Â
151. Which of the following BEST demonstrates senior management support for the information security program?
A.      Enforcing security policies and procedures
B.      Soliciting feedback from business functions regarding security needs
C.      Providing adequate security resources and funding
D.     Requiring organization-wide security awareness training
Â
Answer: C
Â
152. Which of the following is the BEST source of data for measuring the effectiveness of an organization’s information security program?
A.      Key risk indicators (KRIs)
B.      Incident response test results
C.      Key performance indicators (KPIs)
D.     Risk assessments
Â
Answer: C
Â
153. Which of the following MOST effectively identifies the organization’s ability to comply with legal, regulatory, and contractual requirements?
A.      Vulnerability scan
B.      Gap analysis
C.      Risk assessment
D.     Control self-assessment (CSA)
Â
Answer: B
Â
154. The resilience requirements of an application are BEST determined by:
A.      a cost-benefit analysis.
B.      a threat assessment.
C.      a business impact analysis (BIA).
D.     a risk assessment.
Â
Answer: C
Â
155. An organization has recently acquired a new entity. Which of the following issues is MOST likely to arise when the organization integrates its security strategy without considering the culture of the acquired entity?
A.      Insufficient technical expertise and skills
B.      Lack of available resources
C.      Missed compliance deadlines
D.     Resistance to the implementation
Â
Answer: D
Â
Â
Â
156. Which of the following would BEST support the effective implementation of IT governance?
A.      Establishing IT management reporting requirements
B.      Requiring regular updates to policies and procedures
C.      Introducing IT system ownership to business management
D.     Adopting a framework to align business and IT goals
Â
Answer: D
Â
Â
157. Which of the following should an Is auditor perform FIRST when auditing an outsourced human resource application?
A.      Verify that fees billed for the service are appropriate to the work performed.
B.      Verify that security incident reports are issued in a timely manner.
C.      Review the terms and provisions in the contract.
D.     Implement data access rights consistent with the organization’s security policy.
Â
Answer: C
Â
Â
158. Which of the following is the MOST effective method for ensuring the integrity of log data?
A.      Implementing cryptographic hash functions
B.      Implementing a timestamping mechanism
C.      Limiting access to log data
D.     Regularly archiving log data
Â
Answer: A
Â
Â
Â
159. Which of the following MUST be performed by senior audit leadership prior to starting an IS audit project?
A.      Meet with auditee leadership.
B.      Review audit planning documents.
C.      Signoff on the audit scope.
D.     Attend planning walk-throughs.
Â
Answer: C
Â
Â
160. During the reporting phase, an IS auditor receives additional information that reverses a finding. Which of the following is the auditor’s BEST course of action?
A.      Update the workpapers and do not include the finding in the report.
B.      Defer to audit management based on the additional information provided.
C.      Include the finding in the final report with a clarifying statement.
D.     Delete the finding and associated workpapers.
Â
Answer: A
Â
Â
161. Results from which of the following would BEST provide assurance to a governing body that an organization’s information system controls have been reviewed objectively?
A.      Internal audit
B.      Forensic audit
C.      External audit
D.     Administrative audit
Â
Answer: C
Â
Â
162. Which of the following is the MOST important consideration when an organization is performing a business impact analysis (BIA)?
A.      Involving process owners from various departments
B.      Identifying hardware that is critical for meeting regulatory requirements
C.      Validating recovery time objectives (RTOs) set by IT management
D.     Focusing on the impact of disruptions caused by technological risks
Â
Answer: A
Â
Â
163. Which of the following is the BEST reason to implement a configuration management database (CMDB)?
A.      To provide real-time network monitoring of configuration items
B.      To track the physical location of configuration items
C.      To store licenses for software configuration items
D.     To document relationships between configuration items
Â
Â
Answer: D
Â
164. Which of the following is the PRIMARY objective of encryption when transmitting sensitive data?
A.      Ensuring data integrity
B.      Ensuring the availability of sensitive data
C.      Protecting the confidentiality of data
D.     Preventing data tampering
Â
Answer: C
Â
Â
Â
165. During the development of a business case for a new application, the IS auditor should be PRIMARILY involved in the:
A.      user acceptance testing (UAT).
B.      system test.
C.      feasibility study.
D.     transaction blueprint.
Â
Answer: C
Â
Â
166. An IS auditor determines that secure software development standards were not applied to a recent development project completed by a third-party contractor, Which of the following is the MOST likely impact of the control failure?
A.      Possible source code exfiltration of the purchased software by the third party
B.      Possible fines to the third party that may affect future versions of the acquired software
C.      Potential inability to maintain the software duo to turnover at the third party
D.     Possible software vulnerabilities that could affect the confidentiality and integrity of customer data
Â
Answer: D
Â
Â
Â
Â
167. Which of the following should be the PRIMARY focus when developing an organization’s information security policies?
A.      Policies should be reissued on a frequent basis to address minor technology changes.
B.      Policies should be written at the highest level possible to communicate the intentions of the organization.
C.      Policies should be developed by the IT department to control security operations.
D.     Policies should be written at a technical level to focus on common security industry practices.
Â
Answer: B
Â
168. An IS auditor discovers that an organization shares private information with a third party without the approval of the data subjects. Which of the following privacy principles has been violated?
A.      Data minimization
B.      Free flow of information and legitimate restriction
C.      Choice and consent
D.     Individual participation
Â
Answer: C
Â
Â
169. An IS auditor extracts data from a travel and expenses system to determine whether employees are using the organization’s car for personal use. What type of audit is being performed?
A.      Functional audit
B.      Financial audit
C.      Compliance audit
D.     Fraud audit
Â
Answer: D
Â
170. Which of the following is the BEST source of information when assessing the amount of time a project will take?
A.      Scheduling budget
B.      Critical path analysis
C.      Gantt chart
D.     Workforce estimate
Â
Answer: B
Â
171. Which of the following responsibilities should remain within the client organization when subscribing to Database as a Service (DBaaS) offered by a third-party cloud service provider?
A.      Managing database patching and upgrades
B.      Managing application access control to the database
C.      Managing scheduled database backup and restoration
D.     Managing database server antimalware signature updates
Â
Answer: B
Â
Â
172. Which of the following would MOST help an Is auditor identify potential overpayments in a payroll process?
A.      report of the largest paychecks in the payroll cycle
B.      A report of material variances from previous payrolls
C.      A comparison of employee and vendor account numbers
D.     A review of employee and vendor addresses used for checks
Â
Answer: B
Â
Â
Â
173. Which of the following activities should be performed after an incident has been contained?
A.      Reporting on incident management-related metrics
B.      Developing an organization-wide communications plan
C.      Prioritizing and rating the incident
D.     Conducting log and audit analysis
Â
Answer: A
Â
Â
174. After safe evacuation of employees, which of the following should be the HIGHEST priority in disaster recovery planning?
A.      Minimization of financial losses
B.      Compliance with regulatory requirements
C.      Asset inventory count
D.     Restoration of services
Â
Answer: D
Â
175. Which of the following is an IS auditor’s MOST important course of action when performing a privacy impact assessment (PIA)?
A.      Identify the nature of personal information associated with the business process.
B.      Verify data masking is implemented on databases storing personal information.
C.      Identify global industry standards for privacy protection.
D.     Confirm that employees have completed data privacy training.
Â
Answer: A
Â
Â
Â
176. Which of the following should be an IS auditor’s PRIMARY focus when performing a server audit?
A.      Validating that administrators receive annual server security-related training
B.      Verifying that a monitoring framework exists for identifying potential security threats
C.      Reviewing the deployed password security controls for the administrators
D.     Verifying that access is granted on a need-to-know basis
Â
Answer: D
Â
177. Which of the following is the PRIMARY role of the release plan?
A.      It outlines the steps for database integration.
B.      It identifies all configuration items within an IT environment.
C.      It provides a timeline and schedule for deploying new releases into production.
D.     It evaluates the impact of proposed changes and updates to IT systems.
Â
Answer: C
Â
178. Which of the following is the MOST important area of focus for an IS auditor assessing the management of cryptographic keys in a public key infrastructure (PKI)?
A.      Reviewing key compromise detection activities
B.      Checking the subscription of the key management system
C.      Reviewing PKI documentation
D.     Identifying unusual activities by the key processors
Â
Answer: A
Â
179. An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?
A.      Adopt a service delivery model based on insights from peer organizations.
B.      Delegate business decisions to the to chief risk officer (CRO).
C.      Eliminate certain reports and key performance indicators (KPIs).
D.     Disable operational logging to enhance the processing speed and save storage.
Â
Answer: D
Â
Â
Â
180. Which of the following methods provides the MOST reliable audit evidence?
A.      Re-performance of controls
B.      Management attestation
C.      Inquiry
D.     Observation
Â
Answer: A
Â
181. Which of the following should an organization do FIRST when an employee is terminated for fraudulent activity?
A.      Review transactions approved by the employee.
B.      Backup the employee’s hard drive.
C.      Escort the employee off the premises.
D.     Disable the employee’s logical access.
Â
Answer: D
Â
Â
Â
Â
Â
182. Which of the following is the PRIMARY difference between a compliance audit and an operational audit?
A.      Compliance audits prioritize technology infrastructure, while operational audits focus on human resources.
B.      Compliance audits assess adherence to regulations, while operational audits evaluate the effectiveness of processes.
C.      Compliance audits focus solely on financial records, while operational audits encompass all aspects of an organization.
D.     Compliance audits are conducted by internal auditors, while operational audits are performed by external auditors.
Â
Answer: B
Â
183. Which of the following findings would be of GREATEST concern when reviewing project risk management practices?
A.      There are no formal milestone sign-offs.
B.      Qualitative risk analyses have not been updated.
C.      Ongoing issues are not formally tracked.
D.     Project management software is not being used.
Â
Answer: C
Â
Â
Â
184. Which of the following should be a concern to an IS auditor reviewing an organization’s use of a major cloud provider for Infrastructure as a Service (IaaS)?
A.      The IaaS service relies on the organization’s active directory domain.
B.      The IaaS service is connected to the organization’s network via a virtual private network (VPN).
C.      End users are able to create their own cloud server instances.
D.     The cloud governance policy was not reviewed within the last year by the IT department.
Answer: C
Â
Â
Â
185. Which of the following is the BEST evidence that a database management system (DBMS) is in compliance with the principle of atomicity?
A.      Key tables were not corrupted after a hardware failure.
B.      Concurrent controls were deployed during online processing.
C.      Constraints are used to ensure the integrity of processing.
D.     A partially completed transaction was reversed within 24 hours.
Â
Answer: D
Â
Â
Â
186. An IS audit team is reviewing point of sale (POS) system usage. The team encountered resistance from IT when requesting read-only access to databases containing merchant information. Which of the following is the BEST approach to address this concern?
A.      Provide a copy of the audit charter to IT.
B.      Obtain a list of the merchants from the customer service team.
C.      Escalate the issue to senior management.
D.     Deploy senior-level IS auditors to the engagement.
Â
Â
Answer: A
Â
Â
187. Which of the following reports BEST enables measuring service level agreement (SLA) compliance with a third-party provider?
A.      Availability reports from an internal automated monitoring tool
B.      Availability reports shared by another customer of the service provider
C.      Uptime reports from the service provider
D.     Downtime reports maintained by users
Â
Answer: A
Â
188. Which of the following is the GREATEST benefit of using statistical sampling techniques?
A.      It eliminates the need for substantive testing.
B.      It reduces the need for judgmental sampling.
C.      It enables the quantitative measurement of risk.
D.     It defines the range of tolerable sampling error.
Â
Answer: C
Â
Â
189. During an audit of a database server, which of the following would be considered the GREATEST risk?
A.      Database activity is not fully logged.
B.      The database has not been patched in the last month.
C.      The database’s default global security settings remain unchanged.
D.     The administrator account’s password does not expire.
Â
Answer: C
Â
190. The MOST important objective of a post-implementation audit is to:
A.      determine if the required objectives were met.
B.      seek approval for the next implementation phase.
C.      address lessons learned from the project.
D.     develop a process for continuous improvement.
Â
Answer: A
Â
191. Which of the following observations would be of GREATEST concern to an IS auditor reviewing a workflow and approval system used by a bank?
A.      Users can upload and download change documentation from the system.
B.      The system is slow in processing change searches and queries.
C.      The system’s approver matrix has not been reviewed in the past six months.
D.     Not all changes are managed through the system.
Â
Answer: D
Â
192. Which of the following is MOST important for an IS auditor to review when evaluating the completeness of an organization’s personal information inventory?
A.      Data encryption standards
B.      Data retention and destruction
C.      Data flows and interface diagrams
D.     Data ownership policy
Â
Answer: C
Â
193. When information processing has been outsourced to another organization, an IS auditor reviewing the contract should expect it to specify:
A.      audit objectives.
B.      backup and recovery processes.
C.      compliance with legal requirements.
D.     security administration processes.
Â
Answer: C
Â
Â
194. Which of the following would be of GREATEST concern to an IS auditor reviewing the enterprise architecture (EA) of a startup organization?
A.      Some IT assets in the EA model cannot be mapped to the business strategy.
B.      End users provided limited input to the development of the EA model.
C.      The implemented EA model is not commonly used in the industry.
D.     The final-state version of the EA has not yet been completed.
Â
Answer: A
Â
195. During a review of IT infrastructure, an IS auditor notices that storage resources are frequently being added. Which of the following is the auditor’s MOST important course of action?
A.      Review the capacity management process.
B.      Recommend the use of disk mirroring.
C.      Review the adequacy of offsite storage.
D.     Recommend the use of a compression algorithm.
Â
Â
Answer: A
Â
196. An internal IS auditor is informed that a recently installed data loss prevention (DLP) solution is producing reports with a large number of false positives. Which of the following is the auditor’s BEST recommendation?
A.      Adjust system performance metrics.
B.      Notify the vendor of the defective DLP product.
C.      Document the ineffective DLP controls in the organizational risk register.
D.     Continue to observe system performance to allow for fine tuning.
Â
Answer: D
Â
Â
Â
Â
197. In the event of a failed application upgrade, it is MOST important that change management plans incorporate:
A.      rollback plans.
B.      detailed testing evidence.
C.      change outage windows.
D.     change approval board review.
Â
Answer: A
Â
Â
198. An IS auditor is reviewing a development effort in which third-party programming personnel were used. Which of the following is MOST important for the auditor to consider?
A.      The impact to the cost and timeline estimates originally presented and approved by management
B.      The qualifications of third-party personnel and their knowledge of tools and techniques used within the organization
C.      Whether the code is reviewed independently from the third-party staff and ownership rights are maintained
D.     Whether background checks are conducted for individual third-party staff members
Â
Answer: C
Â
Â
199. Which of the following would be of GREATEST concern to an IS auditor reviewing data backups for a critical system?
A.      Backup logs are not available.
B.      Backups are logically accessible from the originating systems.
C.      Backups are stored in the same geographic area as the originating systems.
D.     Backups have not undergone restoration testing.
Â
Answer: D
Â
200. Which of the following is the PRIMARY reason for implementing continuous auditing?
A.      Risks are identified in a timely manner.
B.      Evidence is reviewed for completeness and accuracy.
C.      It is incorporated into continuous monitoring activities.
D.     Management is aware of issues in real time.
Â
Answer: A
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.