B. Records past their retention period may not be migrated to the new system

C. System performance may be impacted by the migration

D. Data from the source and target system may have different data formats

Answer: A

Question #:515

An IS auditor is reviewing database log settings and notices that only INSERT and DELETE operations are
being monitored in the database. What is the MOST significant risk?

A. Metadata may not be logged.

B. Purged records may not be logged.

C. Newly added records may not be logged.

D. Changes to existing records may not be logged.

Answer: D

Question #:516

What is the BEST justification for allocating more funds to implement a control for an IT asset than the actual
cost of the IT asset?

A. To protect the associated intangible business value

B. To comply with information security best practices

C. To avoid future audit findings

D. To maintain the residual value of the asset

Answer: A

Question #:517

Which of the following is the BEST source for describing the objectives of an organization's information
systems?

A. IT management

B. Business process owners

C. Information security management

D. End users

Answer: B

Question #:518

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

A. Outsourced auditing

B. Continuous auditing

C. Agile auditing

D. Risk-based auditing

Answer: D

Question #:519

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging
(IM) system?

A. Allowing only corporate IM solutions

B. Encrypting IM traffic

C. Blocking external IM traffic

D. Blocking attachments in IM

Answer: B

Question #:520

Which of the following is the BEST way to minimize the impact of a ransomware attack?

A. Perform more frequent system backups.

B. Maintain a regular schedule for patch updates.

C. Provide user awareness training on ransomware attacks.

D. Grant system access based on least privilege.

Answer: A

Question #:521

What would be an IS auditor’s BEST recommendation upon finding that a third-party IT service provider
hosts the organization's human resources (HR) system in a foreign country?

A. Perform background verification checks.

B. Implement change management review.

C. Conduct a privacy impact analysis.

D. Review third-party audit reports.

Answer: C

Question #:522

Which of the following should be of GREATEST concern to an IS auditor reviewing actions taken during a
forensic investigation?

A. The investigation report does not indicate a conclusion.

B. An image copy of the attacked system was not taken.

C. The proper authorities were not notified.

D. The handling procedures of the attacked system are not documented.

Answer: C

Question #:523

An IS auditor finds the timeliness and depth of information regarding the organization's IT projects varies
based on which project manager is assigned. Which of the following recommendations would be MOST
helpful in achieving predictable and repeatable project management processes?

A. Alignment of project performance to pay incentives

B. Adoption of business case and earned value templates

C. Use of Gantt charts and work breakdown structures

D. Measurement against defined and documented procedures

Answer: B

Question #:524

In a database management system (DBMS), normalization is used to:

A. standardize data names

B. reduce data redundancy

C. eliminate processing deadlocks

D. reduce access time

Answer: B

Question #:525

An IS auditor determines that a business continuity plan has not been reviewed and approved by management.
Which of the following is the MOST significant risk associated with this situation?

A. Continuity planning may be subject to resource constraints.

B. The plan may not be aligned with industry best practice.

C. Critical business processes may not be addressed adequately.

D. The plan has not been reviewed by risk management

Answer: C

Question #:526

An IS auditor is reviewing the key payroll interface that collects wage rates from various business applications
to process payroll. Which of the following is MOST likely to cause errors in payroll processing?

A. User acceptance testing (UAT) has not been properly documented for all changes.

B. Data conversion procedures did not include all business applications and interfaces.

C. The payroll processing application does not follow a regularly scheduled patching cycle.

D. Changes to the interface configuration settings were not adequately tested and approved.

Answer: D

Question #:527

Which of the following poses the GREATEST security risk when implementing acquired application systems?

A. Default logon IDs

B. Social engineering

C. Lack of audit logs

D. Password length

Answer: A

Question #:528

Code changes are compiled and placed in a change folder by the developer. An implementation team migrates
changes to production from the change folder. Which of the following BEST indicates separation of duties is
in place during the migration process?

A. A second individual performs code review before the change is released to production.

B. The implementation team does not have access to change the source code.

C. The implementation team does not have experience writing code.

D. The developer approves changes prior to moving them to the change folder.

Answer: B

Question #:529

Which of the following would BEST provide executive management with current information on IT related
costs and IT performance indicators?

A. Risk register

B. IT service management plan

C. Continuous audit reports

D. IT dashboard

Answer: D

Question #:530

An organization seeks to control costs related to storage media throughout the information life cycle while still
meeting business and regulatory requirements. Which of the following is the BEST way to achieve this
objective?

A. Perform periodic tape backups.

B. Stream backups to the cloud.

C. Implement a data retention policy.

D. Utilize solid state memory.

Answer: C

Question #:531

An IS auditor is assessing the results of an organization's post-implementation review of a newly developed
information system. Which of the following should be the auditor's MAIN focus?

A. Benefits realization analysis has been completed

B. The disaster recovery plan (DRP) has been updated

C. The procurement contract has been closed

D. Lessons learned have been identified

Answer: A

Question #:532

The PRIMARY reason an IS department should analyze past incidents and problems is to:

A. determine if all incidents and problems are reported

B. assess help desk performance

C. assign responsibility for problems.

D. identify the causes of recurring incidents and problems.

Answer: D

Question #:533

Which of the following is MOST likely to enable a hacker to successfully penetrate a system?

A. Unpatched software

B. Decentralized dialup access

C. Lack of DoS protection

D. Lack of virus protection

Answer: A

Question #:534

Which of the following is a corrective control that reduces the impact of a threat event?

A. Business process analysis

B. Security policy

C. Business continuity plan (BCP)

D. Segregation of duties (SoD)

Answer: C

Question #:535

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the
job-costing system. What is the BEST control to ensure that data are accurately entered into the system?

A. Validity checks preventing entry of character data

B. Reconciliation of total amounts by project

C. Display back of project detail after entry

D. Reasonableness checks for each cost type

Answer: B

Question #:536

Which of the following are examples of detective controls?

A. Use of access control software and deploying encryption software

B. Source code review and echo checks in telecommunications

C. Check points in production jobs and rerun procedures

D. Continuity of operations planning and backup procedures

Answer: B

Question #:537

In a public-key cryptosystem, when there is no previous knowledge between parties, which of the following
will BEST help to prevent one person from using a fictitious key to impersonate someone else?

A. Send the public key to the recipient prior to establishing the connection

B. Encrypt the message containing the sender's public key using a private-key cryptosystem

C. Encrypt the message containing the sender's public key using the recipient's public key

D. Send a certificate that can be verified by a certification authority with the public key

Answer: D

Question #:538

Which of the following is an objective of data transfer controls?

A. To ensure there are sufficient dedicated resources in place to facilitate data transfer

B. To ensure receiving data fields have been configured according to the structure of the transmitted data

C. To ensure the data is backed up on a regular basis

D. To ensure access control lists are accurately and completely maintained

Answer: B

Question #:539

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following
is the MOST important consideration for a go-live decision?

A. Post-implementation review objectives

B. Test cases

C. Rollback strategy

D. Business case

Answer: C

Question #:540

What should be the PRIMARY basis for scheduling a follow-up audit?

A. The significance of reported findings

B. The completion of all corrective actions

C. The availability of audit resources

D. The time elapsed after audit report submission

Answer: A

Question #:541

A user of a telephone banking system has forgotten his personal identification number (PIN). After the user has
been authenticated, the BEST method of issuing a new PIN is to have:

A. A randomly generated PIN communicated by banking personnel

B. Banking personnel assign the user a new PIN via email

C. The user enter a new PIN twice

D. Banking personnel verbally assign a new PIN

Answer: C

Question #:542

Which of the following control techniques BEST ensures the integrity of system interface transmissions?

A. Validity check

B. Completeness check

C. Parity check

D. Reasonableness check

Answer: B

Question #:543

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by
accounts payable employees?

A. Independent reconciliation

B. Periodic vendor reviews

C. Dual control

D. Re-keying of monetary amounts

Answer: C

Question #:544

An IS auditor has completed an audit on the organization's IT strategic planning process. Which of the
following findings should be given the HIGHEST priority?

A. Assumptions in the IT strategic plan have not been communicated to business stakeholders

B. The IT strategic plan was formulated based on the current IT capabilities.

C. The IT strategic plan was completed prior to the formulation of the business strategic plan

D. The IT strategic plan does not include resource requirements for implementation.

Answer: C

Question #:545

Which of the following is the MOST effective sampling method for an IS auditor to use for identifying fraud
and circumvention of regulations?

A. Discovery sampling

B. Stop-or-go sampling

C. Statistical sampling

D. Variable sampling

Answer: A

Question #:546

An IS audit reveals an organization's IT department reports any deviations from its security standards to an
internal IT risk committee involving IT senior management. Which of the following should be the IS auditor's
GREATEST concern?

A. The list of IT risk committee members does not include the board member responsible for IT.

B. The IT risk committee has no reporting line to any governance committee outside IT.

C. The IT risk committee meeting minutes are not signed off by all participants.

D. The chief information officer (CIO) did not attend a number of IT risk committee meetings during the
past year.

Answer: B

Question #:547

Which of the following is an example of a preventive control?

A. Purchase orders in the system being checked by a supervisor prior to execution to identify errors during
entry

B. An online retailer's daily review of transactions processed to identify trends and changes in customer
demand

C. Regular assessments of the sales department to identify the most profitable sales strategies used by sales
staff

D. Continuous operation of a screening system to identify fraudulent patterns in recent transactions

Answer: A

Question #:548

The PRIMARY benefit of information asset classification is that it:

A. facilitates budgeting accuracy.

B. enables risk management decisions.

C. prevents loss of assets.

D. helps to align organizational objectives.

Answer: B

Question #:549

An internal audit department recently established a quality assurance (QA) program as part of its overall audit
program. Which of the following activities is MOST important to include as part of the QA program
requirements?

A. Implementing corrective action plans

B. Creating a long-term plan for internal audit staffing

C. Analyzing user satisfaction reports from business lines

D. Reviewing audit standards periodically

Answer: A

Question #:550

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's
firewall?

A. Logs are being collected in a separate protected host.

B. Access to configuration files is restricted.

C. Insider attacks are being controlled.

D. Automated alerts are being sent when a risk is detected.

Answer: A

Question #:551

Which of the following is the MOST important consideration for building resilient systems?

A. Eliminating single points of failure

B. Performing periodic backups

C. Creating disaster recovery plans (DRPs)

D. Defining recovery point objectives (RPOs)

Answer: C

Question #:552

To create a digital signature in a message using asymmetric encryption, it is necessary to:

A. first use a symmetric algorithm for the authentication sequence.

B. encrypt the authentication sequence using a public key.

C. transmit the actual digital signature in unencrypted clear text.

D. encrypt the authentication sequence using a private key.

Answer: D

Question #:553

A multinational organization is integrating its existing payroll system with a human resource information
system. Which of the following should be of GREATEST concern to the IS auditor?

A. Application interfaces

B. Scope creep

C. System documentation

D. Currency conversion

Answer: C

Question #:554

Which of the following controls will MOST effectively detect inconsistent records resulting from the lack of
referential integrity in a database management system?

A. Concurrent access controls

B. Incremental data backups

C. Performance monitoring tools

D. Periodic table link checks

Answer: D

Question #:555

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's
privacy policy?

A. The encryption mechanism selected by the organization for protecting personal data

B. Whether there is explicit permission from regulators to collect personal data

C. The organization's legitimate purpose for collecting personal data

D. Whether sharing of personal information with third-party service providers is prohibited

Answer: C

Question #:556

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection
systems (IDSs)?

A. An increase in the number of internally reported critical incidents

B. An increase in the number of detected incidents not previously identified

C. An increase in the number of identified false positives

D. An increase in the number of unfamiliar sources of intruders

Answer: A

Question #:557

Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating
end user networking?

A. Peer-to-peer

B. Client-to-server

C. Host-to-host

D. System-to-system

Answer: A

Question #:558

The BEST way to prevent fraudulent payments is to implement segregation of duties between payment
processing and:

A. payment approval.

B. requisition creation.

C. vendor setup.

D. check creation.

Answer: A

Question #:559

An IS auditor is assigned to review the development of a specific application. Which of the following would
be the MOST significant step following the feasibility study?

A. Attend project progress meetings to monitor timely implementation of the application.

B. Assist users in the design of proper acceptance-testing procedures.

C. Follow up with project sponsor for project's budgets and actual costs.

D. Review functional design to determine that appropriate controls are planned.

Answer: D

Question #:560

An IS auditor assessing the controls within a newly implemented call center would FIRST:

A. test the technical infrastructure at the call center.

B. review the manual and automated controls in the call center.

C. gather information from the customers regarding response times and quality of service.

D. evaluate the operational risk associated with the call center.

Answer: D

Question #:561

When developing a business continuity plan (BCP), which of the following should be performed FIRST?

A. Classify operations.

B. Conduct a business impact analysis (BIA)

C. Develop business continuity training.

D. Establish a disaster recovery plan (DRP)

Answer: B

Question #:562

An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent
modification to a database system's security settings. Where would the auditor MOST likely find this
information?

A. System event correlation report

B. Change log

C. Database log

D. Security incident and event management (SIEM) report

Answer: B

Question #:563

Which of the following would be the MOST appropriate reason for an organization to purchase fault-tolerant
hardware?

A. Improving system performance

B. Reducing hardware maintenance costs

C. Minimizing business loss

D. Compensating for the lack of contingency planning

Answer: C

Question #:564

An IS auditor is evaluating a virtual server environment and learns that the production server, development
server, and management console are housed in the same physical host. What

A. The physical host is a single point of failure.

B. The management console is a single point of failure

C. The development server and management console share the same host.

D. The development and production servers share the same host.

Answer: A

Question #:565

An organization is using a single account shared by personnel for its social networking marketing page. Which
of the following is the BEST method to maintain accountability over the account?

A. Reviewing access rights on a periodic basis

B. Integrating the account with single sign-on

C. Regular monitoring of proxy server logs

D. Implementing an account password check-out process

Answer: A

Question #:566

Which of the following is the BEST sampling method to ensure only active users have access to critical
systems?

A. Substantive testing

B. Difference estimation

C. Unstratified mean per unit

D. Compliance testing

Answer: D

Question #:567

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s
privacy program?

A. Analyzing risks posed by new regulations

B. Developing procedures to monitor the use of personal data

C. Defining roles within the organization related to privacy

D. Designing controls to protect personal data

Answer: B

Question #:568

When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:

A. evaluate the organization's EUC policy

B. evaluate EUC threats and vulnerabilities

C. obtain an inventory of EUC applications

D. determine EUC materiality and complexity thresholds

Answer: D

Question #:569

During a review, an IS auditor notes that an organization's marketing department has purchased a cloud-based
software application without following the procurement process. What should the auditor do FIRST?

A. Perform a risk analysis.

B. Escalate to senior management.

C. Review the procurement process.

D. Review the business impact analysis (BIA).

Answer: A

Question #:570

An organization issues digital certificates to employees to enable connectivity to a web-based application.
Which of the following public key infrastructure (PKI) components MUST be included in the application
architecture for determining the on-going validity of connections?

A. Secure hash algorithm (SHA)

B. Registration authority (RA)

C. Certificate authority (CA)

D. Certificate revocation list (CRL)

Answer: A

Question #:571

An organization plans to eliminate pilot releases and instead deliver all functionality in a single release. Which
of the following is the GREATEST risk with this approach?

A. Likelihood of scope creep over time

B. Increased oversight required to track projects

C. Inability to track project costs

D. Releasing critical deficiencies into production

Answer: D

Question #:572

Segregation of duties would be compromised if:

A. application programmers moved programs into production.

B. application programmers accessed test data.

C. database administrators (DBAs) modified the structure of user tables.

D. operations staff modified batch schedules.

Answer: B

Question #:573

Which of the following is the MOST effective means of helping management and the IT strategy committee to
monitor IT performance?

A. Gap analysis

B. Measurement of service levels against metrics

C. End-user satisfaction surveys

D. Infrastructure monitoring reports

Answer: B

Question #:574

During an operational audit of a biometric system used to control physical access, which of the following
should be of GREATEST concern to an IS auditor?

A. False positives

B. Lack of biometric training

C. False negatives

D. User acceptance of biometrics

Answer: A

Question #:575

An IS auditor's role in privacy and security is to:

A. implement risk management methodologies.

B. verify compliance with applicable laws.

C. assist in developing an IS security strategy.

D. assist the governance steering committee with implementing a security policy.

Answer: B

Question #:576

An IS auditor notes that application super-user activity was not recorded in system logs. What is the auditor’s
BEST course of action?

A. Investigate the reason for the lack of logging

B. Recommend a least privilege access model

C. Recommend activation of super user activity logging

D. Report the issue to the audit manager

Answer: C

Question #:577

An organization has decided to implement a third-party system in its existing IT environment. Which of the
following is MOST important for the IS auditor to confirm?

A. The organization has created a clone of the third party's IT infrastructure to host the IT system.

B. The organization has maintained a clone of the existing infrastructure as backup.

C. The organization has analyzed the IT infrastructure to determine the feasibility of hosting the IT system.

D. The organization has purchased a newly released IT infrastructure environment relevant to the IT system.

Answer: C

About dumpscollection.com
dumpscollection.com was founded in 2007. We provide latest & high quality IT / Business Certification Training
Exam Questions, Study Guides, Practice Tests.

We help you pass any IT / Business Certification Exams with 100% Pass Guaranteed or Full Refund. Especially
Cisco, CompTIA, Citrix, EMC, HP, Oracle, VMware, Juniper, Check Point, LPI, Nortel, EXIN and so on.

We prepare state-of-the art practice tests for certification exams. You can reach us at any of the email addresses listed
below.

Sales: sales@dumpscollection.com
Feedback: feedback@dumpscollection.com
Support: support@dumpscollection.com
Skype ID: crack4sure@gmail.com

If you have any problems with IT certification or our products, you can write to us and we will get back to you
within 24 hours.

15% Discount Coupon Code: DC15disc