Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
Which of the following is MOST important for an IS auditor to validate when auditing network device management?
An organization has engaged a third party to implement an application to perform business-critical calculations. Which of the following is the MOST important process to help ensure the application provides accurate calculations?
Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
In an IT organization where many responsibilities are shared, which of the following is the BEST control for detecting unauthorized data changes?
When auditing the feasibility study of a system development project, the IS auditor should:
An IS auditor is evaluating the progress of a web-based customer service application development project. Which of the following would be MOST helpful for this evaluation?
Which of the following is the BEST way to prevent social engineering incidents?
Audit frameworks can assist the IS audit function by:
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program?
The FIRST step in auditing a data communication system is to determine:
An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
An IS auditor is analyzing a sample of accounts payable transactions for a specific vendor and identifies one transaction with a value five times as high as the average transaction. Which of the following should the auditor do NEXT?
Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?
Which of the following is the BEST source of information for examining the classification of new data?
Which of the following is an IS auditor's BEST approach when preparing to evaluate whether the IT strategy supports the organization's vision and mission?
An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?
An IT governance body wants to determine whether IT service delivery is based on consistently effective processes. Which of the following is the BEST approach?
Which of the following is MOST important to determine when conducting a post-implementation review?
Which of the following is MOST important during software license audits?
Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
Which of the following is an IS auditor's BEST recommendation to protect an organization from attacks when its file server needs to be accessible to external users?
Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?
While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:
Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization's newly implemented online security awareness program?
An organization implemented a cybersecurity policy last year. Which of the following is the GREATEST indicator that the policy may need to be revised?
Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?
When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
An IS auditor is reviewing a bank's service level agreement (SLA) with a third-party provider that hosts the bank's secondary data center. Which of the following findings should be of GREATEST concern to the auditor?
Which of the following risk scenarios is BEST addressed by implementing policies and procedures related to full disk encryption?
An organization has implemented a distributed security administration system to replace the previous centralized one. Which of the following presents the GREATEST potential concern?
When classifying information, it is MOST important to align the classification to:
Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?
Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?
Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
Which of the following is the MOST important responsibility of user departments associated with program changes?
Which of the following is the BEST testing approach to facilitate rapid identification of application interface errors?
Which of the following is MOST useful to an IS auditor performing a review of access controls for a document management system?
Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?
After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?
An organization is shifting to a remote workforce. In preparation, the IT department is performing stress and capacity testing of remote access infrastructure and systems. What type of control is being implemented?
A finance department has a multi-year project to upgrade the enterprise resource planning (ERP) system hosting the general ledger, and in year one, the system version upgrade will be applied. Which of the following should be the PRIMARY focus of the IS auditor reviewing the first year of the project?
The use of control totals satisfies which of the following control objectives?
An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST?
Which of the following would be the BEST process for continuous auditing at a large financial institution?
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
To mitigate the risk of exposing data through application programming interface (API) queries, which of the following design considerations is MOST important?
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?
Which of the following is MOST effective for controlling visitor access to a data center?
In which of the following system development life cycle (SDLC) phases would an IS auditor expect to find that controls have been incorporated into system specifications?
An IS auditor is reviewing the deployment of a new automated system. Which of the following findings presents the MOST significant risk?
A web proxy server for corporate connections to external resources reduces organizational risk by:
A vendor requires privileged access to a key business application. Which of the following is the BEST recommendation to reduce the risk of data leakage?
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?
An IS auditor is reviewing an organization's business continuity plan (BCP) following a change in organizational structure with significant impact to business processes. Which of the following findings should be the auditor's GREATEST concern?
Which of the following should an IS auditor review when evaluating information systems governance for a large organization?
A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?
Which of the following should be the FIRST step when conducting an IT risk assessment?
Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be able to access patient data wherever patients present themselves for care?
Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
Which of the following is the BEST way to minimize sampling risk?
A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS auditor's BEST recommendation?
Which of the following is the MAJOR advantage of automating internal controls?
During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?
Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
What is the MOST effective way to detect installation of unauthorized software packages by employees?
An IS auditor is reviewing an organization's release management practices and observes inconsistent and inaccurate estimation of the size and complexity of business application development projects. Which of the following should the auditor recommend to address this issue?
Which of the following would present the GREATEST risk within a release management process for a new application?
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
Which of the following tasks would cause the GREATEST segregation of duties (SoD) concern if performed by the person who reconciles the organization's device inventory?
Which of the following should be the IS auditor's PRIMARY focus when evaluating an organization's offsite storage facility?
Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization's corporate network?
Which of the following is PRIMARILY used in blockchain technology to create a distributed immutable ledger?
An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated. Which of the following should be of MOST concern?
Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?
Which of the following would be MOST important to include in an IS audit report?
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed, as management has decided to accept the risk. Which of the following is the IS auditor's BEST course of action?
Which of the following is the MOST effective control when granting access to a service provider for a cloud-based application?
Which of the following BEST mitigates the risk of SQL injection attacks against applications exposed to the internet?
Which of the following should be done FIRST when creating a data protection program?
Which of the following is the BEST reason for software developers to use automated testing versus manual testing?
An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?
An IS auditor discovers that backups of critical systems are not being performed in accordance with the recovery point objective (RPO) established in the business continuity plan (BCP). What should the auditor do NEXT?
Which of the following issues identified during a formal review of an organization's information security policies presents the GREATEST potential risk to the organization?
Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?
Which of the following is the MOST important reason for an organization to automate data purging?
Aligning IT strategy with business strategy PRIMARILY helps an organization to:
During the audit of an enterprise resource planning (ERP) system, an IS auditor found an application patch was applied to the production environment. It is MOST important for the IS auditor to verify approval from the:
Which of the following is a PRIMARY function of an intrusion detection system (IDS)?
Having knowledge in which of the following areas is MOST relevant for an IS auditor reviewing public key infrastructure (PKI)?
Which of the following is MOST important to define within a disaster recovery plan (DRP)?
Which of the following is the MOST important consideration of any disaster response plan?
Which of the following is a core functionality of a configuration and release management system?
Which type of security testing is MOST efficient for finding hidden errors in software and facilitating source code optimization?
An IS auditor wants to gain a better understanding of an organization’s selected IT operating system software. Which of the following would be MOST helpful to review?
Which of the following is the PRIMARY purpose of batch processing monitoring?
Which of the following is MOST helpful in identifying system performance constraints?
Which of the following can BEST reduce the impact of a long-term power failure?
Which of the following is the PRIMARY benefit of introducing business impact analyses (BIAs) to business resiliency strategies?
An organization is implementing a data loss prevention (DLP) system in response to a new regulatory requirement. Reviewing which of the following would be MOST helpful in evaluating the system's design?
Control self-assessments (CSAs) can be used to:
Which of the following is the MOST efficient way to identify fraudulent activity on a set of transactions?
Management is concerned about sensitive information being intentionally or unintentionally emailed as attachments outside the organization by employees. What is the MOST important task before implementing any associated email controls?
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?
Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?
While conducting a follow-up on an asset management audit, the IS auditor finds paid invoices for IT devices not recorded in the organization's inventory. Which of the following is the auditor's BEST course of action?
Which of the following should be of MOST concern to an IS auditor reviewing an organization’s business impact analysis (BIA)?
Which of the following is the MOST important task of an IS auditor during an application post-implementation review?
Which of the following MOST effectively enables consistency across high-volume software changes?
An IS auditor observes that an organization's systems are being used for cryptocurrency mining on a regular basis. Which of the following is the auditor's FIRST course of action?
An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget. Which of the following is the GREATEST risk to communicate to senior management?
Which of the following is the BEST approach to help organizations address risks associated with shadow IT?
Which of the following is the PRIMARY benefit of monitoring IT operational logs?
An organization has moved all of its infrastructure to the cloud. Which of the following would be an IS auditor’s GREATEST concern related to the organization’s ability to continue operations in case of a disaster?
Which of the following is MOST helpful for evaluating benefits realized by IT projects?
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
Which of the following should be of GREATEST concern to an IS auditor reviewing system interfaces used to transfer publicly available information?
Which of the following should be of MOST concern to an IS auditor reviewing an organization's operational log management?
An IS auditor reviewing an organization’s IT systems finds that the organization frequently purchases systems that are incompatible with the technologies already in the organization. Which of the following is the MOST likely reason?
Who is accountable for an organization's enterprise risk management (ERM) program?
Which of the following is the MOST important privacy consideration for an organization that uses a cloud service provider to process customer data?
An organization requires the use of a key card to enter its data center. Recently, a control was implemented that requires biometric authentication for each employee. Which type of control has been added?
Which of the following would be the GREATEST concern for an IS auditor conducting a pre-implementation review of a data loss prevention (DLP) tool?
Which of the following responsibilities associated with a disaster recovery plan (DRP) can be outsourced to a Disaster Recovery as a Service (DRaaS) provider?
Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?
Which of the following BEST ensures that effective change management is in place in an IS environment?
Which of the following is the MOST appropriate testing approach when auditing a daily data flow between two systems via an automated interface to confirm that it is complete and accurate?
Which of the following should be the PRIMARY concern for the IT department head when implementing operational log management?
Which of the following is the MOST important success factor for implementing a data loss prevention (DLP) tool?
An organization has decided to reengineer business processes to improve the performance of overall IT service delivery. Which of the following recommendations from the project team should be the GREATEST concern to the IS auditor?
During which process is regression testing MOST commonly used?
When designing a data analytics process, which of the following should be the stakeholder's role in automating data extraction and validation?
An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
An organization that has suffered a cyber-attack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?
Which of the following is MOST important for an IS auditor to verify when evaluating an organization's firewall?
Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?
What is the MOST critical finding when reviewing an organization's information security management?
A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
During a follow-up audit, it was found that a complex security vulnerability of low risk was not resolved within the agreed-upon timeframe. IT has stated that the system with the identified vulnerability is being replaced and is expected to be fully functional in two months. Which of the following is the BEST course of action?
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
Which of the following is the MOST important activity in the data classification process?
Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
Which of the following must be in place before an IS auditor initiates audit follow-up activities?
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization's data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
Which of the following activities provides an IS auditor with the MOST insight regarding potential single person dependencies that might exist within the organization?
Providing security certification for a new system should include which of the following prior to the system's implementation?
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
Which of the following is the MAIN purpose of an information security management system?
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
Which of the following should an IS auditor consider FIRST when evaluating firewall rules?
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?
A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
Which of the following MUST be completed as part of the annual audit planning process?
In a RACI model, which of the following roles must be assigned to only one individual?
Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?
During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor's BEST course of action?
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?
An organization is considering allowing users to connect personal devices to the corporate network. Which of the following should be done FIRST?
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
What is the MAIN reason to use incremental backups?
Which of the following is the GREATEST risk associated with storing customer data on a web server?
Which of the following is the BEST indicator of the effectiveness of signature-based intrusion detection systems (IDS)?
Which of the following is the BEST reason for an organization to use clustering?
Which of the following metrics would BEST measure the agility of an organization's IT function?
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
Upon completion of audit work, an IS auditor should:
Capacity management enables organizations to:
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same approach to optimize resources?
Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
Which of the following is the BEST control to mitigate attacks that redirect Internet traffic to an unauthorized website?
Which of the following backup schemes is the BEST option when storage media is limited?
An IS auditor has been asked to advise on measures to improve IT governance within the organization. Which of the following is the BEST recommendation?
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?
Which of the following would BEST ensure that a backup copy is available for restoration of mission critical data after a disaster?
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?
An audit has identified that business units have purchased cloud-based applications without IT's support. What is the GREATEST risk associated with this situation?
A review of an organization's IT portfolio revealed several applications that are not in use. The BEST way to prevent this situation from recurring would be to implement:
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?
Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
Which of the following is necessary for effective risk management in IT governance?
Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
If enabled within firewall rules, which of the following services would present the GREATEST risk?
An IS auditor is reviewing logical access controls for an organization's financial business application. Which of the following findings should be of GREATEST concern to the auditor?
Which of the following is MOST critical for the effective implementation of IT governance?
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditor BEST validate that appropriate security controls are in place to prevent data loss?
Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?
The PRIMARY benefit of information asset classification is that it:
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
Which of the following is MOST important when implementing a data classification program?
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
Which of the following is the BEST reason to implement a data retention policy?
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
Which of the following is MOST important to determine during the planning phase of a cloud-based messaging and collaboration platform acquisition?
During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed. Which of the following is the BEST way to help management understand the associated risk?
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
An IS auditor notes that the previous year's disaster recovery test was not completed within the scheduled time frame due to insufficient hardware allocated by a third-party vendor. Which of the following provides the BEST evidence that adequate resources are now allocated to successfully recover the systems?
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
The PRIMARY benefit of using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?
A proper audit trail of changes to server start-up procedures would include evidence of:
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
Which of the following is MOST important with regard to an application development acceptance test?
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
What is MOST important to verify during an external assessment of network vulnerability?
An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?
During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?
The implementation of an IT governance framework requires that the board of directors of an organization:
Which of the following demonstrates the use of data analytics for a loan origination process?
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
An IS auditor is planning an audit of an organization's accounts payable processes. Which of the following controls is MOST important to assess in the audit?
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?
To confirm integrity for a hashed message, the receiver should use:
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
When auditing the security architecture of an online application, an IS auditor should FIRST review the:
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
An incorrect version of the source code was amended by a development team. This MOST likely indicates a weakness in:
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?
Which of the following should be done FIRST when planning a penetration test?
Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
A data breach has occurred due to malware. Which of the following should be the FIRST course of action?
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
An organization's audit charter PRIMARILY:
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
Secure code reviews as part of a continuous deployment program are which type of control?
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
Which of the following is a social engineering attack method?
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?
Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization's objectives?
Which of the following is MOST important to include in forensic data collection and preservation procedures?
Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?
Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?
The BEST way to evaluate the effectiveness of a newly developed application is to:
The BEST way to provide assurance that a project is adhering to the project plan is to:
Which of the following provides the GREATEST assurance that a middleware application compiling data from multiple sales transaction databases for forecasting is operating effectively?
Which of the following methods would BEST help detect unauthorized disclosure of confidential documents sent over corporate email?
When reviewing an IT strategic plan, the GREATEST concern would be that:
Which of the following would BEST indicate the effectiveness of a security awareness training program?
An IS auditor reviewing incident response management processes notices that resolution times for reoccurring incidents have not shown improvement. Which of the following is the auditor's BEST recommendation?
Which type of risk would MOST influence the selection of a sampling methodology?
A security administrator is called in the middle of the night by the on-call programmer. A number of programs have failed, and the programmer has asked for access to the live system. What is the BEST course of action?
Which of the following is the MOST important control for virtualized environments?
Which of the following biometric access controls has the HIGHEST rate of false negatives?
An IT strategic plan that BEST leverages IT in achieving organizational goals will include:
An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?
Which of the following should be done FIRST to minimize the risk of unstructured data?
Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives. Which of the following is the BEST course of action to address this issue?
An IS auditor is reviewing the service agreement with a technology company that provides IT help desk services to the organization. Which of the following monthly performance metrics is the BEST indicator of service quality?
Which of the following is MOST important for the successful establishment of a security vulnerability management program?
Which of the following should be the FIRST step in a data migration project?
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?
Which of the following approaches would utilize data analytics to facilitate the testing of a new account creation process?
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
Which of the following areas of responsibility would cause the GREATEST segregation of duties conflict if the individual who performs the related tasks also has approval authority?
Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization's data loss prevention (DLP) controls?
Which of the following BEST describes the role of a document owner when implementing a data classification policy in an organization?
Which of the following is an example of a preventive control for physical access?
Which of the following is the MOST significant impact to an organization that does not use an IT governance framework?
During a project audit, an IS auditor notes that project reporting does not accurately reflect current progress. Which of the following is the GREATEST resulting impact?
The use of which of the following would BEST enhance a process improvement program?
Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
An organization considering the outsourcing of a business application should FIRST:
An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?
If a source code is not recompiled when program changes are implemented, which of the following is a compensating control to ensure synchronization of source and object?
In an environment where data virtualization is used, which of the following provides the BEST disaster recovery solution?
Which of the following responsibilities of an organization's quality assurance (QA) function should raise concern for an IS auditor?
Which of the following presents the GREATEST risk of data leakage in the cloud environment?
Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following is the auditor's BEST recommendation?
A national tax administration agency with a distributed network experiences service disruptions due to a large influx of traffic to a regional office near the end of each year. Which of the following would BEST enable the agency to improve the performance of its servers during the busy period?
An IS auditor is reviewing a client's outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?
An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
When a data center is attempting to restore computing facilities at an alternative site following a disaster, which of the following should be restored FIRST?
An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?
An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?
During planning for a cloud service audit, audit management becomes aware that the assigned IS auditor is unfamiliar with the technologies in use and their associated risks to the business. To ensure audit quality, which of the following actions should audit management consider FIRST?
Which of the following provides the BEST evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system?
An organization uses public key infrastructure (PKI) to provide email security. Which of the following would be the MOST efficient method to determine whether email messages have been modified in transit?
Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?
Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?
Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization's cloud service provider?
An organization that operates an e-commerce website wants to provide continuous service to its customers and is planning to invest in a hot site due to service criticality. Which of the following is the MOST important consideration when making this decision?
Which of the following BEST enables a benefits realization process for a system development project?
A core system fails a week after a scheduled update, causing an outage that impacts service. Which of the following is MOST important for incident management to focus on when addressing the issue?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
In which of the following sampling methods is the entire sample considered to be irregular if a single error is found?
An organization plans to replace its nightly batch processing backup to magnetic tape with real-time replication to a second data center. Which of the following is the GREATEST risk associated with this change?
Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?
Which of the following helps to ensure the integrity of data for a system interface?
Which of the following is BEST used for detailed testing of a business application's data and configuration files?
A global organization's policy states that all workstations must be scanned for malware each day. Which of the following would provide an IS auditor with the BEST evidence of continuous compliance with this policy?
An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?
What should an IS auditor evaluate FIRST when reviewing an organization's response to new privacy legislation?
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?