51. A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
A.      User acceptance testing (UAT)
B.      Unit testing
C.      Network performance testing
D.     Regression testing
Â
Answer: D
Â
Â
52. Which of the following BEST describes the role of an IS auditor in control self-assessments (CSAs)?
A.      Identifying and documenting control risk scenarios
B.      Facilitating understanding of the need for controls and the associated risk
C.      Taking responsibility and ownership of internal control systems
D.     Performing detailed audit procedures to assess controls
Â
Â
Answer: B
Â
53. Which of the following should be of GREATEST concern to an IS auditor when reviewing DevSecOps processes for an organization’s recently implemented project software?
A.      The developers are employees of a third-party vendor.
B.      The developers have not undergone refresher application security training.
C.      The process for reviewing and detecting security gaps is partially manual.
D.     Insecure code was not detected during security reviews prior to deployment.
Â
Answer: D
Â
Â
Â
54. Which of the following is the MOST important consideration when determining how frequently to review a data protection policy?
A.      Known international standards
B.      Local laws and regulations
C.      Industry best practices
D.     Business objectives
Â
Answer: B
Â
Â
55. An organization has performance metrics to track how well IT resources are being used, but there has been little progress on meeting the organization’s goals. Which of the following would be MOST helpful to determine the underlying reason?
A.      Conducting a root cause analysis
B.      Re-evaluating key performance indicators (KPIs)
C.      Conducting business impact analysis (BIA)
D.     Re-evaluating organizational goals
Â
Answer: A
Â
56. An audit department quality assurance and improvement program supports the mitigation of which of the following types of risk?
A.      Detection risk
B.      Compliance risk
C.      Control risk
D.     Inherent risk
Â
Answer: A
Â
57. An organization is planning to implement a new enterprise resource planning (ERP) system that will be developed and operated by a third party. Which of the following documents would be MOST useful for assessing the new system’s supply chain asset and risk management?
A.      Vulnerability assessment report
B.      Software bill of materials
C.      Penetration testing report
D.     Software acquisition plan
Â
Answer: B
Â
Â
58. Which of the following would pose the GREATEST concern for an IS auditor reviewing customer service operations for a healthcare organization?
A.      Customer satisfaction survey results have significantly declined in the past year. in
B.      Employees are using unlicensed tools to process personal information.
C.      Service representatives are using shared workstations.
D.     Acceptable use policies for the organization have not been updated within the last year.
Â
Answer: B
Â
59. Which of the following findings would have the GREATEST impact on the objective of a business intelligence system?
A.      Decision support queries use database functions proprietary to the vendor.
B.      Management reports have not been evaluated since implementation.
C.      The hot site for disaster recovery does not include the decision support system.
D.     Key controls have not been tested in a year.
Â
Answer: B
Â
60. To avoid potential conflicts of interest, the audit department responsible for auditing IT governance should report to which of the following?
A.      Chief risk officer (CRO)
B.      IT strategy committee
C.      Board of directors
D.     IT steering committee
Â
Answer: C
Â
61. Which of the following is the MOST important metric in selecting a biometric device?
A.      Crossover error rate
B.      Image size
C.      System response time
D.     False rejection rate
Â
Answer: A
Â
Â
62. The Waterfall life cycle model of software development is BEST suited for which of the following situations?
A.      The project will involve the use of new technology.
B.      The project requirements are well understood.
C.      The project intends to apply an object-oriented design approach.
D.     The project is subject to time pressures.
Â
Answer: B
Â
63. Which of the following is the BEST protection against forged email?
A.      Application level firewall
B.      Encryption
C.      Identification of sending host
D.     Digital signature
Â
Answer: D
Â
Â
64. Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
A.      Ensures documents are handled in accordance with the sensitivity of information they contain
B.      Classifies documents to correctly reflect the level of sensitivity of information they contain
C.      Classifies documents in accordance with industry standards and best practices
D.     Defines the conditions under which documents containing sensitive information may be transmitted
Â
Answer: B
Â
Â
65. Which of the following is MOST important to consider when developing audit objectives for an organizational privacy audit?
A.      Data subject rights and notification
B.      Legal and regulatory compliance
C.      Third-party vendor assessments
D.     Data security measures
Â
Answer: B
Â
66. Which of the following is MOST important for an organization to include in the asset management inventory?
A.      Asset cost
B.      Inventory number
C.      Asset owner
D.     Network identification details
Â
Answer: C
Â
67. Which of the following public key infrastructure (PKI) roles is MOST likely to be delegated by a certificate authority (CA)?
A.      Ensuring correct registration
B.      Issuing trusted digital certificates
C.      Issuing public-private key pairs
D.     Revoking digital certificates
Â
Answer: A
Â
68. The BEST indicator of an optimized quality management system (QMS) is that it:
A.      is integrated and enforced in all IT activities.
B.      is endorsed by senior management.
C.      aligns with an industry recognized framework.
D.     defines and monitors all IT QMS activities.
Â
Answer: A
Â
Â
69. When implementing a data loss prevention (DLP) system, which of the following should be used to determine when policy violations are triggered?
A.      Frequency of security scans
B.      Network traffic flowing out of the organization
C.      Volume of files downloaded
D.     Defined rules based on precedent
Â
Answer: D
Â
Â
70. winch of the following is the BEST way to obtain assurance of calculation accuracy when an IS auditor finds that a change to a cortical calculation was not tested?
A.      Perform substantive testing using computer-assisted audit techniques (CAATs).
B.      Obtain post-change approval from management.
C.      Interview the lead system developer responsible for the calculations.
D.     Manually reperform batch job calculations.
Answer: A
Â
Â
71. Which of the following poses the GREATEST risk to an organization when employees use public social networking sites?
A.      Cross-site scripting
B.      Copyright violations
C.      Adverse posts about the organization
D.     Social engineering
Â
Answer: D
Â
Â
Â
72. Of the following, who is PRIMARILY responsible for developing standard operating procedures for reporting log monitoring outcomes?
A.      Incident response team leader
B.      Business owner
C.      IT risk manager
D.     Information security manager
Â
Answer: D
Â
Â
Â
73. An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following the BEST way to prevent this vulnerability from being exploited?
A.      Implement security awareness training.
B.      Review security log incidents.
C.      Review hardware vendor contracts
D.     Install vendor patches.
Â
Answer: D
Â
Â
74. Is Which of the following is the BEST way for an IS auditor to verify whether help desk tickets are being managed by IT support in accordance with business expectations?
A.      Review end user satisfaction survey results.
B.      Review IT management metrics reported quarterly to the board
C.      Compare the resolved date and the due date recorded on the help desk tickets.
D.     Compare the response and resolution times against the service level agreement (SLA).
Â
Answer: D
Â
Â
75. An IS auditor reviewing access controls over restricted information on a corporate wireless 8 environment should be MOST concerned if a user is authenticated by using only:
A.      the media access control (MAC) address.
B.      a USB key.
C.      digital certificates.
D.     one-time passwords.
Â
Answer: A
Â
Â
Â
76. Which of the following is the PRIMARY purpose of batch processing monitoring?
A.      To summarize the batch processing reporting
B.      To prevent an incident that may result from batch failure
C.      To comply with security standards
D.     To log error events in batch processing
Â
Answer: B
Â
Â
Â
77. Which of the following is MOST important to include in a contract to outsource data processing that involves customer personally identifiable information (PII)?
A.      The vendor must comply with the organization’s legal and regulatory requirements.
B.      The vendor must provide an independent report of its data processing facilities.
C.      The vendor must sign a nondisclosure agreement (NDA) with the organization.
D.     The vendor must compensate the organization if service levels are not met
Â
Answer: A
Â
Â
78. Which of the following reliably associates users with their public keys and includes attributes that uniquely identify the users?
A.      Digital certificate
B.      Multi-factor authentication (MFA)
C.      Encryption
D.     Nonrepudiation
Â
Answer: A
Â
Â
Â
79. In which phase of the audit life Cycle process should an IS auditor initially discuss observations with management?
A.      Reporting phase
B.      Planning phase
C.      Follow-up phase
D.     Fieldwork phase
Â
Answer: D
Â
Â
80. Which of the following is the MOST effective way to evaluate the physical security of a data center?
A.      Perform a data center tour.
B.      Review data center access logs.
C.      Interview data center stakeholders.
D.     Review camera footage from the data center.
Â
Answer: A
Â
Â
Â
Â
Â
81. Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?
A.      The timing for program updates has not been determined.
B.      Employees do not receive immediate notification of results.
C.      Metrics have not been established to assess training results.
D.     Only new employees are required to attend the program.
Â
Answer: D
Â
Â
82. Which of the following observations should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA) practices?
A.      Recovery objectives are identified without conducting risk assessments.
B.      Outsourced business processes are excluded from the scope of the BIA
C.      Resource dependencies for critical processes are not determined.
D.     A combination of questionnaires, workshops, and interviews is used.
Â
Answer: B
Â
Â
83. Which of the following is a PRIMARY benefit of using risk assessments to determine areas to be included in an audit plan?
A.      Timely audit execution
B.      Reduced travel and expense costs
C.      Effective allocation of audit resources
D.     Effective risk mitigation
Â
Answer: C
Â
Â
Â
84. Which of the following is an audit reviewer’s PRIMARY role with regard to evidence?
A.      Ensuring appropriate statistical sampling methods were used
B.      Ensuring evidence is labeled to show it was obtained from an approved source
C.      Ensuring evidence is sufficient to support audit conclusions
D.     Ensuring unauthorized individuals do not tamper with evidence after it has been captured
Â
Answer: C
Â
Â
85. Which of the following should an IS auditor review to determine whether a project has adequate executive support and is aligned with organizational objectives?
A.      Feasibility analysis
B.      Business case approval
C.      Projected benefits realization
D.     Project plan approval
Â
Answer: B
Â
Â
86. At the conclusion of an audit, but before issuing the final report, the auditor should:
A.      help management develop action plans.
B.      obtain evidence to support findings.
C.      confirm factual findings with the auditee.
D.     confirm results with the audit committee.
Â
Answer: C
Â
Â
87. Which of the following Is MOST helpful to a data owner when classifying the organization’s data?
A.      Corporate privacy statement
B.      Data retention policy
C.      Risk assessment results
D.     Existing protection levels
Â
Answer: C
Â
88. Which of the following BEST facilitates the legal process in the event of an incident?
A.      Right to perform e-discovery
B.      Advice from legal counsel
C.      Results of a root cause analysis
D.     Preserving the chain of custody
Â
Answer: D
Â
89. Monitoring which of the following is the MOST useful for evaluating whether the agreed service level is delivered by IT operations?
A.      Key performance indicators (KPIs)
B.      Service level objectives
C.      Operator performance
D.     Key risk indicators (KRIs)
Â
Answer: A
Â
90. When reviewing an ongoing business process reengineering project, which of the following should be an IS auditor’s GREATEST concern?
A.      Control gaps are created but not addressed.
B.      Additional cost may be required to stabilize the process.
C.      A business impact analysis (BIA) may not be carried out
D.     Existing processes may not be fully documented.
Â
Answer: A
Â
91. Which of the following should be of GREATEST concern to an IS auditor evaluating an organization’s patch management process?
A.      Patches have been installed more than six months after the vendor released them.
B.      Security patches have not been regularly reviewed for several critical IT systems.
C.      Patch installation statistics have not been tracked and reported.
D.     Security patches have been installed directly from the vendor’s website.
Â
Answer: B
Â
92. Which of the following is the PRIMARY reason for an organization to implement a configuration management database (CMDB)?
A.      To store backup copies of software applications
B.      To record and monitor performance metrics for configuration items
C.      To provide an organized view of configuration items and their relationships
D.     To track configuration incidents and service requests
Â
Answer: C
Â
93. The PRIMARY reason to perform a capacity management review of technology resources is to ensure that:
A.      available capacity is operated in a secure and compliant manner.
B.      infrastructure and processes can meet current and future business needs.
C.      technology resource acquisitions align with current needed capacity.
D.     technological resource capacity requirements are properly defined.
Â
Answer: B
Â
94. Which of the following system redundancy configurations BEST improves system resiliency and reduces the possibility of a single cause of failure impacting system dependability?
A.      Diverse redundancy
B.      Active redundancy
C.      Homogeneous redundancy
D.     Passive redundancy
Â
Answer: A
Â
95. What should an IS auditor ensure when a financial organization intends to utilize production data in the testing environment?
A.      The data utilized is current.
B.      The data utilized is accurate.
C.      The data utilized is complete.
D.     The data utilized is de-identified.
Â
Answer: D
Â
96. An IS auditor has traced the source of a transaction fraud to the desktop system of an e-business staff member who of on leave. Which of the following is the BEST way for the auditor to ensure the success of the investigation?
A.      Immediately seal off the attacked system and block all access until after the investigation.
B.      Reboot the attacked system and promptly review log files and file timestamps
C.      Create an image of the attacked system and dump the memory on a file for review.
D.     Interview the business staff and ask them to provide details of recent system activities
Â
Answer: C
Â
Â
97. Which of the following is the PRIMARY advantage of using an automated security log mentoring tool instead of conducting a manual review to monitor the use of privileged access?
A.      Reduced costs associated with automating the review
B.      Ease of log retrieval for audit purposes
C.      Ease of storing and maintaining log file
D.     Increased likelihood of detecting suspicious activity
Â
Â
Answer: D
Â
Â
Â
Â
Â
Â
98. Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?
A.      Performance reporting includes too many technical terms.
B.      Metrics were defined without key stakeholder input.
C.      Metrics are not aligned with industry benchmarks.
D.     Key performance indicators (KPIs) are not consistently monitored.
Â
Answer: D
99. An organization plans to provide a wireless network for guests to access the internet. Which of the following should be implemented to protect information assets from unauthorized access through the wireless network?
A.      Adopt encryption between mobile endpoints and the wireless network.
B.      Implement a web gateway to control internet access in the wireless network
C.      Enforce complex password requirements for connection to the wireless network.
D.     Isolate the organization’s internal network from the wireless network.
Â
Answer: D
Â
100. An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
A.      Feedback from internal audit staff
B.      Long-term internal audit resource planning
C.      Ongoing monitoring of the audit activities
D.     Control self-assessment (CSA)
Â
Answer: C
Â
Â
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.