Â
101. During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor’s NEXT step should be to:
A.      determine if access rights are in violation of software licenses.
B.      direct management to revoke current access rights.
C.      implement a control to update access rights.
D.     determine the reason why access rights have not been revoked.
Â
Answer: D
Â
Â
102. Which of the following is the MOST likely root cause for multiple systems with the same functional purpose in an organization?
A.      Insufficient business impact analysis (BIA)
B.      Inadequate capacity planning
C.      Inadequate enterprise architecture (EA)
D.     Insufficient key performance indicators (KPIs)
Â
Answer: C
Â
Â
Â
103. An IS auditor is performing an audit of a large organization’s operating system maintenance procedures. Which of the following findings presents the GREATEST risk?
A.      Critical patches are applied immediately while others follow quarterly release cycles.
B.      Some internal servers cannot be patched due to software incompatibility.
C.      Vulnerability testing is not performed on the development servers.
D.     The configuration management database (CMDB) is not up to date.
Answer: B
Â
Â
104. Which of the following is MOST helpful for integrating third-party services into a software platform?
A.      Application programming interface (API)
B.      Simple Object Access Protocol (SOAP)
C.      Hypertext Transfer Protocol (HTTP)
D.     Extensible markup language (XML)
Â
Answer: A
Â
105. Which of the following would be MOST time and cost efficient when performing a control self-assessment (CSA) for an organization with large number of widely dispersed employees?
A.      Survey questionnaire
B.      Engaging external consultants
C.      Top-down and bottom-up analysis
D.     Face-to-face interviews
Â
Answer: A
Â
Â
106. In the absence of encryption to protect sensitive database assets, authentication used to authorize database access is considered to be a:
A.      detective control.
B.      corrective control.
C.      compensating control.
D.     directive control.
Â
Answer: C
Â
Â
107. Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?
A.      Cloud computing
B.      Robotic process automation (RPA)
C.      Internet of Things (IoT)
D.     Machine learning (ML) algorithms
Â
Answer: D
Â
108. Which of the following BEST indicates that an organization’s problem management activities are effectively integrated into incident response activities?
A.      Incident response times have been decreased.
B.      Incidents are recorded in a known error database.
C.      Root cause analysis is performed for each incident.
D.     The number of repeated incidents is decreased.
Â
Â
Answer: D
Â
109. Which of the following sampling techniques is MOST appropriate to use when an IS auditor expects Zero or few deviations?
A.      Random sampling
B.      Discovery sampling
C.      Monetary unit sampling
D.     Stop-or-go sampling
Â
Answer: B
Â
110. When reviewing an organization’s controls to mitigate internal financial fraud, which of the following would an IS auditor consider as MOST effective?
A.      Fraud awareness training
B.      Control self-assessments (CSAs)
C.      Mandatory leave policy
D.     Background checks
Â
Answer: C
Â
111. When evaluating a data encryption software solution, which of the following is the MOST important consideration?
A.      Software update frequency
B.      Compliance with industry standards and regulations
C.      Ease of use
D.     Secure storage to prevent unauthorized access and tampering
Â
Answer: B
Â
112. Which of the following BEST facilitates the successful implementation of IT performance monitoring?
A.      Determining goals for IT resources and processes
B.      Adopting global standards and measurement norms
C.      Establishing templates for periodic reporting to management
D.     Identifying tools to automate performance measurement
Â
Answer: A
Â
113. Which of the following presents the GREATEST risk to an organization’s ability to manage quality control (QC) processes?
A.      Lack of a third-party QC function validation
B.      Lack of policies and procedures
C.      Lack of separation of duties
D.     Lack of an annual training requirement
Â
Answer: B
Â
114. An organization has recently acquired another organization. When reviewing both IS departments, the IS auditor discovers two redundant IT applications. Which of the following would be the auditor’s BEST recommendation for management?
A.      Submit a request for proposal (RFP) to replace the applications.
B.      Assess the gaps on both applications to determine further steps.
C.      Keep the most comprehensive application as approved by senior management.
D.     Develop an initiative to integrate both applications.
Â
Answer: B
Â
Â
115. The PRIMARY role of event-driven scheduling in job automation is to:
A.      trigger task execution based on specific conditions.
B.      execute tasks only at predefined intervals.
C.      increase visibility to system activities.
D.     increase automation of manual tasks.
Â
Answer: A
Â
116. Which of the following is the BEST way to identify key areas for a risk-based audit plan?
A.      Conduct a risk survey with the CIO.
B.      Review peer benchmarking results.
C.      Interview relevant stakeholders in the business.
D.     Review open issues from recent audit reports.
Â
Answer: C
Â
Â
117. Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization’s enterprise architecture (EA) program?
A.      The architecture review board IS chaired by the CIO
B.      The EA program governs projects that are not IT-related
C.      Information security requirements are reviewed by the EA program.
D.     IT application owners have sole responsibility for architecture approval.
Â
Answer: D
Â
118. An IS auditor notes that a loan origination team receives customer loan applications via a shared repository. Which of the following findings presents the GREATEST privacy risk for this process?
A.      Loan documentation is not purged from the system.
B.      Duplicate loan applications are not flagged for attention,
C.      SMS multi-factor authentication (MFA) is enabled
D.     Customer data is not updated in the origination system.
Â
Answer: A
Â
Â
119. Which of the following BEST helps to establish that digital evidence is in its original form and has not been tampered with?
A.      Hash values
B.      Write-protecting media
C.      Imaging of digital media
D.     Chain of custody
Â
Answer: A
Â
Â
120. The PRIMARY objective of a privacy protection policy is to increase awareness of.
A.      system configuration procedures to protect privacy.
B.      the benefits of using encryption for personal data protection.
C.      cybercrimes that target an organization’s computer network.
D.     the legal requirements for protecting personal information.
Â
Answer: D
Â
Â
Â
121. Following the complete corruption of a database, an organization recovered its customer data from the most recent available backup. However, the organization has started receiving many complaints about discrepancies in customer data. Which of the following is MOST important for an S auditor to review in this situation?
A.      Maximum tolerable outage (MTO)
B.      Service level agreement (SLA)
C.      Recovery time objective (RTO)
D.     Recovery point objective (RPO)
Â
Answer: D
Â
Â
122. The purpose of a privacy impact assessment (PIA) is to:
A.      provide transparent and easily accessible information about an organization’s privacy practices.
B.      identify, assess, and mitigate the privacy risks associated with the use of personal information.
C.      ensure executive support for the identification of personal information and privacy risk
D.     define an organization’s privacy governance goals and objectives.
Â
Answer: B
Â
Â
123. Which of the following is the MOST appropriate role for an IS auditor in an organizational control self-assessment (CSA)?
A.      Evaluating the effectiveness of controls against control objectives
B.      Identifying business process risks for control testing
C.      Assisting business owners in evaluating the control environment
D.     Managing control testing activities conducted by business owners
Â
Answer: C
Â
Â
124. Which of the following is the PRIMARY benefit of adopting an industry-level standard when developing an organization’s cybersecurity program?
A.      It raises organization-wide awareness.
B.      It reduces the likelihood of cybersecurity incidents.
C.      It provides a framework for cybersecurity governance.
D.     It provides assurance to regulatory bodies.
Â
Answer: C
Â
125. An organization decides to utilize active RFID tags to track the real-time location of merchandise shipments. This technology is inherently prone to which type of attack?
A.      Snooping
B.      Malware
C.      Session hijacking
D.     Phishing
Â
Answer: A
Â
126. An IS auditor is conducting an audit of a very large e-commerce platform. Which of the following techniques BEST enables the auditor to identify web application security flaws?
A.      Vulnerability scanning
B.      Penetration testing
C.      Logical security testing
D.     Code review
Â
Answer: B
Â
127. Enterprise architecture (EA) value is BEST realized when initiated:
A.      in conjunction with testing.
B.      prior to system development.
C.      before the system is promoted to the production environment.
D.     in conjunction with the post-implementation review.
Â
Answer: B
Â
Â
128. Which of the following is MOST important to include in an organization’s internet acceptable use policy?
A.      Definitions of inappropriate internet activity and websites
B.      Configuration of internet browsers at endpoints
C.      Guidelines for security controls on personal laptops and mobile devices
D.     Acceptable design principles for the setup of internet gateways
Â
Answer: A
Â
Â
Â
129. Which of the following is MOST important to consider when evaluating a reciprocal arrangement as a recovery strategy?
A.      Differences in service level expectations
B.      Differences in security policies and procedures
C.      Differences in skills and resource competencies
D.     Differences in infrastructure capabilities
Â
Answer: D
Â
Â
Â
Â
130. Which of the following is MOST important to ensure when planning a black box penetration test?
A.      The test results will be documented and communicated to management.
B.      Diagrams of the organization’s network architecture are available.
C.      The tactic techniques and procedures have been determined.
D.     The management of the client organization has approved the scope of testing.
Â
Answer: D
Â
Â
131. If a pattern of unauthorized changes to IT software is discovered after concluding testing, which of the following would be an IS auditor’s NEXT course of action?
A.      Report the finding to the chief internal auditor.
B.      Re-perform the audit tests to validate the earlier observation.
C.      Recommend modifications to existing controls.
D.     Discuss the finding with management.
Â
Answer: D
Â
132. Which of the following IS the MOST important component of an effective service level agreement (SLA)?
A.      Clear and measurable service metrics and targets
B.      Penalties for IT service providers who fail to meet SLA targets
C.      Listing of all IT employees and supplier contacts involved in service delivery
D.     Detailed technical specifications
Â
Answer: A
Â
Â
Â
Â
133. Which of the following would provide an IS auditor with the MOST assurance of an organization’s ability to maintain information confidentiality?
A.      Confirming that data protection and privacy policies are communicated
B.      Sampling a terminal to ensure that it is identified in the network diagram
C.      Attempting the creation of a password that is not compliant with configuration settings
D.     Conducting social engineering tests to evaluate how well employees adhere to security policies
Â
Answer: D
Â
134. Which of the following Is MOST effective for identifying errors in system interface transmission?
A.      Validity check
B.      Reasonableness check
C.      Parity check
D.     Checksum
Â
Â
Answer: D
Â
Â
Â
Â
Â
135. The PRIMARY advantage of parallel processing for a new system implementation Is that it provides:
A.      a comparison of cost structures between new and the legacy systems.
B.      if the ability to back out if not operating as intended.
C.      assurance that the new system meets performance requirements.
D.     users with more time to complete training for the new system.
Â
Answer: B
Â
Â
Â
136. When the development of a system is outsourced, the outsourcing vendor MUST have access to:
A.      a copy of live production data,
B.      the requirements definition.
C.      remote access facilities.
D.     the production library.
Â
Answer: B
Â
Â
137. Which of the following is the PRIMARY reason for a configuration management system to record the relationships and dependencies between configuration items?
A.      To ensure new release configuration items appropriately include any related dependency configurations.
B.      To verify planned maintenance change requests are accurately mapped to configuration item baselines.
C.      To verity that differences in baselines between configuration items and their dependencies are known and acceptable.
D.     To ensure changes made to one configuration item do not have unintended consequences for other items.
Â
Answer: D
Â
Â
Â
138. Which of the following is the FIRST step in an audit engagement to assess compliance with 3 new data privacy standard?
A.      Identification of unencrypted personal information
B.      Identification of IT systems that host personal information
C.      Review of data loss risk scenarios
D.     Review of data protection procedures
Â
Answer: B
Â
139. Which of the following is the BEST way to determine the criticality of each application?
A.      Review findings from the most recent application audit.
B.      Determine the number of business users for each application.
C.      Determine the number of dependencies on the application.
D.     Perform a business impact analysis (BIA) of each application.
Â
Answer: D
Â
Â
Â
140. Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?
A.      Establish a global IT risk scoring criteria.
B.      Establish a weighted score based on business unit criticality.
C.      Average the business units’ IT risk levels.
D.     Identify the highest-rated IT risk level among the business units.
Â
Answer: A
Â
141. Which of the following is MOST important for an IS auditor responsible for assessing data protection in an organization?
A.      Knowing the detailed functionality of privacy tools and processes
B.      Understanding the legal requirements that apply to the organization
C.      Implementing appropriate technical measures to mitigate privacy risks
D.     Establishing a data protection steering committee to discuss data risks
Â
Answer: B
Â
142. Which of the following is the BE ST control to ensure data entered into a calculation program is accurate?
A.      Programmed edit checks to prevent entry of invalid data
B.      Manual recalculation of data
C.      Reasonableness checks with a data entry range
D.     Visual verification of data entered
Â
Answer: A
Â
Â
Â
Â
143. After a programmer finished writing the source code for a new HR system, the programmer’s manager conducted a manual secure code review before the
release. The manager’s action reflects which type of control?
A.      Preventive
B.      Directive
C.      Detective
D.     Corrective
Â
Â
Answer: C
Â
144. Which of the following would be the GREATEST concern if an information security manager defines a security approach according to industry best practices?
A.      Alignment with IT strategy
B.      Excessive security control cost
C.      Alignment with organizational objectives
D.     Manual control framework
Â
Answer: C
Â
145. A new regulation requires an organization to encrypt sensitive customer information on all mobile devices within a year. Which of the following should be the FIRST step in preparation for compliance?
Â
A.      Determine the gap between existing controls and new requirements.
B.      Develop business cases for mobile device encryption solutions.
C.      Develop a plan to implement an encryption solution to meet requirements.
D.     Perform a risk assessment to determine compensating controls.
Â
Answer: A
Â
Â
146. The GREATEST benefit of conducting a business impact analysis (BIA) for IT systems is that it enables the organization to:
A.      identify internal influences that impact IT security.
B.      link IT systems with critical business services.
C.      identify appropriate business IT system owners.
D.     analyze the impact of threats on affected IT systems.
Â
Answer: B
Â
147. Which of the following is the GREATEST benefit of having a strong organizational security culture?
A.      It reduces the risk of cyberthreats.
B.      It increases user awareness.
C.      It helps maintain security standards.
D.     It enables security metrics targets to be achieved.
Â
Answer: A
Â
148. An information security manager is planning to introduce generative Al tools to the organization’s developer community. Which of the following is MOST important before rolling out the new system?
A.      Creating an organization-wide generative AI policy
B.      Identifying access requirements
C.      Conducting Al training for developers
D.     Developing a communication plan
Â
Answer: A
Â
Â
149. After performing a risk assessment, an information security manager identified IT issues with a third-party vendor used by the finance department. Of the following, who is BEST positioned to define the risk treatment plans?
A.      Head of information security
B.      Head of finance
C.      Head of IT
D.     Head of vendor management
Â
Answer: B
Â
150. An organization’s IT systems consist of in-house, purchased, and open-source software. Which of the following would be MOST helpful to an information security manager tasked with analyzing and evaluating the software supply chain and tracking potential vulnerabilities?
A.      Source code repository
B.      Vulnerability report
C.      Software bill of materials
D.     IT asset inventory
Â
Answer: C
Â
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.