Â
201. Which of the following is CRITICAL to the successful establishment of an enterprise IT architecture?
A.      A well-defined data migration policy
B.      Organizational support for standardization
C.      Comparison of the architecture with that of other organizations
D.     An architecture encompassing only critical systems
Â
Answer: B
Â
Â
Â
202. In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:
A.      user requirements were met.
B.      test scenarios reflected operating activities.
C.      stakeholder expectations were identified.
D.     vendor product offered a viable solution.
Â
Answer: A
Â
203. An IS auditor is determining the scope for an upcoming audit. Which of the following BEST enables the auditor to ensure appropriate controls are considered?
A.      Reviewing previous audit reports
B.      Reviewing threat intelligence reports
C.      Performing a risk assessment
D.     Conducting interviews with IT staff
Â
Answer: C
Â
204. Which of the following is the MOST important consideration when defining an operational log management strategy?
A.      Industry benchmarking
B.      Audit recommendations
C.      Stakeholder requirements
D.     Event response procedures
Â
Answer: C
Â
Â
205. Which of the following will prevent a record from being deleted from a database parent table if it has associated records in child tables?
A.      Database lock
B.      Referential integrity
C.      Atomicity
D.     Normalization
Â
Â
Answer: B
Â
206. Which of the following is the MOST important consideration for an IS auditor when reviewing implementation, configuration, and release management?
A.      All changes go through formal change management.
B.      All changes are made by the IT department.
C.      All changes are approved by senior management.
D.     All changes are tested in the production environment.
Â
Â
Answer: A
Â
Â
207. Which of the following is an example of an application control?
A.      Changes to an enterprise resource planning (ERP) system are tested before moving to production.
B.      Security logs are collected and regularly reviewed.
C.      Purchase orders that do not pass a three-way match are put on hold.
D.     Software as a Service (SaaS) solutions are procured only after management’s approval.
Â
Answer: C
Â
208. An IS auditor has discovered that a software system still in regular use is outdated and no longer supported. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
A.      Isolate the outdated software system from the main network.
B.      Verify all patches have been applied to the outdated software system.
C.      Close all unused ports on the outdated software system.
D.     Encrypt network traffic to the outdated software system.
Â
Answer: A
Â
209. An organization has outsourced the maintenance of its customer database to an external vendor, and the vendor has requested live data to test the performance of the database. Which of the following is MOST important for the IS auditor to recommend?
A.      Ensure both parties agree the data will be destroyed after the testing is complete.
B.      Ensure the data is backed up before providing it to the vendor.
C.      Ensure sensitive field data is anonymized by random characters.
D.     Ensure data transfer details are specified in the service engagement contract.
Answer: C
Â
Â
210. Which of the following reporting lines should be of GREATEST concern and may cause potential conflicts of interest?
A.      IT governance reports to enterprise risk management (ERM).
B.      Audit reports to the CIO.
C.      The CISO reports to the CEO.
D.     IT security reports to IT risk.
Â
Answer: B
Â
Â
Â
211. Which of the following provides the BEST evidence that system requirements are met when evaluating a project before implementation?
A.      User acceptance testing (UAT) results
B.      Sign-off from senior management
C.      Regression testing results
D.     Integration testing results
Â
Â
Answer: A
Â
212. Which of the following provides the BEST assurance that a new database management system (DBMS) meets the requirements of local privacy regulations?
A.      General IT controls review
B.      Forensic audit
C.      Administrative audit
D.     Compliance audit
Â
Answer: D
Â
213. Which of the following findings should be of GREATEST concern during an audit of IT governance and management?
A.      There is no chief information security officer (CISO) position.
B.      The organization is not aligned with an international IT control standard.
C.      There is no IT representation in business strategy committee meetings.
D.     The IT strategy development process is not documented.
Â
Answer: C
Â
Â
Â
214. When adopted as part of an organization’s privacy program, which of the following is the PRIMARY objective of the data privacy impact assessment (PIA) process?
A.      Determining the necessity and proportionality of processing personal data
B.      Managing organizational risk that results from processing personal data
C.      Establishing criteria for recovering personal information
D.     Documenting compliance with organizational policies and procedures
Â
Answer: B
Â
215. Which of the following is a PRIMARY benefit of monitoring operational logs?
A.      It helps maintain evidence of the successful completion of IT operations.
B.      It helps IS auditors detect problems in IT infrastructure.
C.      It provides insight into the health of the IT infrastructure.
D.     It provides audit trails for transactions processed during IT operations.
Â
Answer: C
Â
Â
Â
216. Which of the following is a principle of the Agile software development process?
A.      Development phases should be isolated from each other.
B.      Clear documentation should be seen as the primary measure of progress.
C.      A linear approach should be used that requires phase completion before continuing.
D.     Changing requirements should be welcomed, even late in the development process.
Â
Answer: D
Â
Â
217. An IS auditor is reviewing the service level agreement (SLA) between the organization and an internet service provider (ISP). Which of the following would be of GREATEST concern to the auditor?
A.      Lack of a late payment clause
B.      Lack of an availability clause
C.      Lack of automated monitoring and measuring tools
D.     Lack of an escrow agreement
Â
Answer: B
Â
Â
218. Which of the following stakeholders is accountable for control evaluations during a control self-assessment (CSA)?
A.      Quality assurance (QA) team
B.      Departmental managers
C.      Chief internal auditor
D.     Enterprise risk management (ERM)
Â
Answer: B
Â
Â
Â
Â
219. Which of the following change controls reduces the risk of conflicting changes?
A.      Prioritizing changes based on when the change was requested
B.      Implementing changes that take the least amount of time first
C.      Prioritizing and implementing changes based on business need
D.     Utilizing a change advisory board to review change requests
Â
Â
Answer: D
Â
220. Which of the following BEST enables alignment of IT with business objectives?
A.      Establishing an IT governance policy
B.      Establishing key risk indicators (KRIs)
C.      Completing an IT risk assessment
D.     Developing an IT strategy roadmap
Â
Answer: D
Â
221. Which of the following is the BEST way to ensure personal data used for a data analytics project cannot be identified?
A.      Reidentification
B.      Randomization
C.      Tokenization
D.     Anonymization
Â
Answer: D
Â
222. Which of the following is the BEST way to address separation of duties issues in an organization with budget constraints?
A.      Hire temporary staff.
B.      Implement compensating controls.
C.      Rotate job duties periodically.
D.     Perform an independent audit.
Â
Answer: B
Â
223. Who would provide an IS auditor with the MOST helpful input during an interview to determine whether business requirements for an application were met?
A.      User management
B.      Project management
C.      Project sponsors
D.     Senior management
Â
Answer: A
Â
224. Which of the following is MOST important to consider when developing a service level agreement (SLA)?
A.      Description of the services from the viewpoint of the provider
B.      Detailed identification of work to be completed
C.      Provisions for regulatory requirements that impact the end users’ businesses
D.     Description of the services from the viewpoint of the client organization
Â
Answer: D
Â
Â
225. Which of the following is the PRIMARY advantage of establishing a control self-assessment (CSA) program?
A.      Reduction in control cost
B.      Early detection of risk
C.      Improvement in audit rating processes
D.     Engagement of senior management
Â
Â
Answer: B
Â
Â
Â
226. Upon completion of a penetration test with findings for an IT system, the NEXT step should be:
A.      remediation and retesting.
B.      analyzing all changes made to the system.
C.      maintaining the confidentiality of the testing report.
D.     vulnerability scanning and reconfirmation.
Â
Answer: A
Â
Â
227. Which of the following business continuity activities prioritizes the recovery of critical functions?
A.      Disaster recovery plan (DRP) testing
B.      Business impact analysis (BIA)
C.      Business continuity plan (BCP) testing
D.     Risk assessment
Â
Answer: B
Â
Â
Â
Â
Â
Â
Â
Â
228. When reviewing previous disaster recovery test results, which of the following is MOST important for an IS auditor to validate?
A.      Database restoration and failover was according to the recovery point objective (RPO).
B.      The head of operations verified the plan activation criteria was met prior to beginning the restoration.
C.      Database restoration and failover was within the recovery time objective (RTO).
D.     Information security leadership reviewed and approved the test results.
Â
Answer: C
Â
Â
229. Which of the following is the BEST preventive control to manage the risks associated with shadow IT?
A.      Using automated asset discovery tools
B.      Restricting software installation to privileged users
C.      Restricting user access during off-hours
D.     Implementing multi-factor authentication (MFA)
Â
Answer: B
Â
Â
Â
Â
230. An IS auditor is conducting an audit of a very large e-commerce platform. Which of the following techniques BEST enables the auditor to identify web application security flaws?
A.      Code review
B.      Penetration testing
C.      Logical security testing
D.     Vulnerability scanning
Â
Answer: D
Â
231. Which of the following is the MOST significant risk an acquiring organization with mature configuration management should consider when integrating the IT systems of the acquired organization?
A.      Process inefficiency
B.      Higher system costs
C.      User satisfaction
D.     System instability
Â
Answer: D
Â
Â
Â
232. An emergency power-off switch should:
A.      be remotely accessible.
B.      be protected.
C.      be under dual control.
D.     not be identified.
Â
Answer: B
Â
233. Which of the following should be of GREATEST concern to an IS auditor when reviewing an organization’s recent implementation of third-party software?
A.      The contract does not contain a right to audit.
B.      Unit testing was not performed, though system testing was.
C.      Vendor selection did not include a security assessment.
D.     Vendor selection included only two suppliers.
Â
Answer: C
Â
Â
234. An administrator performs firewall configuration changes for a small organization. Which of the following is the BEST compensating control to mitigate the risk of unauthorized changes in this situation?
A.      Obtaining supervisor approval for implementation
B.      Restricting administrator access to the firewall
C.      Requiring log review by management
D.     Conducting an annual audit
Â
Answer: A
Â
Â
235. Which of the following scenarios would MOST likely raise a concern about auditor independence?
A.      The auditor attended design and development meetings to monitor progress.
B.      The auditor used to manage the same business process at a different organization.
C.      The auditor was on the implementation team of a project currently being audited.
D.     The auditor has not completed annual business ethics training.
Â
Â
Answer: C
Â
Â
Â
Â
236. Which of the following BEST enables an organization to optimize the performance of IT assets?
A.      Key performance indicators (KPIs) for IT assets are aligned with business goals.
B.      Performance is measured using quantitative methods.
C.      Performance is aligned with manufacturer recommendations.
D.     A process for performance reporting has been established.
Â
Â
Answer: A
Â
237. During a follow-up audit, an IS auditor learns that management has deferred the implementation of a previously agreed-upon recommendation. What is the responsibility of the auditor?
A.      Assess the impact of any risks the decision may pose to the organization.
B.      Report the decision to defer the implementation to the steering committee.
C.      Amend the final report to reflect the decision to defer the implementation.
D.     Obtain commitment from management to implement the recommendations.
Â
Answer: A
Â
238. Which of the following has the GREATEST impact on the level of risk for an application?
A.      Maintenance costs
B.      Regulatory requirements
C.      Vendor engagement
D.     Ownership change
Â
Answer: B
Â
Â
239. Which of the following should be an IS auditor’s PRIMARY focus during a preliminary process review?
A.      Exceptional business events that may be outside the scope of the audit project
B.      Unauthorized access to business resources that may constitute a breach
C.      Inconsistencies between process documents that may lead to misunderstandings
D.     Potential risks that may negatively impact business results
Â
Â
Answer: D
Â
Â
240. Which of the following should be an organization’s PRIMARY consideration when deciding whether to develop software in-house or purchase it from an external vendor?
A.      Alignment with business objectives
B.      Availability of IT resources
C.      Compatibility with existing IT infrastructure
D.     Alignment with industry best practices
Â
Answer: A
Â
241. Which of the following should be the GREATEST concern for an IS auditor assessing an organization’s disaster recovery plan (DRP)?
A.      The DRP does not include the recovery the time objective (RTO) for a key system.
B.      The DRP was developed by the IT department.
C.      The DRP has not been tested during the past three years.
D.     The DRP has not been updated for two years.
Â
Answer: C
Â
242. Visitors to a data center are required to present an ID and pre-approved documents. Which type of control has been implemented?
A.      Administrative control
B.      Detective control
C.      Corrective control
D.     Preventive control
Â
Â
Answer: D
243. Which of the following is MOST important to have in place for an organization’s risk management program?
A.      An established and proven risk assessment technique
B.      A clear understanding of the organization’s risk appetite
C.      A risk management team that periodically assesses and manages risks
D.     Subject matter experts who provide necessary guidance on specific risks
Â
Answer: B
Â
Â
244. Which of the following is the BEST compensating control against separation of duties conflicts in new code development?
A.      Creation of staging environments
B.      Adding the developers to the change approval board
C.      A small number of people have access to deploy code
D.     Post-implementation change review
Â
Answer: D
Â
Â
245. Following a merger, a review of an international organization determines the IT steering committee’s decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor’s BEST recommendation?
A.      Update the IT steering committee’s formal charter.
B.      Engage an IT governance consultant.
C.      Create regional IT steering committees.
D.     Create regional centers of excellence.
Â
Â
Answer: A
246. In operational log management, which of the following BEST ensures the availability of log data?
A.      Regular cleaning and sorting of log data
B.      Regular compression of stored log data
C.      Regular testing of log data backups
D.     Regular analysis and reporting of log data
Â
Answer: C
Â
Â
247. Which of the following is a KEY metric used to measure the effectiveness of quality assurance (QA) processes for software development?
A.      Server uptime
B.      Employee turnover rate
C.      Resolved IT support tickets
D.     Defect density
Â
Â
Answer: D
Â
248. An IS auditor has determined that an internally developed application did not meet user specifications. To determine the root cause, which phase of the system development life cycle (SDLC) should the auditor examine FIRST?
A.      Testing phase
B.      Maintenance phase
C.      Development phase
D.     Implementation phase
Answer: A
Â
249. Outsourcing the IS function releases an organization from responsibility for:
A.   auditing outsourced operations.
B.   retaining IS personnel.
C.   the quality of customer service.
D.     the quality of information services.
Â
Â
Answer: B
Â
250. Which of the following is MOST useful for determining the appropriate system recovery time?
A.      Service level agreement (SLA)
B.      Recovery point objective (RPO)
C.      Business impact analysis (BIA)
D.     Key risk indicators (KRIs)
Â
Â
Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.