Special Summer Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Isaca CISA Certified Information Systems Auditor Exam Practice Test

Page: 1 / 140
Total 1404 questions

Certified Information Systems Auditor Questions and Answers

Question 1

Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?

Options:

A.

Function point analysis

B.

Work breakdown structure

C.

Critical path analysts

D.

Software cost estimation

Question 2

Which of the following is MOST important for an IS auditor to validate when auditing network device management?

Options:

A.

Devices cannot be accessed through service accounts.

B.

Backup policies include device configuration files.

C.

All devices have current security patches assessed.

D.

All devices are located within a protected network segment.

Question 3

An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?

Options:

A.

Key performance indicator (KPI) monitoring

B.

Change management

C.

Configuration management

D.

Quality assurance (QA)

Question 4

Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?

Options:

A.

Degaussing

B.

Random character overwrite

C.

Physical destruction

D.

Low-level formatting

Question 5

In an IT organization where many responsibilities are shared which of the following is the BEST control for detecting unauthorized data changes?

Options:

A.

Users are required to periodically rotate responsibilities

B.

Segregation of duties conflicts are periodically reviewed

C.

Data changes are independently reviewed by another group

D.

Data changes are logged in an outside application

Question 6

When auditing the feasibility study of a system development project, the IS auditor should:

Options:

A.

review qualifications of key members of the project team.

B.

review the request for proposal (RFP) to ensure that it covers the scope of work.

C.

review cost-benefit documentation for reasonableness.

D.

ensure that vendor contracts are reviewed by legal counsel.

Question 7

An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?

Options:

A.

Backlog consumption reports

B.

Critical path analysis reports

C.

Developer status reports

D.

Change management logs

Question 8

Which of the following is the BEST way to prevent social engineering incidents?

Options:

A.

Maintain an onboarding and annual security awareness program.

B.

Ensure user workstations are running the most recent version of antivirus software.

C.

Include security responsibilities in job descriptions and require signed acknowledgment.

D.

Enforce strict email security gateway controls

Question 9

Audit frameworks cart assist the IS audit function by:

Options:

A.

defining the authority and responsibility of the IS audit function.

B.

providing details on how to execute the audit program.

C.

providing direction and information regarding the performance of audits.

D.

outlining the specific steps needed to complete audits

Question 10

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

Options:

A.

Stronger data security

B.

Better utilization of resources

C.

Increased application performance

D.

Improved disaster recovery

Question 11

Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''

Options:

A.

Steps taken to address identified vulnerabilities are not formally documented

B.

Results are not reported to individuals with authority to ensure resolution

C.

Scans are performed less frequently than required by the organization's vulnerability scanning schedule

D.

Results are not approved by senior management

Question 12

The FIRST step in auditing a data communication system is to determine:

Options:

A.

traffic volumes and response-time criteria

B.

physical security for network equipment

C.

the level of redundancy in the various communication paths

D.

business use and types of messages to be transmitted

Question 13

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs) Which of the following findings should be of MOST concern to the auditor?

Options:

A.

KPI data is not being analyzed

B.

KPIs are not clearly defined

C.

Some KPIs are not documented

D.

KPIs have never been updated

Question 14

The operations team of an organization has reported an IS security attack Which of the following should be the FIRST step for the security incident response team?

Options:

A.

Report results to management

B.

Document lessons learned

C.

Perform a damage assessment

D.

Prioritize resources for corrective action

Question 15

An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?

Options:

A.

Report the variance immediately to the audit committee

B.

Request an explanation of the variance from the auditee

C.

Increase the sample size to 100% of the population

D.

Exclude the transaction from the sample population

Question 16

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

Options:

A.

The information security policy has not been approved by the chief audit executive (CAE).

B.

The information security policy does not include mobile device provisions

C.

The information security policy is not frequently reviewed

D.

The information security policy has not been approved by the policy owner

Question 17

Which of the following is the BEST source of information for examining the classification of new data?

Options:

A.

Input by data custodians

B.

Security policy requirements

C.

Risk assessment results

D.

Current level of protection

Question 18

Which of the following is an IS auditor's BEST approach when prepanng to evaluate whether the IT strategy supports the organization's vision and mission?

Options:

A.

Review strategic projects tor return on investments (ROls)

B.

Solicit feedback from other departments to gauge the organization's maturity

C.

Meet with senior management to understand business goals

D.

Review the organization's key performance indicators (KPls)

Question 19

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Options:

A.

Degradation of services

B.

Limited tolerance for damage

C.

Decreased mean time between failures (MTBF)

D.

Single point of failure

Question 20

An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?

Options:

A.

implement a control self-assessment (CSA)

B.

Conduct a gap analysis

C.

Develop a maturity model

D.

Evaluate key performance indicators (KPIs)

Question 21

Which of following is MOST important to determine when conducting a post-implementation review?

Options:

A.

Whether the solution architecture compiles with IT standards

B.

Whether success criteria have been achieved

C.

Whether the project has been delivered within the approved budget

D.

Whether lessons teamed have been documented

Question 22

Which of the following is MOST important during software license audits?

Options:

A.

Judgmental sampling

B.

Substantive testing

C.

Compliance testing

D.

Stop-or-go sampling

Question 23

Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

Options:

A.

Industry regulations

B.

Industry standards

C.

Incident response plan

D.

Information security policy

Question 24

Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?

Options:

A.

Enforce a secure tunnel connection.

B.

Enhance internal firewalls.

C.

Set up a demilitarized zone (DMZ).

D.

Implement a secure protocol.

Question 25

Which of the following is the MOST important Issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

Options:

A.

Continuity of service

B.

Identity management

C.

Homogeneity of the network

D.

Nonrepudiation

Question 26

While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:

Options:

A.

data classifications are automated.

B.

a data dictionary is maintained.

C.

data retention requirements are clearly defined.

D.

data is correctly classified.

Question 27

Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD)

policy to help prevent data leakage?

Options:

A.

Require employees to waive privacy rights related to data on BYOD devices.

B.

Require multi-factor authentication on BYOD devices,

C.

Specify employee responsibilities for reporting lost or stolen BYOD devices.

D.

Allow only registered BYOD devices to access the network.

Question 28

Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

Options:

A.

Only new employees are required to attend the program

B.

Metrics have not been established to assess training results

C.

Employees do not receive immediate notification of results

D.

The timing for program updates has not been determined

Question 29

An organization implemented a cybersecurity policy last year Which of the following is the GREATE ST indicator that the policy may need to be revised?

Options:

A.

A significant increase in authorized connections to third parties

B.

A significant increase in cybersecurity audit findings

C.

A significant increase in approved exceptions

D.

A significant increase in external attack attempts

Question 30

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

Options:

A.

To enable conclusions about me performance of the processes and target variances tor follow-up analysis

B.

To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value

C.

To assess the functionality of a software deliverable based on business processes

Question 31

When is it MOST important for an IS auditor to apply the concept of materiality in an audit?

Options:

A.

When planning an audit engagement

B.

When gathering information for the fieldwork

C.

When a violation of a regulatory requirement has been identified

D.

When evaluating representations from the auditee

Question 32

An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center, which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan (ORP).

B.

The SLA has not been reviewed in more than a year.

C.

Backup data is hosted online only.

D.

The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan (DRP).

Question 33

Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?

Options:

A.

Data leakage as a result of employees leaving to work for competitors

B.

Noncompliance fines related to storage of regulated information

C.

Unauthorized logical access to information through an application interface

D.

Physical theft of media on which information is stored

Question 34

An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?

Options:

A.

Security procedures may be inadequate to support the change

B.

A distributed security system is inherently a weak security system

C.

End-user acceptance of the new system may be difficult to obtain

D.

The new system will require additional resources

Question 35

When classifying information, it is MOST important to align the classification to:

Options:

A.

business risk

B.

security policy

C.

data retention requirements

D.

industry standards

Question 36

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

Options:

A.

The vendor's process appropriately sanitizes the media before disposal

B.

The contract includes issuance of a certificate of destruction by the vendor

C.

The vendor has not experienced security incidents in the past.

D.

The disposal transportation vehicle is fully secure

Question 37

Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?

Options:

A.

Lessons learned were documented and applied.

B.

Business and IT stakeholders participated in the post-implementation review.

C.

Post-implementation review is a formal phase in the system development life cycle (SDLC).

D.

Internal audit follow-up was completed without any findings.

Question 38

Which of the following is the BEST method to delete sensitive information from storage media that will be reused?

Options:

A.

Crypto-shredding

B.

Multiple overwriting

C.

Reformatting

D.

Re-partitioning

Question 39

Which of the following is the MOST important responsibility of user departments associated with program changes?

Options:

A.

Providing unit test data

B.

Analyzing change requests

C.

Updating documentation lo reflect latest changes

D.

Approving changes before implementation

Question 40

Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?

Options:

A.

Integration testing

B.

Regression testing

C.

Automated testing

D.

User acceptance testing (UAT)

Question 41

Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?

Options:

A.

Policies and procedures for managing documents provided by department heads

B.

A system-generated list of staff and their project assignments. roles, and responsibilities

C.

Previous audit reports related to other departments' use of the same system

D.

Information provided by the audit team lead an the authentication systems used by the department

Question 42

Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

Options:

A.

IT value analysis

B.

Prior audit reports

C.

IT balanced scorecard

D.

Vulnerability assessment report

Question 43

After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit Which of the following risks is MOST affected by this oversight?

Options:

A.

Inherent

B.

Operational

C.

Audit

D.

Financial

Question 44

An organization is shifting to a remote workforce In preparation the IT department is performing stress and capacity testing of remote access infrastructure and systems What type of control is being implemented?

Options:

A.

Directive

B.

Detective

C.

Preventive

D.

Compensating

Question 45

A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger. and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?

Options:

A.

unit testing

B.

Network performance

C.

User acceptance testing (UAT)

D.

Regression testing

Question 46

The use of control totals satisfies which of the following control objectives?

Options:

A.

Transaction integrity

B.

Processing integrity

C.

Distribution control

D.

System recoverability

Question 47

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST

Options:

A.

Escalate to audit management to discuss the audit plan

B.

Notify the chief operating officer (COO) and discuss the audit plan risks

C.

Exclude IS audits from the upcoming year's plan

D.

Increase the number of IS audits in the clan

Question 48

Which of the following would be the BEST process for continuous auditing to a large financial Institution?

Options:

A.

Testing encryption standards on the disaster recovery system

B.

Validating access controls for real-time data systems

C.

Performing parallel testing between systems

D.

Validating performance of help desk metrics

Question 49

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?

Options:

A.

Antivirus software was unable to prevent the attack even though it was properly updated

B.

The most recent security patches were not tested prior to implementation

C.

Backups were only performed within the local network

D.

Employees were not trained on cybersecurity policies and procedures

Question 50

To mitigate the risk of exposing data through application programming interface (API) queries. which of the following design considerations is MOST important?

Options:

A.

Data retention

B.

Data minimization

C.

Data quality

D.

Data integrity

Question 51

Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?

Options:

A.

The method relies exclusively on the use of asymmetric encryption algorithms.

B.

The method relies exclusively on the use of 128-bit encryption.

C.

The method relies exclusively on the use of digital signatures.

D.

The method relies exclusively on the use of public key infrastructure (PKI).

Question 52

Which of the following is MOST effective for controlling visitor access to a data center?

Options:

A.

Visitors are escorted by an authorized employee

B.

Pre-approval of entry requests

C.

Visitors sign in at the front desk upon arrival

D.

Closed-circuit television (CCTV) is used to monitor the facilities

Question 53

In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?

Options:

A.

Implementation

B.

Development

C.

Feasibility

D.

Design

Question 54

An IS auditor Is renewing the deployment of a new automated system Which of the following findings presents the MOST significant risk?

Options:

A.

The new system has resulted m layoffs of key experienced personnel.

B.

Users have not been trained on the new system.

C.

Data from the legacy system is not migrated correctly to the new system.

D.

The new system is not platform agnostic

Question 55

A web proxy server for corporate connections to external resources reduces organizational risk by:

Options:

A.

anonymizing users through changed IP addresses.

B.

providing multi-factor authentication for additional security.

C.

providing faster response than direct access.

D.

load balancing traffic to optimize data pathways.

Question 56

A vendor requires privileged access to a key business application. Which of the following is the BEST recommendation to reduce the risk of data leakage?

Options:

A.

Implement real-time activity monitoring for privileged roles

B.

Include the right-to-audit in the vendor contract

C.

Perform a review of privileged roles and responsibilities

D.

Require the vendor to implement job rotation for privileged roles

Question 57

Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization1?

Options:

A.

Readily available resources such as domains and risk and control methodologies

B.

Comprehensive coverage of fundamental and critical risk and control areas for IT governance

C.

Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies

D.

Wide acceptance by different business and support units with IT governance objectives

Question 58

With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?

Options:

A.

A business impact analysis (BIA) has not been performed

B.

Business data is not sanitized in the development environment

C.

There is no plan for monitoring system downtime

D.

The process owner has not signed off on user acceptance testing (UAT)

Question 59

An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?

Options:

A.

Key business process end users did not participate in the business impact " analysis (BIA)

B.

Copies of the BCP have not been distributed to new business unit end users sjnce the reorganization

C.

A test plan for the BCP has not been completed during the last two years

Question 60

Which of the following should an IS auditor review when evaluating information systems governance for a large organization?

Options:

A.

Approval processes for new system implementations

B.

Procedures for adding a new user to the invoice processing system

C.

Approval processes for updating the corporate website

D.

Procedures for regression testing system changes

Question 61

A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

Options:

A.

Trace a sample of complete PCR forms to the log of all program changes

B.

Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date

C.

Review a sample of PCRs for proper approval throughout the program change process

D.

Trace a sample of program change from the log to completed PCR forms

Question 62

Which of the following should be the FIRST step when conducting an IT risk assessment?

Options:

A.

Identify potential threats.

B.

Assess vulnerabilities.

C.

Identify assets to be protected.

D.

Evaluate controls in place.

Question 63

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves

for care?

Options:

A.

Infrastructure as a Service (laaS) provider

B.

Software as a Service (SaaS) provider

C.

Network segmentation

D.

Dynamic localization

Question 64

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

Options:

A.

The policy aligns with corporate policies and practices.

B.

The policy aligns with global best practices.

C.

The policy aligns with business goals and objectives.

D.

The policy aligns with local laws and regulations.

Question 65

An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine exposure to the business

B.

Adjust future testing activities accordingly

C.

Increase monitoring for security incidents

D.

Hire a third party to perform security testing

Question 66

Which of the following is the BEST way to minimize sampling risk?

Options:

A.

Use a larger sample size

B.

Perform statistical sampling

C.

Perform judgmental sampling

D.

Enhance audit testing procedures

Question 67

A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system Which of the following is the IS auditors BEST recommendation?

Options:

A.

Enable automatic encryption decryption and electronic signing of data files

B.

implement software to perform automatic reconciliations of data between systems

C.

Have coders perform manual reconciliation of data between systems

D.

Automate the transfer of data between systems as much as feasible

Question 68

Which of the following is the MAJOR advantage of automating internal controls?

Options:

A.

To enable the review of large value transactions

B.

To efficiently test large volumes of data

C.

To help identity transactions with no segregation of duties

D.

To assist in performing analytical reviews

Question 69

During an audit which of the following would be MOST helpful in establishing a baseline for measuring data quality?

Options:

A.

Input from customers

B.

Industry standard business definitions

C.

Validation of rules by the business

D.

Built-in data error prevention application controls

Question 70

Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?

Options:

A.

Parallel changeover

B.

Modular changeover

C.

Phased operation

D.

Pilot operation

Question 71

What is the MOST effective way to detect installation of unauthorized software packages by employees?

Options:

A.

Regular scanning of hard drives

B.

Communicating the policy to employees

C.

Logging of activity on the network

D.

Maintaining current antivirus software

Question 72

An IS auditor is reviewing an organizations release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?

Options:

A.

Critical path methodology

B.

Agile development approach

C.

Function point analysis

D.

Rapid application development

Question 73

Which of the following would present the GREATEST risk within a release management process for a new application?

Options:

A.

Procedures are not updated to coincide with the production release schedule.

B.

Code is deployed to production without authorization.

C.

A newly added program may overwrite existing production files.

D.

An identified bug was not resolved.

Question 74

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The transfer protocol does not require authentication.

B.

The quality of the data is not monitored.

C.

Imported data is not disposed of frequently.

D.

The transfer protocol is not encrypted.

Question 75

Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?

Options:

A.

Tracking devices used for spare parts

B.

Creating the device policy

C.

vIssuing devices to employees

D.

Approving the issuing of devices

Question 76

Which of the following should be the IS auditor's PRIMARY focus when evaluating an organizations offsite storage facility?

Options:

A.

Adequacy of physical and environmental controls

B.

Results of business continuity plan (BCP) tests

C.

Shared facilities

D.

Retention policy and period

Question 77

Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization's corporate network?

Options:

A.

The production configuration does not conform to corporate policy.

B.

Responsibility for the firewall administration rests with two different divisions.

C.

Industry hardening guidance has not been considered.

D.

The firewall configuration file is extremely long and complex.

Question 78

Which of the following is PRIMARILY used in blockchain technology to create a distributed immutable ledger?

Options:

A.

Artificial intelligence (Al)

B.

Application hardening

C.

Edge computing

D.

Encryption

Question 79

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of

MOST concern?

Options:

A.

Confidentiality of the user list

B.

Timeliness of the user list review

C.

Completeness of the user list

D.

Availability of the user list

Question 80

Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?

Options:

A.

IS audit manager

B.

Audit committee

C.

Business owner

D.

Project sponsor

Question 81

Which of the following would be MOST important to include in an IS audit report?

Options:

A.

Observations not reported as findings due to inadequate evidence

B.

The roadmap for addressing the various risk areas

C.

The level of unmitigated risk along with business impact

D.

Specific technology solutions for each audit observation

Question 82

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.

Risk acceptance

B.

Risk transfer

C.

Risk reduction

D.

Risk avoidance

Question 83

During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed, as management has decided to accept the risk. Which of the following is the IS auditors BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Update the audit program based on management's acceptance of risk.

C.

Evaluate senior management's acceptance of the risk.

D.

Adjust the annual risk assessment accordingly.

Question 84

Which of the following is the MOST effective control when granting access to a service provider for a ctoud-6ased application?

Options:

A.

Administrator access is provided for a limited period with an expiration date.

B.

Access has been provided on a need-to-know basis.

C.

User IDs are deleted when work is completed.

D.

Access is provided to correspond with the service level agreement (SLA).

Question 85

Which of the following BEST mitigates the risk of SQL injection attacks against applications exposed to the internet?

Options:

A.

Web application firewall (WAF)

B.

SQL server hardening

C.

Patch management program

D.

SQL server physical controls

Question 86

Which of the following should be done FIRST when creating a data protection program?

Options:

A.

Implement data loss prevention (DLP) controls.

B.

Perform classification based on standards.

C.

Deploy intrusion detection systems (IDS).

D.

Test logical access controls for effectiveness.

Question 87

Which of the following is the BEST reason for software developers to use automated testing versus manual testing?

Options:

A.

CAATs are easily developed

B.

Improved regression testing

C.

Ease of maintaining automated test scripts

D.

Reduces the scope of acceptance testing

Question 88

An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?

Options:

A.

Replace the API key with time-limited tokens that grant least privilege access.

B.

Authorize the API key to allow read-only access by all applications.

C.

Implement a process to expire the API key after a previously agreed-upon period of time.

D.

Coordinate an API key rotation exercise with all impacted application owners.

Question 89

An IS auditor discovers that backups of critical systems are not being performed in accordance with the recovery point objective (RPO) established in the business continuity plan (BCP). What should the auditor do NEXT?

Options:

A.

Request an immediate backup be performed.

B.

Expand the audit scope.

C.

Identify the root cause.

D.

Include the observation in the report.

Question 90

Which of the following issues identified during a formal review of an organization's information security policies presents the GREATEST potential risk to the organization?

Options:

A.

The policies are not available to key risk stakeholders.

B.

The policies have not been reviewed by the risk management committee.

C.

The policies are not aligned with the information security risk appetite.

D.

The policies are not based on industry best practices for information security.

Question 91

Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?

Options:

A.

Automated patching jobs and immediate restart

B.

Automated patching jobs followed by a scheduled restart outside of business hours

C.

End users can initiate patching including subsequent system restarts

D.

Applying only those patches not requiring a system restart

Question 92

Which of the following is the MOST important reason for an organization to automate data purging?

Options:

A.

Protection against privacy breaches

B.

Storage cost reduction

C.

Disaster recovery planning

D.

Ransomware protection

Question 93

Aligning IT strategy with business strategy PRIMARILY helps an organization to:

Options:

A.

Increase involvement of senior management in IT.

B.

Optimize investments in IT.

C.

Create risk awareness across business units.

D.

Monitor the effectiveness of IT.

Question 94

During the audit of an enterprise resource planning (ERP) system, an IS auditor found an applicationpatch was applied to the production environment. It is MOST

important for the IS auditor to verify approval from the:

Options:

A.

information security officer.

B.

system administrator.

C.

information asset owner.

D.

project manager.

Question 95

Which of the following is a PRIMARY function of an intrusion detection system (IDS)?

Options:

A.

Predicting an attack before it occurs

B.

Alerting when a scheduled backup job fails

C.

Blocking malicious network traffic

D.

Warning when executable programs are modified

Question 96

Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?

Options:

A.

Design and application of key controls in public audit

B.

Security strategy in public cloud Infrastructure as a Service (IaaS)

C.

Modern encoding methods for digital communications

D.

Technology and process life cycle for digital certificates and key pairs

Question 97

Which of the following is MOST important to define within a disaster recovery plan (DRP)?

Options:

A.

A comprehensive list of disaster recovery scenarios and priorities

B.

Business continuity plan (BCP)

C.

Test results for backup data restoration

D.

Roles and responsibilities for recovery team members

Question 98

Which of the following is the MOST important consideration of any disaster response plan?

Options:

A.

Lost revenue

B.

Personnel safety

C.

IT asset protection

D.

Adequate resource capacity

Question 99

which of the following is a core functionality of a configuration and release management system?

Options:

A.

Managing privileged access to databases servers and infrastructure

B.

Identifying vulnerabilities in configuration settings

C.

Deploying a configuration change to the sandbox environment

D.

Identifying other configuration items that will be impacted by a given change

Question 100

Which type of security testing is MOST efficient for finding hidden errors in software and facilitating source code optimization?

Options:

A.

User acceptance testing (UAT)

B.

Black box testing

C.

White box testing

D.

Penetration testing

Question 101

An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software. Which of the following would be MOST helpful to review?

Options:

A.

Service level agreements (SLAs)

B.

Project steering committee charter

C.

IT audit reports

D.

Enterprise architecture (EA)

Question 102

Which of the following is the PRIMARY purpose of batch processing monitoring?

Options:

A.

To comply with security standards

B.

To summarize the batch processing reporting

C.

To log error events in batch processing

D.

To prevent an incident that may result from batch failure

Question 103

Which of the following is MOST helpful in identifying system performance constraints?

Options:

A.

Security logs

B.

Directory service logs

C.

Proxy logs

D.

Operational logs

Question 104

Which of the following can BEST reduce the impact of a long-term power failure?

Options:

A.

Power conditioning unit

B.

Emergency power-off switches

C.

Battery bank

D.

Redundant power source

Question 105

Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?

Options:

A.

It identifies legal obligations that may be incurred as a result of business service disruptions

B.

It provides updates on the risk level of disasters that may occur

C.

It delineates employee responsibilities that the organization must fulfill in a crisis

D.

It helps prioritize the restoration of systems and applications

Question 106

An organization is implementing a data loss prevention (DLP) system in response to a new regulatory requirement Reviewing. which of the following would be MOST helpful in evaluating the system's design?

Options:

A.

System manuals

B.

Enterprise architecture (EA)

C.

Historical record of data breaches

D.

Industry trends

Question 107

Control self-assessments (CSAs) can be used to:

Options:

A.

Determine the value of assets.

B.

Establish baselines.

C.

Evaluate strategic business goals.

D.

Replace audits.

Question 108

Which of the following is the MOST efficient way to identify fraudulent activity on a set of transactions?

Options:

A.

Control self-assessments (CSAs)

B.

Interviews with control owners

C.

Regression analysis

D.

Benford’s law analysis

Question 109

Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?

Options:

A.

Provide notification to employees about possible email monitoring.

B.

Develop an information classification scheme.

C.

Require all employees to sign nondisclosure agreements (NDAs).

D.

Develop an acceptable use policy for end-user computing (EUC).

Question 110

A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?

Options:

A.

Ensure that code has been reviewed.

B.

Perform user acceptance testing (UAT).

C.

Document last-minute enhancements.

D.

Perform a pre-implementation audit.

Question 111

A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?

Options:

A.

Revenue lost due to application outages

B.

Patching performed by the vendor

C.

A large number of scheduled database changes

D.

The presence of a single point of failure

Question 112

Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?

Options:

A.

To verify that risks listed in the audit report have been properly mitigated

B.

To identify new risks and controls for the organizationTo ensure senior management is aware of the audit findingsTo align the management action plans with business requirements

Question 113

While conducting a follow-up on an asset management audit, the IS auditor finds paid invoices for IT devices not recorded in the organization's inventory. Which of the following is the auditor's BEST course of action?

Options:

A.

Ask the asset management staff where the devices are.

B.

Alert both audit and operations management about the discrepancy.

C.

Ignore the invoices since they are not part of the follow-up.

D.

Make a note of the evidence to include it in the scope of a future audit.

Question 114

Which of the following should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA)?

Options:

A.

A risk assessment was not conducted prior to completing the BIA.

B.

System criticality information was only provided by the IT manager.

C.

A questionnaire was used to gather information as opposed to in-person interviews.

D.

The BIA was not signed off by executive management.

Question 115

Which of the following is the MOST important task of an IS auditor during an application post-implementation review?

Options:

A.

Conduct a business impact analysis (BIA)

B.

Perform penetration testing

C.

identify project delays

D.

Verify user access controls

Question 116

Which of the following MOST effectively enables consistency across high-volume software changes'?

Options:

A.

The use of continuous integration and deployment pipelines

B.

Management reviews of detailed exception reports for released code

C.

Publication of a refreshed policy on development and release management

D.

An ongoing awareness campaign for software deployment best practices

Question 117

An IS auditor observes that an organization's systems are being used for cryptocurrency mining on a regular basis. Which of the following is the auditor's FIRST course of action?

Options:

A.

Report the incident immediately.

B.

Recommend changing the organization's firewall settings.

C.

Consult the organization's acceptable use policy.

D.

Require mining software to be uninstalled.

Question 118

An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget. Which of the following is the GREATEST risk to communicate to senior management?

Options:

A.

Noncompliance with project methodology

B.

Inability to achieve expected benefits

C.

Increased staff turnover

D.

Project abandonment

Question 119

Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?

Options:

A.

Information security policy

B.

Industry standards

C.

Incident response plan

D.

Industry regulations

Question 120

Which of the following is the BEST approach to help organizations address risks associated with shadow IT?

Options:

A.

Implementing policies that prohibit the use of unauthorized systems and solutions

B.

Training employees on information security and conducting routine follow-ups

C.

Providing employees with access to necessary systems and unlimited software licenses

D.

Conducting regular security assessments to identify unauthorized systems and solutions

Question 121

Which of the following is the PRIMARY benefit of monitoring IT operational logs?

Options:

A.

Detecting processing errors in a timely manner

B.

Identifying configuration flaws in operating systems

C.

Managing the usability and capacity of IT resources

D.

Generating exception reports to assess security compliance

Question 122

An organization has moved all of its infrastructure to the cloud. Which of the following would be an IS auditor’s GREATEST concern related to the organization’s ability to continue operations in case of a disaster?

Options:

A.

There is no evidence that disaster recovery plan (DRP) testing was performed after the migration.

B.

Only business-critical servers were configured with redundancy services on the cloud service provider.

C.

The previous infrastructure was not retained to support business operations in case of a disaster.

D.

The step-by-step recovery process was not updated in the disaster recovery plan (DRP) after the migration.

Question 123

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

Imported data is not disposed of frequently.

B.

The transfer protocol is not encrypted.

C.

The transfer protocol does not require authentication.

D.

The quality of the data is not monitored.

Question 124

Which of the following is MOST helpful for evaluating benefits realized by IT projects?

Options:

A.

Benchmarking IT project management practices with industry peers

B.

Evaluating compliance with key security controls

C.

Comparing planned versus actual return on investment (ROI)

D.

Reviewing system development life cycle (SDLC) processes

Question 125

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

Options:

A.

Log feeds are uploaded via batch process.

B.

Completeness testing has not been performed on the log data.

C.

The log data is not normalized.

D.

Data encryption standards have not been considered.

Question 126

Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Options:

A.

Requirements may become unreasonable.

B.

Local regulations may contradict the policy.

C.

The policy may conflict with existing application requirements.

D.

Local management may not accept the policy.

Question 127

Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?

Options:

A.

A system interface tracking program is not enabled.

B.

The data has not been encrypted.

C.

Data is intercepted while in transit between systems.

D.

The data from the originating system differs from the downloaded data.

Question 128

Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?

Options:

A.

Log file size has grown year over year.

B.

Critical events are being logged to immutable log files.

C.

Applications are logging events into multiple log files.

D.

Data formats have not been standardized across all logs.

Question 129

An IS auditor reviewing an organization’s IT systems finds that the organization frequently purchases systems that are incompatible with the technologies already in the organization. Which of the following is the MOST likely reason?

Options:

A.

Ineffective risk management policy

B.

Lack of enterprise architecture (EA)

C.

Lack of a maturity model

D.

Outdated enterprise resource planning (ERP) system

Question 130

Who is accountable for an organization's enterprise risk management (ERM) program?

Options:

A.

Board of directors

B.

Steering committee

C.

Chief risk officer (CRO)

D.

Executive management

Question 131

Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?

Options:

A.

Data privacy must be managed in accordance with the regulations applicable to the organization.

B.

Data privacy must be monitored in accordance with industry standards and best practices.

C.

No personal information may be transferred to the service provider without notifying the customer.

D.

Customer data transferred to the service provider must be reported to the regulatory authority.

Question 132

An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee.

Which type of control has been added?

Options:

A.

Corrective

B.

Compensating

C.

Preventive

D.

Detective

Question 133

Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP> tool?

Options:

A.

The tool is implemented in monitor mode rather than block mode.

B.

Crawlers are used to discover sensitive data.

C.

Deep packet inspection opens data packets in transit.

D.

Encryption keys are not centrally managed.

Question 134

Which of the following responsibilities associated with a disaster recovery plan (DRP) can be outsourced to a Disaster Recovery as a Service (DRaaS) provider?

Options:

A.

System recovery procedures

B.

Stakeholder communications during a disaster

C.

Validation of recovered data

D.

Processes for maintaining currency of data

Question 135

Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?

Options:

A.

Cloud computing

B.

Robotic process automation (RPA)

C.

Internet of Things (IoT)

D.

Machine learning algorithms

Question 136

Which of the following BEST ensures that effective change management is in place in an IS environment?

Options:

A.

User authorization procedures for application access are well established.

B.

User-prepared detailed test criteria for acceptance testing of the software.

C.

Adequate testing was carried out by the development team.

D.

Access to production source and object programs is well controlled.

Question 137

Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?

Options:

A.

Confirm that the encryption standard applied to the interface is in line with best practice.

B.

Inspect interface configurations and an example output of the systems.

C.

Perform data reconciliation between the two systems for a sample of 25 days.

D.

Conduct code review for both systems and inspect design documentation.

Question 138

Which of the following should be the PRIMARY concern for the it department head when implementing operational log management?

Options:

A.

Diversity of log formats generated by different IT resources

B.

Retention and storage issues due to log volume

C.

Resistance by operational users

D.

Impact on performance of IT resources

Question 139

Which of the following is the MOST important success factor for implementing a data loss prevention (DLP) tool?

Options:

A.

Implementing the tool in monitor mode to avoid unnecessary blocking of communication

B.

Defining and configuring policies and tool rule sets to monitor sensitive data movement

C.

Testing the tool in a test environment before moving to the production environment

D.

Assigning responsibilities for maintaining the tool to applicable data owners and stakeholders

Question 140

An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?

Options:

A.

Disable operational logging to enhance the processing speed and save storage.

B.

Adopt a service delivery model based on insights from peer organizations.

C.

Delegate business decisions to the chief risk officer (CRO).

D.

Eliminate certain reports and key performance indicators (KPIs)

Question 141

During which process is regression testing MOST commonly used?

Options:

A.

System modification

B.

Unit testing

C.

Stress testing

D.

Program development

Question 142

When designing a data analytics process, which of the following should be the stakeholder's role in automating data extraction and validation?

Options:

A.

Indicating which data elements are necessary to make informed decisions

B.

Allocating the resources necessary to purchase the appropriate software packages

C.

Performing the business case analysis for the data analytics initiative

D.

Designing the workflow necessary for the data analytics tool to evaluate the appropriate data

Question 143

An internal audit department recently established a quality assurance (QA) program. Which of the following activities Is MOST important to include as part of the QA program requirements?

Options:

A.

Long-term Internal audit resource planning

B.

Ongoing monitoring of the audit activities

C.

Analysis of user satisfaction reports from business lines

D.

Feedback from Internal audit staff

Question 144

An organization is planning an acquisition and has engaged an IS auditor lo evaluate the IT governance framework of the target company. Which of the following would be MOST helpful In determining the effectiveness of the framework?

Options:

A.

Sell-assessment reports of IT capability and maturity

B.

IT performance benchmarking reports with competitors

C.

Recent third-party IS audit reports

D.

Current and previous internal IS audit reports

Question 145

Which of the following controls BEST ensures appropriate segregation of dudes within an accounts payable department?

Options:

A.

Ensuring that audit trails exist for transactions

B.

Restricting access to update programs to accounts payable staff only

C.

Including the creator's user ID as a field in every transaction record created

D.

Restricting program functionality according to user security profiles

Question 146

Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?

Options:

A.

Reviewing the parameter settings

B.

Reviewing the system log

C.

Interviewing the firewall administrator

D.

Reviewing the actual procedures

Question 147

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS audit has been asked to conduct a control assessment. the auditor's BEST course of action would be to determine if:

Options:

A.

the patches were updated.

B.

The logs were monitored.

C.

The network traffic was being monitored.

D.

The domain controller was classified for high availability.

Question 148

An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Options:

A.

An imaging process was used to obtain a copy of the data from each computer.

B.

The legal department has not been engaged.

C.

The chain of custody has not been documented.

D.

Audit was only involved during extraction of the Information

Question 149

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Question 150

Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?

Options:

A.

Ensure that the facts presented in the report are correct

B.

Communicate the recommendations lo senior management

C.

Specify implementation dates for the recommendations.

D.

Request input in determining corrective action.

Question 151

A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed Which of the following is the MOST important requirement to include In the vendor contract to ensure continuity?

Options:

A.

Continuous 24/7 support must be available.

B.

The vendor must have a documented disaster recovery plan (DRP) in place.

C.

Source code for the software must be placed in escrow.

D.

The vendor must train the organization's staff to manage the new software

Question 152

Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?

Options:

A.

Logs are being collected in a separate protected host

B.

Automated alerts are being sent when a risk is detected

C.

Insider attacks are being controlled

D.

Access to configuration files Is restricted.

Question 153

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

Options:

A.

Ensure compliance with the data classification policy.

B.

Protect the plan from unauthorized alteration.

C.

Comply with business continuity best practice.

D.

Reduce the risk of data leakage that could lead to an attack.

Question 154

What is the Most critical finding when reviewing an organization’s information security management?

Options:

A.

No dedicated security officer

B.

No official charier for the information security management system

C.

No periodic assessments to identify threats and vulnerabilities

D.

No employee awareness training and education program

Question 155

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure In the affected country. Which of the following would be MOST helpful in making this assessment?

Options:

A.

Developing an inventory of all business entities that exchange personal data with the affected jurisdiction

B.

Identifying data security threats in the affected jurisdiction

C.

Reviewing data classification procedures associated with the affected jurisdiction

D.

Identifying business processes associated with personal data exchange with the affected jurisdiction

Question 156

Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?

Options:

A.

Statement of work (SOW)

B.

Nondisclosure agreement (NDA)

C.

Service level agreement (SLA)

D.

Privacy agreement

Question 157

For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:

Options:

A.

attributes for system passwords.

B.

security training prior to implementation.

C.

security requirements for the new application.

D.

the firewall configuration for the web server.

Question 158

Which of the following provides the MOST assurance over the completeness and accuracy ol loan application processing with respect to the implementation of a new system?

Options:

A.

Comparing code between old and new systems

B.

Running historical transactions through the new system

C.

Reviewing quality assurance (QA) procedures

D.

Loading balance and transaction data to the new system

Question 159

During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months Which of the following is the BEST course of action?

Options:

A.

Require documentation that the finding will be addressed within the new system

B.

Schedule a meeting to discuss the issue with senior management

C.

Perform an ad hoc audit to determine if the vulnerability has been exploited

D.

Recommend the finding be resolved prior to implementing the new system

Question 160

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Evaluate the appropriateness of the remedial action taken.

B.

Conduct a risk analysis incorporating the change.

C.

Report results of the follow-up to the audit committee.

D.

Inform senior management of the change in approach.

Question 161

A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?

Options:

A.

Data migration is not part of the contracted activities.

B.

The replacement is occurring near year-end reporting

C.

The user department will manage access rights.

D.

Testing was performed by the third-party consultant

Question 162

To develop meaningful recommendations 'or findings, which of the following is MOST important 'or an IS auditor to determine and understand?

Options:

A.

Root cause

B.

Responsible party

C.

impact

D.

Criteria

Question 163

Which of the following is the MOST important activity in the data classification process?

Options:

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Question 164

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?

Options:

A.

Number of successful penetration tests

B.

Percentage of protected business applications

C.

Financial impact per security event

D.

Number of security vulnerability patches

Question 165

Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?

Options:

A.

Requirements may become unreasonable.

B.

The policy may conflict with existing application requirements.

C.

Local regulations may contradict the policy.

D.

Local management may not accept the policy.

Question 166

In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?

Options:

A.

Configure data quality alerts to check variances between the data warehouse and the source system

B.

Require approval for changes in the extract/Transfer/load (ETL) process between the two systems

C.

Include the data warehouse in the impact analysis (or any changes m the source system

D.

Restrict access to changes in the extract/transfer/load (ETL) process between the two systems

Question 167

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

Options:

A.

Available resources for the activities included in the action plan

B.

A management response in the final report with a committed implementation date

C.

A heal map with the gaps and recommendations displayed in terms of risk

D.

Supporting evidence for the gaps and recommendations mentioned in the audit report

Question 168

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Options:

A.

Data with customer personal information

B.

Data reported to the regulatory body

C.

Data supporting financial statements

D.

Data impacting business objectives

Question 169

Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?

Options:

A.

Reviewing vacation patterns

B.

Reviewing user activity logs

C.

Interviewing senior IT management

D.

Mapping IT processes to roles

Question 170

Providing security certification for a new system should include which of the following prior to the system's implementation?

Options:

A.

End-user authorization to use the system in production

B.

External audit sign-off on financial controls

C.

Testing of the system within the production environment

D.

An evaluation of the configuration management practices

Question 171

An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?

Options:

A.

Training was not provided to the department that handles intellectual property and patents

B.

Logging and monitoring for content filtering is not enabled.

C.

Employees can share files with users outside the company through collaboration tools.

D.

The collaboration tool is hosted and can only be accessed via an Internet browser

Question 172

Which of the following is the BEST source of information tor an IS auditor to use when determining whether an organization's information security policy is adequate?

Options:

A.

Information security program plans

B.

Penetration test results

C.

Risk assessment results

D.

Industry benchmarks

Question 173

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

Options:

A.

Audit charter

B.

IT steering committee

C.

Information security policy

D.

Audit best practices

Question 174

The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

Options:

A.

risk management review

B.

control self-assessment (CSA).

C.

service level agreement (SLA).

D.

balanced scorecard.

Question 175

UESTION NO: 210

An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?

Options:

A.

There Is a reconciliation process between the spreadsheet and the finance system

B.

A separate copy of the spreadsheet is routinely backed up

C.

The spreadsheet is locked down to avoid inadvertent changes

D.

Access to the spreadsheet is given only to those who require access

Question 176

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Options:

A.

reflect current practices.

B.

include new systems and corresponding process changes.

C.

incorporate changes to relevant laws.

D.

be subject to adequate quality assurance (QA).

Question 177

Which of the following activities would allow an IS auditor to maintain independence while facilitating a control sell-assessment (CSA)?

Options:

A.

Implementing the remediation plan

B.

Partially completing the CSA

C.

Developing the remediation plan

D.

Developing the CSA questionnaire

Question 178

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Question 179

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

Options:

A.

Use automatic document classification based on content.

B.

Have IT security staff conduct targeted training for data owners.

C.

Publish the data classification policy on the corporate web portal.

D.

Conduct awareness presentations and seminars for information classification policies.

Question 180

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

Options:

A.

the access control system's log settings.

B.

how the latest system changes were implemented.

C.

the access control system's configuration.

D.

the access rights that have been granted.

Question 181

Which of the following is the MAIN purpose of an information security management system?

Options:

A.

To identify and eliminate the root causes of information security incidents

B.

To enhance the impact of reports used to monitor information security incidents

C.

To keep information security policies and procedures up-to-date

D.

To reduce the frequency and impact of information security incidents

Question 182

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

Options:

A.

Users are not required to sign updated acceptable use agreements.

B.

Users have not been trained on the new system.

C.

The business continuity plan (BCP) was not updated.

D.

Mobile devices are not encrypted.

Question 183

An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:

Options:

A.

violation reports may not be reviewed in a timely manner.

B.

a significant number of false positive violations may be reported.

C.

violations may not be categorized according to the organization's risk profile.

D.

violation reports may not be retained according to the organization's risk profile.

Question 184

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

Options:

A.

The organization's security policy

B.

The number of remote nodes

C.

The firewalls' default settings

D.

The physical location of the firewalls

Question 185

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

Options:

A.

Historical privacy breaches and related root causes

B.

Globally accepted privacy best practices

C.

Local privacy standards and regulations

D.

Benchmark studies of similar organizations

Question 186

An IS audit learn is evaluating the documentation related to the most recent application user-access review performed by IT and business management It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?

Options:

A.

Availability of the user list reviewed

B.

Confidentiality of the user list reviewed

C.

Source of the user list reviewed

D.

Completeness of the user list reviewed

Question 187

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the protect audit?

Options:

A.

Compare the agile process with previous methodology.

B.

Identify and assess existing agile process control

C.

Understand the specific agile methodology that will be followed.

D.

Interview business process owners to compile a list of business requirements

Question 188

When auditing the alignment of IT to the business strategy, it is MOST Important for the IS auditor to:

Options:

A.

compare the organization's strategic plan against industry best practice.

B.

interview senior managers for their opinion of the IT function.

C.

ensure an IT steering committee is appointed to monitor new IT projects.

D.

evaluate deliverables of new IT initiatives against planned business services.

Question 189

Which of the following MUST be completed as part of the annual audit planning process?

Options:

A.

Business impact analysis (BIA)

B.

Fieldwork

C.

Risk assessment

D.

Risk control matrix

Question 190

In a RAO model, which of the following roles must be assigned to only one individual?

Options:

A.

Responsible

B.

Informed

C.

Consulted

D.

Accountable

Question 191

Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

Options:

A.

Legal and compliance requirements

B.

Customer agreements

C.

Data classification

D.

Organizational policies and procedures

Question 192

During an exit interview, senior management disagrees with some of me facts presented m the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?

Options:

A.

Revise the assessment based on senior management's objections.

B.

Escalate the issue to audit management.

C.

Finalize the draft audit report without changes.

D.

Gather evidence to analyze senior management's objections

Question 193

In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?

Options:

A.

Reviewing the last compile date of production programs

B.

Manually comparing code in production programs to controlled copies

C.

Periodically running and reviewing test data against production programs

D.

Verifying user management approval of modifications

Question 194

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment Is the software version MOST likely to be the same as production?

Options:

A.

Staging

B.

Testing

C.

Integration

D.

Development

Question 195

Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?

Options:

A.

Require written authorization for all payment transactions

B.

Restrict payment authorization to senior staff members.

C.

Reconcile payment transactions with invoices.

D.

Review payment transaction history

Question 196

Which of the following Is the BEST way to ensure payment transaction data is restricted to the appropriate users?

Options:

A.

Implementing two-factor authentication

B.

Restricting access to transactions using network security software

C.

implementing role-based access at the application level

D.

Using a single menu tor sensitive application transactions

Question 197

An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?

Options:

A.

Attack vectors are evolving for industrial control systems.

B.

There is a greater risk of system exploitation.

C.

Disaster recovery plans (DRPs) are not in place.

D.

Technical specifications are not documented.

Question 198

Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

Options:

A.

Human resources (HR) sourcing strategy

B.

Records of actual time spent on projects

C.

Peer organization staffing benchmarks

D.

Budgeted forecast for the next financial year

Question 199

Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simu-lation test administered for staff members?

Options:

A.

Staff members who failed the test did not receive follow-up education

B.

Test results were not communicated to staff members.

C.

Staff members were not notified about the test beforehand.

D.

Security awareness training was not provided prior to the test.

Question 200

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization's systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

Question 201

An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?

Options:

A.

Conduct security awareness training.

B.

Implement an acceptable use policy

C.

Create inventory records of personal devices

D.

Configure users on the mobile device management (MDM) solution

Question 202

An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?

Options:

A.

There are conflicting permit and deny rules for the IT group.

B.

The network security group can change network address translation (NAT).

C.

Individual permissions are overriding group permissions.

D.

There is only one rule per group with access privileges.

Question 203

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Question 204

What is the MAIN reason to use incremental backups?

Options:

A.

To improve key availability metrics

B.

To reduce costs associates with backups

C.

To increase backup resiliency and redundancy

D.

To minimize the backup time and resources

Question 205

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Options:

A.

Data availability

B.

Data confidentiality

C.

Data integrity

D.

Data redundancy

Question 206

Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (lDS)?

Options:

A.

An increase in the number of identified false positives

B.

An increase in the number of detected Incidents not previously identified

C.

An increase in the number of unfamiliar sources of intruders

D.

An increase in the number of internally reported critical incidents

Question 207

Which of the following is the BEST reason for an organization to use clustering?

Options:

A.

To decrease system response time

B.

To Improve the recovery lime objective (RTO)

C.

To facilitate faster backups

D.

To improve system resiliency

Question 208

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

Question 209

After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

Options:

A.

Verifying that access privileges have been reviewed

B.

investigating access rights for expiration dates

C.

Updating the continuity plan for critical resources

D.

Updating the security policy

Question 210

Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm tor potential software vulnerabilities?

Options:

A.

Guest operating systems are updated monthly

B.

The hypervisor is updated quarterly.

C.

A variety of guest operating systems operate on one virtual server

D.

Antivirus software has been implemented on the guest operating system only.

Question 211

An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

Options:

A.

well understood by all employees.

B.

based on industry standards.

C.

developed by process owners.

D.

updated frequently.

Question 212

Upon completion of audit work, an IS auditor should:

Options:

A.

provide a report to senior management prior to discussion with the auditee.

B.

distribute a summary of general findings to the members of the auditing team.

C.

provide a report to the auditee stating the initial findings.

D.

review the working papers with the auditee.

Question 213

Capacity management enables organizations to:

Options:

A.

forecast technology trends

B.

establish the capacity of network communication links

C.

identify the extent to which components need to be upgraded

D.

determine business transaction volumes.

Question 214

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Options:

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

Question 215

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

Options:

A.

Ensure that paper documents arc disposed security.

B.

Implement an intrusion detection system (IDS).

C.

Verify that application logs capture any changes made.

D.

Validate that all data files contain digital watermarks

Question 216

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

A.

Risk avoidance

B.

Risk transfer

C.

Risk acceptance

D.

Risk reduction

Question 217

Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?

Options:

A.

IT steering committee minutes

B.

Business objectives

C.

Alignment with the IT tactical plan

D.

Compliance with industry best practice

Question 218

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?

Options:

A.

Leverage the work performed by external audit for the internal audit testing.

B.

Ensure both the internal and external auditors perform the work simultaneously.

C.

Request that the external audit team leverage the internal audit work.

D.

Roll forward the general controls audit to the subsequent audit year.

Question 219

Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?

Options:

A.

Change management

B.

Problem management

C.

incident management

D.

Configuration management

Question 220

Which of the following is the BEST control lo mitigate attacks that redirect Internet traffic to an unauthorized website?

Options:

A.

Utilize a network-based firewall.

B.

Conduct regular user security awareness training.

C.

Perform domain name system (DNS) server security hardening.

D.

Enforce a strong password policy meeting complexity requirement.

Question 221

Which of the following backup schemes is the BEST option when storage media is limited?

Options:

A.

Real-time backup

B.

Virtual backup

C.

Differential backup

D.

Full backup

Question 222

An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which at the following is the BEST recommendation?

Options:

A.

Implement key performance indicators (KPIs)

B.

Implement annual third-party audits.

C.

Benchmark organizational performance against industry peers.

D.

Require executive management to draft IT strategy

Question 223

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

Options:

A.

Perimeter firewall

B.

Data loss prevention (DLP) system

C.

Web application firewall

D.

Network segmentation

Question 224

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Question 225

Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster''

Options:

A.

Use an electronic vault for incremental backups

B.

Deploy a fully automated backup maintenance system.

C.

Periodically test backups stored in a remote location

D.

Use both tape and disk backup systems

Question 226

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.

Using smart cards with one-time passwords

B.

Periodically reviewing log files

C.

Configuring the router as a firewall

D.

Installing biometrics-based authentication

Question 227

Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?

Options:

A.

Media recycling policy

B.

Media sanitization policy

C.

Media labeling policy

D.

Media shredding policy

Question 228

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Question 229

What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?

Options:

A.

To address the overall risk associated with the activity under review

B.

To identify areas with relatively high probability of material problems

C.

To help ensure maximum use of audit resources during the engagement

D.

To help prioritize and schedule auditee meetings

Question 230

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Options:

A.

Program coding standards have been followed

B.

Acceptance test criteria have been developed

C.

Data conversion procedures have been established.

D.

The design has been approved by senior management.

Question 231

Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?

Options:

A.

Review of program documentation

B.

Use of test transactions

C.

Interviews with knowledgeable users

D.

Review of source code

Question 232

An audit has identified that business units have purchased cloud-based applications without IPs support. What is the GREATEST risk associated with this situation?

Options:

A.

The applications are not included in business continuity plans (BCFs)

B.

The applications may not reasonably protect data.

C.

The application purchases did not follow procurement policy.

D.

The applications could be modified without advanced notice.

Question 233

A review of an organization’s IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement.

Options:

A.

A formal request for proposal (RFP) process

B.

Business case development procedures

C.

An information asset acquisition policy

D.

Asset life cycle management.

Question 234

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

Options:

A.

The BCP's contact information needs to be updated

B.

The BCP is not version controlled.

C.

The BCP has not been approved by senior management.

D.

The BCP has not been tested since it was first issued.

Question 235

During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date When assessing the seventy of this finding, which mitigating factor would MOST significantly minimize the associated impact?

Options:

A.

There are documented compensating controls over the business processes.

B.

The risk acceptances were previously reviewed and approved by appropriate senior management

C.

The business environment has not significantly changed since the risk acceptances were approved.

D.

The risk acceptances with issues reflect a small percentage of the total population

Question 236

Which of the following features of a library control software package would protect against unauthorized updating of source code?

Options:

A.

Required approvals at each life cycle step

B.

Date and time stamping of source and object code

C.

Access controls for source libraries

D.

Release-to-release comparison of source code

Question 237

Which of the following is the BEST evidence that an organization's IT strategy is aligned lo its business objectives?

Options:

A.

The IT strategy is modified in response to organizational change.

B.

The IT strategy is approved by executive management.

C.

The IT strategy is based on IT operational best practices.

D.

The IT strategy has significant impact on the business strategy

Question 238

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

C.

Server crashes

D.

Penetration testing

Question 239

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Options:

A.

Review a report of security rights in the system.

B.

Observe the performance of business processes.

C.

Develop a process to identify authorization conflicts.

D.

Examine recent system access rights violations.

Question 240

A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items lo the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?

Options:

A.

Separate authorization for input of transactions

B.

Statistical sampling of adjustment transactions

C.

Unscheduled audits of lost stock lines

D.

An edit check for the validity of the inventory transaction

Question 241

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

Options:

A.

Perform a business impact analysis (BIA).

B.

Determine which databases will be in scope.

C.

Identify the most critical database controls.

D.

Evaluate the types of databases being used

Question 242

When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if.

Options:

A.

each information asset is to a assigned to a different classification.

B.

the security criteria are clearly documented for each classification

C.

Senior IT managers are identified as information owner.

D.

the information owner is required to approve access to the asset

Question 243

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Question 244

Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?

Options:

A.

SIEM reporting is customized.

B.

SIEM configuration is reviewed annually

C.

The SIEM is decentralized.

D.

SIEM reporting is ad hoc.

Question 245

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

Question 246

Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?

Options:

A.

Disposal policies and procedures are not consistently implemented

B.

Evidence is not available to verify printer hard drives have been sanitized prior to disposal.

C.

Business units are allowed to dispose printers directly to

D.

Inoperable printers are stored in an unsecured area.

Question 247

The PRIMARY role of a control self-assessment (CSA) facilitator is to:

Options:

A.

conduct interviews to gain background information.

B.

focus the team on internal controls.

C.

report on the internal control weaknesses.

D.

provide solutions for control weaknesses.

Question 248

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Options:

A.

Project management

B.

Risk assessment results

C.

IT governance framework

D.

Portfolio management

Question 249

Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?

Options:

A.

Prepare detailed plans for each business function.

B.

Involve staff at all levels in periodic paper walk-through exercises.

C.

Regularly update business impact assessments.

D.

Make senior managers responsible for their plan sections.

Question 250

Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Developing procedures to monitor the use of personal data

C.

Defining roles within the organization related to privacy

D.

Designing controls to protect personal data

Question 251

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

Options:

A.

Cost of projects divided by total IT cost

B.

Expected return divided by total project cost

C.

Net present value (NPV) of the portfolio

D.

Total cost of each project

Question 252

What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?

Options:

A.

Perform background verification checks.

B.

Review third-party audit reports.

C.

Implement change management review.

D.

Conduct a privacy impact analysis.

Question 253

A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?

Options:

A.

The survey results were not presented in detail lo management.

B.

The survey questions did not address the scope of the business case.

C.

The survey form template did not allow additional feedback to be provided.

D.

The survey was issued to employees a month after implementation.

Question 254

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Options:

A.

Abuses by employees have not been reported.

B.

Lessons learned have not been properly documented

C.

vulnerabilities have not been properly addressed

D.

Security incident policies are out of date.

Question 255

Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?

Options:

A.

Limit check

B.

Parity check

C.

Reasonableness check

D.

Validity check

Question 256

If enabled within firewall rules, which of the following services would present the GREATEST risk?

Options:

A.

Simple mail transfer protocol (SMTP)

B.

Simple object access protocol (SOAP)

C.

Hypertext transfer protocol (HTTP)

D.

File transfer protocol (FTP)

Question 257

An IS auditor is reviewing logical access controls for an organization's financial business application Which of the following findings should be of GREATEST concern to the auditor?

Options:

A.

Users are not required to change their passwords on a regular basis

B.

Management does not review application user activity logs

C.

User accounts are shared between users

D.

Password length is set to eight characters

Question 258

Which of the following is MOST critical for the effective implementation of IT governance?

Options:

A.

Strong risk management practices

B.

Internal auditor commitment

C.

Supportive corporate culture

D.

Documented policies

Question 259

During audit framework. an IS auditor teams that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?

Options:

A.

Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data.

B.

Review compliance with data loss and applicable mobile device user acceptance policies.

C.

Verify the data loss prevention (DLP) tool is properly configured by the organization.

D.

Verify employees have received appropriate mobile device security awareness training.

Question 260

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Options:

A.

Have an independent party review the source calculations

B.

Execute copies of EUC programs out of a secure library

C.

implement complex password controls

D.

Verify EUC results through manual calculations

Question 261

The PRIMARY benefit of information asset classification is that it:

Options:

A.

prevents loss of assets.

B.

helps to align organizational objectives.

C.

facilitates budgeting accuracy.

D.

enables risk management decisions.

Question 262

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

Options:

A.

use a proxy server to filter out Internet sites that should not be accessed.

B.

keep a manual log of Internet access.

C.

monitor remote access activities.

D.

include a statement in its security policy about Internet use.

Question 263

An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business The auditor's PRIMARY concern would be:

Options:

A.

failure to maximize the use of equipment

B.

unanticipated increase in business s capacity needs.

C.

cost of excessive data center storage capacity

D.

impact to future business project funding.

Question 264

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system. It is MOST effective for an IS auditor to review;

Options:

A.

data analytics findings.

B.

audit trails

C.

acceptance lasting results

D.

rollback plans

Question 265

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

Question 266

Which of the following is MOST important when implementing a data classification program?

Options:

A.

Understanding the data classification levels

B.

Formalizing data ownership

C.

Developing a privacy policy

D.

Planning for secure storage capacity

Question 267

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

Options:

A.

Unit testing

B.

Pilot testing

C.

System testing

D.

Integration testing

Question 268

Which of the following is the BEST reason to implement a data retention policy?

Options:

A.

To limit the liability associated with storing and protecting information

B.

To document business objectives for processing data within the organization

C.

To assign responsibility and ownership for data protection outside IT

D.

To establish a recovery point detective (RPO) for (toaster recovery procedures

Question 269

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

Options:

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

Question 270

An IS auditor reviewing the threat assessment tor a data center would be MOST concerned if:

Options:

A.

some of the identified throats are unlikely to occur.

B.

all identified throats relate to external entities.

C.

the exercise was completed by local management.

D.

neighboring organizations operations have been included.

Question 271

Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?

Options:

A.

Role-based access control policies

B.

Types of data that can be uploaded to the platform

C.

Processes for on-boarding and off-boarding users to the platform

D.

Processes for reviewing administrator activity

Question 272

During an exit meeting, an IS auditor highlights that backup cycles

are being missed due to operator error and that these exceptions

are not being managed. Which of the following is the BEST way to

help management understand the associated risk?

Options:

A.

Explain the impact to disaster recovery.

B.

Explain the impact to resource requirements.

C.

Explain the impact to incident management.

D.

Explain the impact to backup scheduling.

Question 273

An organization allows its employees lo use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Options:

A.

Installing security software on the devices

B.

Partitioning the work environment from personal space on devices

C.

Preventing users from adding applications

D.

Restricting the use of devices for personal purposes during working hours

Question 274

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported the auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system's outdated version

B.

Close all unused ports on the outdated software system.

C.

Segregate the outdated software system from the main network.

D.

Monitor network traffic attempting to reach the outdated software system.

Question 275

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Options:

A.

Sampling risk

B.

Detection risk

C.

Control risk

D.

Inherent risk

Question 276

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Options:

A.

Inability to utilize the site when required

B.

Inability to test the recovery plans onsite

C.

Equipment compatibility issues at the site

D.

Mismatched organizational security policies

Question 277

Which of the following is MOST important for an IS auditor to look

for in a project feasibility study?

Options:

A.

An assessment of whether requirements will be fully met

B.

An assessment indicating security controls will operateeffectively

C.

An assessment of whether the expected benefits can beachieved

D.

An assessment indicating the benefits will exceed the implement

Question 278

Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?

Options:

A.

Monitor and restrict vendor activities

B.

Issues an access card to the vendor.

C.

Conceal data devices and information labels

D.

Restrict use of portable and wireless devices.

Question 279

An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

Options:

A.

reclassify the data to a lower level of confidentiality

B.

require the business owner to conduct regular access reviews.

C.

implement a strong password schema for users.

D.

recommend corrective actions to be taken by the security administrator.

Question 280

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Options:

A.

Notify law enforcement of the finding.

B.

Require the third party to notify customers.

C.

The audit report with a significant finding.

D.

Notify audit management of the finding.

Question 281

An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?

Options:

A.

Service level agreement (SLA)

B.

Hardware change management policy

C.

Vendor memo indicating problem correction

D.

An up-to-date RACI chart

Question 282

Which of the following provides the BEST providence that outsourced provider services are being properly managed?

Options:

A.

The service level agreement (SLA) includes penalties for non-performance.

B.

Adequate action is taken for noncompliance with the service level agreement (SLA).

C.

The vendor provides historical data to demonstrate its performance.

D.

Internal performance standards align with corporate strategy.

Question 283

An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

Options:

A.

Increasing the frequency of risk-based IS audits for each business entity

B.

Developing a risk-based plan considering each entity's business processes

C.

Conducting an audit of newly introduced IT policies and procedures

D.

Revising IS audit plans to focus on IT changes introduced after the split

Question 284

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?

Options:

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Question 285

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Question 286

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?

Options:

A.

Risk identification

B.

Risk classification

C.

Control self-assessment (CSA)

D.

Impact assessment

Question 287

A proper audit trail of changes to server start-up procedures would include evidence of:

Options:

A.

subsystem structure.

B.

program execution.

C.

security control options.

D.

operator overrides.

Question 288

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Options:

A.

Background checks

B.

User awareness training

C.

Transaction log review

D.

Mandatory holidays

Question 289

Which of the following is MOST important with regard to an application development acceptance test?

Options:

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Question 290

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Options:

A.

Annual sign-off of acceptable use policy

B.

Regular monitoring of user access logs

C.

Security awareness training

D.

Formalized disciplinary action

Question 291

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Options:

A.

Ensure corrected program code is compiled in a dedicated server.

B.

Ensure change management reports are independently reviewed.

C.

Ensure programmers cannot access code after the completion of program edits.

D.

Ensure the business signs off on end-to-end user acceptance test (UAT) results.

Question 292

What is MOST important to verify during an external assessment of network vulnerability?

Options:

A.

Update of security information event management (SIEM) rules

B.

Regular review of the network security policy

C.

Completeness of network asset inventory

D.

Location of intrusion detection systems (IDS)

Question 293

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Options:

A.

Percentage of new hires that have completed the training.

B.

Number of new hires who have violated enterprise security policies.

C.

Number of reported incidents by new hires.

D.

Percentage of new hires who report incidents

Question 294

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:

Options:

A.

note the noncompliance in the audit working papers.

B.

issue an audit memorandum identifying the noncompliance.

C.

include the noncompliance in the audit report.

D.

determine why the procedures were not followed.

Question 295

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Options:

A.

The process does not require specifying the physical locations of assets.

B.

Process ownership has not been established.

C.

The process does not include asset review.

D.

Identification of asset value is not included in the process.

Question 296

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Options:

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

Question 297

During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?

Options:

A.

Notify the chair of the audit committee.

B.

Notify the audit manager.

C.

Retest the control.

D.

Close the audit finding.

Question 298

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?

Options:

A.

Identifying relevant roles for an enterprise IT governance framework

B.

Making decisions regarding risk response and monitoring of residual risk

C.

Verifying that legal, regulatory, and contractual requirements are being met

D.

Providing independent and objective feedback to facilitate improvement of IT processes

Question 299

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?

Options:

A.

The policy includes a strong risk-based approach.

B.

The retention period allows for review during the year-end audit.

C.

The total transaction amount has no impact on financial reporting.

D.

The retention period complies with data owner responsibilities.

Question 300

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

D.

Full operational test

Question 301

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Options:

A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Question 302

The implementation of an IT governance framework requires that the board of directors of an organization:

Options:

A.

Address technical IT issues.

B.

Be informed of all IT initiatives.

C.

Have an IT strategy committee.

D.

Approve the IT strategy.

Question 303

Which of the following demonstrates the use of data analytics for a loan origination process?

Options:

A.

Evaluating whether loan records are included in the batch file and are validated by the servicing system

B.

Comparing a population of loans input in the origination system to loans booked on the servicing system

C.

Validating whether reconciliations between the two systems are performed and discrepancies are investigated

D.

Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure

Question 304

Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?

Options:

A.

Developing and communicating test procedure best practices to audit teams

B.

Developing and implementing an audit data repository

C.

Decentralizing procedures and Implementing periodic peer review

D.

Centralizing procedures and implementing change control

Question 305

An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Options:

A.

Segregation of duties between issuing purchase orders and making payments.

B.

Segregation of duties between receiving invoices and setting authorization limits

C.

Management review and approval of authorization tiers

D.

Management review and approval of purchase orders

Question 306

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Options:

A.

Invoking the disaster recovery plan (DRP)

B.

Backing up data frequently

C.

Paying the ransom

D.

Requiring password changes for administrative accounts

Question 307

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

Question 308

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

Options:

A.

Business interruption due to remediation

B.

IT budgeting constraints

C.

Availability of responsible IT personnel

D.

Risk rating of original findings

Question 309

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Options:

A.

Increase the capacity of existing systems.

B.

Upgrade hardware to newer technology.

C.

Hire temporary contract workers for the IT function.

D.

Build a virtual environment.

Question 310

To confirm integrity for a hashed message, the receiver should use:

Options:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Question 311

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Options:

A.

Compliance with action plans resulting from recent audits

B.

Compliance with local laws and regulations

C.

Compliance with industry standards and best practice

D.

Compliance with the organization's policies and procedures

Question 312

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Options:

A.

firewall standards.

B.

configuration of the firewall

C.

firmware version of the firewall

D.

location of the firewall within the network

Question 313

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display the back of the project detail after the entry

Question 314

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Options:

A.

Audit cycle defined in the audit plan

B.

Complexity of management's action plans

C.

Recommendation from executive management

D.

Residual risk from the findings of previous audits

Question 315

An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Note the exception in a new report as the item was not addressed by management.

B.

Recommend alternative solutions to address the repeat finding.

C.

Conduct a risk assessment of the repeat finding.

D.

Interview management to determine why the finding was not addressed.

Question 316

An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

Options:

A.

Require employees to attend security awareness training.

B.

Password protect critical data files.

C.

Configure to auto-wipe after multiple failed access attempts.

D.

Enable device auto-lock function.

Question 317

An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?

Options:

A.

Double-posting of a single journal entry

B.

Inability to support new business transactions

C.

Unauthorized alteration of account attributes

D.

Inaccuracy of financial reporting

Question 318

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

Options:

A.

There is not a defined IT security policy.

B.

The business strategy meeting minutes are not distributed.

C.

IT is not engaged in business strategic planning.

D.

There is inadequate documentation of IT strategic planning.

Question 319

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

Options:

A.

Implement a new system that can be patched.

B.

Implement additional firewalls to protect the system.

C.

Decommission the server.

D.

Evaluate the associated risk.

Question 320

An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?

Options:

A.

Implement a process to actively monitor postings on social networking sites.

B.

Adjust budget for network usage to include social media usage.

C.

Use data loss prevention (DLP) tools on endpoints.

D.

implement policies addressing acceptable usage of social media during working hours.

Question 321

An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:

Options:

A.

incident management.

B.

quality assurance (QA).

C.

change management.

D.

project management.

Question 322

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Options:

A.

Review system and error logs to verify transaction accuracy.

B.

Review input and output control reports to verify the accuracy of the system decisions.

C.

Review signed approvals to ensure responsibilities for decisions of the system are well defined.

D.

Review system documentation to ensure completeness.

Question 323

Which of the following should be done FIRST when planning a penetration test?

Options:

A.

Execute nondisclosure agreements (NDAs).

B.

Determine reporting requirements for vulnerabilities.

C.

Define the testing scope.

D.

Obtain management consent for the testing.

Question 324

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

Options:

A.

To ensure that older versions are availability for reference

B.

To ensure that only the latest approved version of the application is used

C.

To ensure compatibility different versions of the application

D.

To ensure that only authorized users can access the application

Question 325

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Options:

A.

Limiting the size of file attachments being sent via email

B.

Automatically deleting emails older than one year

C.

Moving emails to a virtual email vault after 30 days

D.

Allowing employees to store large emails on flash drives

Question 326

A data breach has occurred due lo malware. Which of the following should be the FIRST course of action?

Options:

A.

Notify the cyber insurance company.

B.

Shut down the affected systems.

C.

Quarantine the impacted systems.

D.

Notify customers of the breach.

Question 327

Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?

Options:

A.

Blocking attachments in IM

B.

Blocking external IM traffic

C.

Allowing only corporate IM solutions

D.

Encrypting IM traffic

Question 328

An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

Options:

A.

Obtain error codes indicating failed data feeds.

B.

Appoint data quality champions across the organization.

C.

Purchase data cleansing tools from a reputable vendor.

D.

Implement business rules to reject invalid data.

Question 329

Which of the following is the BEST detective control for a job scheduling process involving data transmission?

Options:

A.

Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.

B.

Jobs are scheduled to be completed daily and data is transmitted using a Secure File Transfer Protocol (SFTP).

C.

Jobs are scheduled and a log of this activity is retained for subsequent review.

D.

Job failure alerts are automatically generated and routed to support personnel.

Question 330

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Options:

A.

Rollback strategy

B.

Test cases

C.

Post-implementation review objectives

D.

Business case

Question 331

An organizations audit charier PRIMARILY:

Options:

A.

describes the auditors' authority to conduct audits.

B.

defines the auditors' code of conduct.

C.

formally records the annual and quarterly audit plans.

D.

documents the audit process and reporting standards.

Question 332

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Options:

A.

Periodically reviewing log files

B.

Configuring the router as a firewall

C.

Using smart cards with one-time passwords

D.

Installing biometrics-based authentication

Question 333

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Question 334

What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?

Options:

A.

Full test results

B.

Completed test plans

C.

Updated inventory of systems

D.

Change management processes

Question 335

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Options:

A.

Key performance indicators (KPIs)

B.

Maximum allowable downtime (MAD)

C.

Recovery point objective (RPO)

D.

Mean time to restore (MTTR)

Question 336

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

Options:

A.

Align service level agreements (SLAs) with current needs.

B.

Monitor customer satisfaction with the change.

C.

Minimize costs related to the third-party agreement.

D.

Ensure right to audit is included within the contract.

Question 337

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

B.

Training plans

C.

Database conversion results

D.

Stress testing results

Question 338

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:

Options:

A.

communicate via Transport Layer Security (TLS),

B.

block authorized users from unauthorized activities.

C.

channel access only through the public-facing firewall.

D.

channel access through authentication.

Question 339

Secure code reviews as part of a continuous deployment program are which type of control?

Options:

A.

Detective

B.

Logical

C.

Preventive

D.

Corrective

Question 340

Which of the following is the PRIMARY concern when negotiating a contract for a hot site?

Options:

A.

Availability of the site in the event of multiple disaster declarations

B.

Coordination with the site staff in the event of multiple disaster declarations

C.

Reciprocal agreements with other organizations

D.

Complete testing of the recovery plan

Question 341

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Question 342

Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?

Options:

A.

Real-time audit software

B.

Performance data

C.

Quality assurance (QA) reviews

D.

Participative management techniques

Question 343

An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?

Options:

A.

Examine the computer to search for evidence supporting the suspicions.

B.

Advise management of the crime after the investigation.

C.

Contact the incident response team to conduct an investigation.

D.

Notify local law enforcement of the potential crime before further investigation.

Question 344

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Options:

A.

Purchasing guidelines and policies

B.

Implementation methodology

C.

Results of line processing

D.

Test results

Question 345

Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

Options:

A.

The system does not have a maintenance plan.

B.

The system contains several minor defects.

C.

The system deployment was delayed by three weeks.

D.

The system was over budget by 15%.

Question 346

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization s objectives?

Options:

A.

Assessment of the personnel training processes of the provider

B.

Adequacy of the service provider's insurance

C.

Review of performance against service level agreements (SLAs)

D.

Periodic audits of controls by an independent auditor

Question 347

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Options:

A.

Assuring the physical security of devices

B.

Preserving data integrity

C.

Maintaining chain of custody

D.

Determining tools to be used

Question 348

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

Options:

A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Question 349

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

Question 350

In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:

Options:

A.

hire another person to perform migration to production.

B.

implement continuous monitoring controls.

C.

remove production access from the developers.

D.

perform a user access review for the development team

Question 351

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

Options:

A.

re-prioritize the original issue as high risk and escalate to senior management.

B.

schedule a follow-up audit in the next audit cycle.

C.

postpone follow-up activities and escalate the alternative controls to senior audit management.

D.

determine whether the alternative controls sufficiently mitigate the risk.

Question 352

A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

Options:

A.

Include the requirement in the incident management response plan.

B.

Establish key performance indicators (KPIs) for timely identification of security incidents.

C.

Enhance the alert functionality of the intrusion detection system (IDS).

D.

Engage an external security incident response expert for incident handling.

Question 353

Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

Options:

A.

Encryption of the spreadsheet

B.

Version history

C.

Formulas within macros

D.

Reconciliation of key calculations

Question 354

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

Question 355

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Options:

A.

The exceptions are likely to continue indefinitely.

B.

The exceptions may result in noncompliance.

C.

The exceptions may elevate the level of operational risk.

D.

The exceptions may negatively impact process efficiency.

Question 356

What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

Options:

A.

Determine service level requirements.

B.

Complete a risk assessment.

C.

Perform a business impact analysis (BIA)

D.

Conduct a vendor audit.

Question 357

The BEST way to evaluate the effectiveness of a newly developed application is to:

Options:

A.

perform a post-implementation review-

B.

analyze load testing results.

C.

perform a secure code review.

D.

review acceptance testing results.

Question 358

The BEST way to provide assurance that a project is adhering to the project plan is to:

Options:

A.

require design reviews at appropriate points in the life cycle.

B.

have an IS auditor participate on the steering committee.

C.

have an IS auditor participate on the quality assurance (QA) team.

D.

conduct compliance audits at major system milestones.

Question 359

Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?

Options:

A.

Continuous auditing

B.

Manual checks

C.

Exception reporting

D.

Automated reconciliations

Question 360

Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?

Options:

A.

Requiring all users to encrypt documents before sending

B.

Installing firewalls on the corporate network

C.

Reporting all outgoing emails that are marked as confidential

D.

Monitoring all emails based on pre-defined criteria

Question 361

When reviewing an IT strategic plan, the GREATEST concern would be that

Options:

A.

an IT strategy committee has not been created

B.

the plan does not support relevant organizational goals.

C.

there are no key performance indicators (KPls).

D.

the plan was not formally approved by the board of directors

Question 362

Which of the following would BEST indicate the effectiveness of a security awareness training program?

Options:

A.

Results of third-party social engineering tests

B.

Employee satisfaction with training

C.

Increased number of employees completing training

D.

Reduced unintentional violations

Question 363

An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement. Which of the following is the auditor's BEST recommendation?

Options:

A.

Harden IT system and application components based on best practices.

B.

Incorporate a security information and event management (SIEM) system into incident response

C.

Implement a survey to determine future incident response training needs.

D.

Introduce problem management into incident response.

Question 364

Which type of risk would MOST influence the selection of a sampling methodology?

Options:

A.

Inherent

B.

Residual

C.

Control

D.

Detection

Question 365

A security administrator is called in the middle of the night by the on-call programmer A number of programs have failed, and the programmer has asked for access to the live system. What IS the BEST course of action?

Options:

A.

Require that a change request be completed and approved

B.

Give the programmer an emergency ID for temporary access and review the activity

C.

Give the programmer read-only access to investigate the problem

D.

Review activity logs the following day and investigate any suspicious activity

Question 366

Which of the following is the MOST important control for virtualized environments?

Options:

A.

Regular updates of policies for the operation of the virtualized environment

B.

Hardening for the hypervisor and guest machines

C.

Redundancy of hardware resources and network components

D.

Monitoring utilization of resources at the guest operating system level

Question 367

Which of the following biometric access controls has the HIGHEST rate of false negatives?

Options:

A.

Iris recognition

B.

Fingerprint scanning

C.

Face recognition

D.

Retina scanning

Question 368

An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

Options:

A.

a comparison of future needs against current capabilities.

B.

a risk-based ranking of projects.

C.

enterprise architecture (EA) impacts.

D.

IT budgets linked to the organization's budget.

Question 369

An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?

Options:

A.

Administrator passwords do not meet organizational security and complexity requirements.

B.

The number of support staff responsible for job scheduling has been reduced.

C.

The scheduling tool was not classified as business-critical by the IT department.

D.

Maintenance patches and the latest enhancement upgrades are missing.

Question 370

Which of the following should be done FIRST to minimize the risk of unstructured data?

Options:

A.

Identify repositories of unstructured data.

B.

Purchase tools to analyze unstructured data.

C.

Implement strong encryption for unstructured data.

D.

Implement user access controls to unstructured data.

Question 371

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

Options:

A.

The recovery plan does not contain the process and application dependencies.

B.

The duration of tabletop exercises is longer than the recovery point objective (RPO).

C.

The duration of tabletop exercises is longer than the recovery time objective (RTO).

D.

The recovery point objective (RPO) and recovery time objective (R TO) are not the same.

Question 372

An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives.

Which of the following is the BEST course of action to address this issue?

Options:

A.

Examine the workflow to identify gaps in asset-handling responsibilities.

B.

Escalate the finding to the asset owner for remediation.

C.

Recommend the drives be sent to the vendor for destruction.

D.

Evaluate the corporate asset-handling policy for potential gaps.

Question 373

An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance

metrics is the BEST indicator of service quality?

Options:

A.

The total number of users requesting help desk services

B.

The average call waiting time on each request

C.

The percent of issues resolved by the first contact

D.

The average turnaround time spent on each reported issue

Question 374

Which of the following is MOST important for the successful establishment of a security vulnerability management program?

Options:

A.

A robust tabletop exercise plan

B.

A comprehensive asset inventory

C.

A tested incident response plan

D.

An approved patching policy

Question 375

Which of the following should be the FIRST step in a data migration project?

Options:

A.

Reviewing decisions on how business processes should be conducted in the new system

B.

Completing data cleanup in the current database to eliminate inconsistencies

C.

Understanding the new system's data structure

D.

Creating data conversion scripts

Question 376

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data

classification in this project?

Options:

A.

Information security officer

B.

Database administrator (DBA)

C.

Information owner

D.

Data architect

Question 377

Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?

Options:

A.

Attempt to submit new account applications with invalid dates of birth.

B.

Review the business requirements document for date of birth field requirements.

C.

Review new account applications submitted in the past month for invalid dates of birth.

D.

Evaluate configuration settings for the date of birth field requirements

Question 378

Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change

management process?

Options:

A.

The added functionality has not been documented.

B.

The new functionality may not meet requirements.

C.

The project may fail to meet the established deadline.

D.

The project may go over budget.

Question 379

Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?

Options:

A.

Purchase requisitions and purchase orders

B.

Invoices and reconciliations

C.

Vendor selection and statements of work

D.

Good receipts and payments

Question 380

Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?

Options:

A.

Review data classification levels based on industry best practice

B.

Verify that current DLP software is installed on all computer systems.

C.

Conduct interviews to identify possible data protection vulnerabilities.

D.

Verify that confidential files cannot be transmitted to a personal USB device.

Question 381

Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?

Options:

A.

Classifies documents to correctly reflect the level of sensitivity of information they contain

B.

Defines the conditions under which documents containing sensitive information may be transmitted

C.

Classifies documents in accordance with industry standards and best practices

D.

Ensures documents are handled in accordance With the sensitivity of information they contain

Question 382

Which of the following is an example of a preventive control for physical access?

Options:

A.

Keeping log entries for all visitors to the building

B.

Implementing a fingerprint-based access control system for the building

C.

Installing closed-circuit television (CCTV) cameras for all ingress and egress points

D.

Implementing a centralized logging server to record instances of staff logging into workstations

Question 383

Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?

Options:

A.

adequate measurement of key risk indicators (KRIS)

B.

Inadequate alignment of IT plans and business objectives

C.

Inadequate business impact analysis (BIA) results and predictions

D.

Inadequate measurement of key performance indicators (KPls)

Question 384

During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?

Options:

A.

The project manager will have to be replaced.

B.

The project reporting to the board of directors will be incomplete.

C.

The project steering committee cannot provide effective governance.

D.

The project will not withstand a quality assurance (QA) review.

Question 385

The use of which of the following would BEST enhance a process improvement program?

Options:

A.

Model-based design notations

B.

Balanced scorecard

C.

Capability maturity models

D.

Project management methodologies

Question 386

Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?

Options:

A.

Any information assets transmitted over a public network must be approved by executive management.

B.

All information assets must be encrypted when stored on the organization's systems.

C.

Information assets should only be accessed by persons with a justified need.

D.

All information assets will be assigned a clearly defined level to facilitate proper employee handling.

Question 387

An organization considering the outsourcing of a business application should FIRST:

Options:

A.

define service level requirements.

B.

perform a vulnerability assessment.

C.

conduct a cost-benefit analysis.

D.

issue a request for proposal (RFP).

Question 388

An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

Options:

A.

Computer-assisted technique

B.

Stratified sampling

C.

Statistical sampling

D.

Process walk-through

Question 389

If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?

Options:

A.

Comparison of object and executable code

B.

Review of audit trail of compile dates

C.

Comparison of date stamping of source and object code

D.

Review of developer comments in executable code

Question 390

In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?

Options:

A.

Onsite disk-based backup systems

B.

Tape-based backup systems

C.

Virtual tape library

D.

Redundant array of independent disks (RAID)

Question 391

Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?

Options:

A.

Ensuring standards are adhered to within the development process

B.

Ensuring the test work supports observations

C.

Updating development methodology

D.

Implementing solutions to correct defects

Question 392

Which of the following presents the GREATEST risk of data leakage in the cloud environment?

Options:

A.

Lack of data retention policy

B.

Multi-tenancy within the same database

C.

Lack of role-based access

D.

Expiration of security certificate

Question 393

Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?

Options:

A.

Progress updates indicate that the implementation of agreed actions is on track.

B.

Sufficient time has elapsed since implementation to provide evidence of control operation.

C.

Business management has completed the implementation of agreed actions on schedule.

D.

Regulators have announced a timeline for an inspection visit.

Question 394

During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?

Options:

A.

System administrators should ensure consistency of assigned rights.

B.

IT security should regularly revoke excessive system rights.

C.

Human resources (HR) should delete access rights of terminated employees.

D.

Line management should regularly review and request modification of access rights

Question 395

A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?

Options:

A.

Virtual firewall

B.

Proxy server

C.

Load balancer

D.

Virtual private network (VPN)

Question 396

An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's

GREATEST concern?

Options:

A.

User access rights have not been periodically reviewed by the client.

B.

Payroll processing costs have not been included in the IT budget.

C.

The third-party contract has not been reviewed by the legal department.

D.

The third-party contract does not comply with the vendor management policy.

Question 397

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

Options:

A.

Source code version control

B.

Project change management controls

C.

Existence of an architecture review board

D.

Configuration management

Question 398

Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAS)?

Options:

A.

Review exception reports

B.

Review IT staffing schedules.

C.

Analyze help desk ticket logs

D.

Conduct IT management interviews

Question 399

When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?

Options:

A.

Data backups

B.

Decision support system

C.

Operating system

D.

Applications

Question 400

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST

recommendation to address this situation?

Options:

A.

Suspend contracts with third-party providers that handle sensitive data.

B.

Prioritize contract amendments for third-party providers.

C.

Review privacy requirements when contracts come up for renewal.

D.

Require third-party providers to sign nondisclosure agreements (NDAs).

Question 401

An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?

Options:

A.

Document the findings in the audit report.

B.

Identify who approved the policies.

C.

Escalate the situation to the lead auditor.

D.

Communicate the observation to the auditee.

Question 402

During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?

Options:

A.

Conduct a follow-up audit after a suitable period has elapsed.

B.

Reschedule the audit assignment for the next financial year.

C.

Reassign the audit to an internal audit subject matter expert.

D.

Extend the duration of the audit to give the auditor more time.

Question 403

Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?

Options:

A.

Compliance testing

B.

Stop-or-go sampling

C.

Substantive testing

D.

Variable sampling

Question 404

An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?

Options:

A.

The message is encrypted using a symmetric algorithm.

B.

The message is sent using Transport Layer Security (TLS) protocol.

C.

The message is sent along with an encrypted hash of the message.

D.

The message is encrypted using the private key of the sender.

Question 405

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?

Options:

A.

Performing a cyber resilience test

B.

Performing a full interruption test

C.

Performing a tabletop test

D.

Performing a parallel test

Question 406

Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the

organization?

Options:

A.

Integrating data requirements into the system development life cycle (SDLC)

B.

Appointing data stewards to provide effective data governance

C.

Classifying data quality issues by the severity of their impact to the organization

D.

Facilitating effective communication between management and developers

Question 407

An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Identify existing mitigating controls.

B.

Disclose the findings to senior management.

C.

Assist in drafting corrective actions.

D.

Attempt to exploit the weakness.

Question 408

Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization's cloud service provider?

Options:

A.

There is no change management process defined in the contract.

B.

There are no procedures for incident escalation.

C.

There is no dispute resolution process defined in the contract.

D.

There is no right-to-audit clause defined in the contract.

Question 409

An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?

Options:

A.

Maximum tolerable downtime (MTD)

B.

Recovery time objective (RTO)

C.

Recovery point objective (RPO)

D.

Mean time to repair (MTTR)

Question 410

Which of the following BEST enables a benefits realization process for a system development project?

Options:

A.

Metrics for the project have been selected before the project begins.

B.

Project budget includes costs to execute the project and costs associated with the solution.

C.

Estimates of business benefits are backed by similar previously completed projects.

D.

Metrics are evaluated immediately after the project has been implemented.

Question 411

A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?

Options:

A.

Analyzing the root cause of the outage to ensure the incident will not reoccur

B.

Restoring the system to operational state as quickly as possible

C.

Ensuring all resolution steps are fully documented prior to returning thesystem to service

D.

Rolling back the unsuccessful change to the previous state

Question 412

Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?

Options:

A.

Legacy data has not been purged.

B.

Admin account passwords are not set to expire.

C.

Default settings have not been changed.

D.

Database activity logging is not complete.

Question 413

In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?

Options:

A.

Discovery sampling

B.

Variable sampling

C.

Stop-or-go sampling

D.

Judgmental sampling

Question 414

An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?

Options:

A.

Version control issues

B.

Reduced system performance

C.

Inability to recover from cybersecurity attacks

D.

Increase in IT investment cost

Question 415

Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?

Options:

A.

Critical business applications

B.

Business processes

C.

Existing IT controls

D.

Recent audit results

Question 416

Which of the following helps to ensure the integrity of data for a system interface?

Options:

A.

System interface testing

B.

user acceptance testing (IJAT)

C.

Validation checks

D.

Audit logs

Question 417

Which of the following is BEST used for detailed testing of a business application's data and configuration files?

Options:

A.

Version control software

B.

Audit hooks

C.

Utility software

D.

Audit analytics tool

Question 418

A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?

Options:

A.

Penetration testing results

B.

Management attestation

C.

Anti-malware tool audit logs

D.

Recent malware scan reports

Question 419

An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?

Options:

A.

Determine whether the business impact analysis (BIA) is current with the organization's structure and context.

B.

Determine the types of technologies used at the plant and how they may affect the BCP.

C.

Perform testing to determine the impact to the recovery time objective (R TO).

D.

Assess the risk to operations from the closing of the plant.

Question 420

What should an IS auditor evaluate FIRST when reviewing an organization's response to new privacy legislation?

Options:

A.

Implementation plan for restricting the collection of personal information

B.

Privacy legislation in other countries that may contain similar requirements

C.

Operational plan for achieving compliance with the legislation

D.

Analysis of systems that contain privacy components

Question 421

Which of the following is MOST likely to be a project deliverable of an agile software development methodology?

Options:

A.

Strictly managed software requirements baselines

B.

Extensive project documentation

C.

Automated software programming routines

D.

Rapidly created working prototypes

Page: 1 / 140
Total 1404 questions