An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
Which of the following BEST indicates that an incident management process is effective?
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
Which of the following is the PRIMARY reason to follow a configuration management process to maintain an application?
Which of the following BEST protects an organization's proprietary code during a joint-development activity involving a third party?
The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?
An IS auditor finds that an organization's data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor's MAIN concern should be that:
Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?
While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?
A month after a company purchased and implemented system and performance monitoring software, reports were too large and therefore were not reviewed or acted upon. The MOST effective plan of action would be to:
An accounting department uses a spreadsheet to calculate sensitive financial transactions. Which of the following is the MOST important control for maintaining the security of data in the spreadsheet?
In an online application, which of the following would provide the MOST information about the transaction audit trail?
An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined that the user list was not system-generated. Which of the following should be the GREATEST concern?
Which of the following BEST enables the timely identification of risk exposure?
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
Which of the following is the BEST reason to implement a data retention policy?
What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?
An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?
Which of the following is the BEST reason for an organization to use clustering?
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
Which of the following business continuity activities prioritizes the recovery of critical functions?
Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?
Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?
Which of the following BEST enables the effectiveness of an agile project for the rapid development of a new software application?
An audit has identified that business units have purchased cloud-based applications without IT support. What is the GREATEST risk associated with this situation?
An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?
What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
What is the PRIMARY purpose of documenting audit objectives when preparing for an engagement?
Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?
Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?
Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system's edit routine?
Which of the following should be the FIRST step in the incident response process for a suspected breach?
An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?
Which of the following BEST facilitates the legal process in the event of an incident?
Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?
During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?
An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?
Which of the following IT service management activities is MOST likely to help with identifying the root cause of repeated instances of network latency?
Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution?
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
Which of the following BEST helps to ensure data integrity across system interfaces?
Which of the following would be MOST effective to protect information assets in a data center from theft by a vendor?
Which of the following should be the IS auditor's PRIMARY focus, when evaluating an organization's offsite storage facility?
An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor's PRIMARY concern would be:
Which of the following should be of GREATEST concern to an IS auditor reviewing a network printer disposal process?
Which of the following should an IS auditor ensure is classified at the HIGHEST level of sensitivity?
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
Which of the following is a challenge in developing a service level agreement (SLA) for network services?
If enabled within firewall rules, which of the following services would present the GREATEST risk?
A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?
A warehouse employee of a retail company has been able to conceal the theft of inventory items by entering adjustments of either damaged or lost stock items to the inventory system. Which control would have BEST prevented this type of fraud in a retail environment?
An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?
An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?
A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:
Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?
Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
An IS auditor is reviewing logical access controls for an organization's financial business application. Which of the following findings should be of GREATEST concern to the auditor?
Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY objective is to ensure that:
An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?
During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed. Which of the following is the BEST way to help management understand the associated risk?
Which of the following presents the GREATEST challenge to the alignment of business and IT?
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
Which of the following would be MOST useful when analyzing computer performance?
An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?
An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?
Which of the following is the BEST metric to measure the alignment of IT and business strategy?
When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:
During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?
Which of the following should be performed FIRST before key performance indicators (KPIs) can be implemented?
Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
What is the GREATEST concern for an IS auditor reviewing contracts for licensed software that executes a critical business process?
During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?
Which of the following would BEST ensure that a backup copy is available for restoration of mission-critical data after a disaster?
Which of the following provides the BEST evidence that outsourced provider services are being properly managed?
An IS auditor assessing the controls within a newly implemented call center would FIRST:
Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?
A post-implementation review was conducted by issuing a survey to users. Which of the following should be of GREATEST concern to an IS auditor?
An organization is disposing of a system containing sensitive data and has deleted all files from the hard disk. An IS auditor should be concerned because:
What would be an IS auditor's BEST recommendation upon finding that a third-party IT service provider hosts the organization's human resources (HR) system in a foreign country?
Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?
Which of the following is MOST critical for the effective implementation of IT governance?
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
Which of the following is necessary for effective risk management in IT governance?
In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
Which of the following should be an IS auditor's GREATEST concern when reviewing an organization's security controls for policy compliance?
During a routine internal software licensing review, an IS auditor discovers instances where employees shared license keys to critical pieces of business software. Which of the following would be the auditor's BEST course of action?
A small business unit is implementing a control self-assessment (CSA) program and leveraging the internal audit function to test its internal controls annually. Which of the following is the MOST significant benefit of this approach?
Due to advancements in technology and electronic records, an IS auditor has completed an engagement by email only. Which of the following did the IS auditor potentially compromise?
Which of the following should be given GREATEST consideration when implementing the use of an open-source product?
During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor's NEXT step should be to:
Transaction records from a business database were inadvertently deleted, and system operators decided to restore from a snapshot copy. Which of the following BEST provides assurance that the transactions were recovered successfully?
Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?
An IS auditor has identified deficiencies within the organization's software development life cycle policies. Which of the following should be done NEXT?
When reviewing the functionality of an intrusion detection system (IDS), the IS auditor should be MOST concerned if:
An IS auditor evaluating the change management process must select a sample from the change log. What is the BEST way for the auditor to confirm the change log is complete?
An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization's payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?
The use of which of the following is an inherent risk in the application container infrastructure?
Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?
Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?
Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?
When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
Which of the following should an IS auditor recommend be done FIRST when an organization is made aware of a new regulation that is likely to impact IT security requirements?
Which of the following should be used as the PRIMARY basis for prioritizing IT projects and initiatives?
Which of the following controls is MOST important for ensuring the integrity of system interfaces?
Which of the following is MOST likely to be a project deliverable of an agile software development methodology?
Which of the following should be the PRIMARY purpose of conducting tabletop exercises when reviewing a security incident response plan?
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
In a review of the organization's standards and guidelines for IT management, which of the following should be included in an IS development methodology?
Which of the following is an IS auditor's BEST recommendation for mitigating risk associated with inadvertent disclosure of sensitive information by employees?
An IS auditor is reviewing the deployment of a new automated system. Which of the following findings presents the MOST significant risk?
Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?
Which of the following will provide the GREATEST assurance to IT management that a quality management system (QMS) is effective?
Which of the following should be the FIRST step in managing the impact of a recently discovered zero-day attack?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
Which of the following should be restricted from a network administrator's privileges in an adequately segregated IT environment?
Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
Following a merger, a review of an international organization determines the IT steering committee's decisions do not extend to regional offices as required in the consolidated IT operating model. Which of the following is the IS auditor's BEST recommendation?
Which of the following poses the GREATEST risk to the use of active RFID tags?
While evaluating the data classification process of an organization, an IS auditor's PRIMARY focus should be on whether:
At the end of each business day, a business-critical application generates a report of financial transactions greater than a certain value, and an employee then checks these transactions for errors. What type of control is in place?
Which of the following should be the GREATEST concern to an IS auditor reviewing an organization's method to transport sensitive data between offices?
With regard to resilience, which of the following is the GREATEST risk to an organization that has implemented a new critical system?
Which of the following is the BEST way to prevent social engineering incidents?
An IS auditor is reviewing an organization's business intelligence infrastructure. The BEST recommendation to help the organization achieve a reasonable level of data quality would be to:
Which of the following would be MOST useful to an IS auditor when making recommendations to enable continual improvement of IT processes over time?
The operations team of an organization has reported an IS security attack. Which of the following should be the FIRST step for the security incident response team?
During an organization's implementation of a data loss prevention (DLP) solution, which of the following activities should be completed FIRST?
An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider. What should be the manager's PRIMARY concern when being made aware that a new auditor in the department previously worked for this provider?
Who is PRIMARILY responsible for the design of IT controls to meet control objectives?
Which of the following is the MOST effective control over visitor access to highly secured areas?
Which of the following is the BEST recommendation to include in an organization's bring your own device (BYOD) policy to help prevent data leakage?
A mission-critical application utilizes a one-node database server. On multiple occasions, the database service has been stopped to perform routine patching, causing application outages. Which of the following should be the IS auditor’s GREATEST concern?
How is nonrepudiation supported within a public key infrastructure (PKI) environment?
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
An IS auditor is reviewing enterprise governance and finds there is no defined organizational structure for technology risk governance. Which of the following is the GREATEST concern with this lack of structure?
An organization is implementing a new data loss prevention (DLP) tool. Which of the following will BEST enable the organization to reduce false positive alerts?
Which of the following should an IS auditor be MOST concerned with when a system uses RFID?
An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?
As part of the architecture of virtualized environments, in a bare metal or native virtualization the hypervisor runs without:
A data center's physical access log system captures each visitor's identification document numbers along with the visitor's photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
An IS auditor finds a user account where privileged access is not appropriate for the user’s role. Which of the following would provide the BEST evidence to determine whether the risk of this access has been exploited?
Which of the following is the GREATEST concern related to an organization's data classification processes?
Which of the following controls is BEST implemented through system configuration?
Network user accounts for temporary workers expire after 90 days.
Application user access is reviewed every 180 days for appropriateness.
Financial data in key reports is traced to source systems for completeness and accuracy.
An IS auditor is supporting a forensic investigation. An image of affected storage media has been captured while collecting digital forensic evidence. Which of the following techniques would BEST enable an IS auditor to verify that the captured image is an exact, unchanged replica of the original media?
An organization offers an e-commerce platform that allows consumer-to-consumer transactions. The platform now uses blockchain technology to ensure the parties are unable to deny the transactions. Which of the following attributes BEST describes the risk element that this technology is addressing?
What would be the PRIMARY reason an IS auditor would recommend replacing universal PIN codes with an RFID access card system at a data center?
The BEST way to prevent fraudulent payments is to implement segregation of duties between the vendor setup and:
A configuration management audit identified that predefined automated procedures are used when deploying and configuring application infrastructure in a cloud-based environment. Which of the following is MOST important for the IS auditor to review?
Which of the following documents should specify roles and responsibilities within an IT audit organization?
A new system is being developed by a vendor for a consumer service organization. The vendor will provide its proprietary software once system development is completed. Which of the following is the MOST important requirement to include in the vendor contract to ensure continuity?
Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
A programmer has made unauthorized changes to key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?
When assessing the overall effectiveness of an organization's disaster recovery planning process, which of the following is MOST important for the IS auditor to verify?
Which of the following is MOST critical to the success of an information security program?
Which of the following should be the FIRST step when conducting an IT risk assessment?
Which of the following is the GREATEST advantage of vulnerability scanning over penetration testing?
Which of the following would BEST guide an IS auditor when determining an appropriate time to schedule the follow-up of agreed corrective actions for reported audit issues?
Who should be the FIRST to evaluate an audit report prior to issuing it to the project steering committee?
Which of the following would be of GREATEST concern to an IS auditor reviewing the resiliency of an organizational network that has two internet connections?
Which of the following is MOST important to consider when reviewing an organization's defined data backup and restoration procedures?
Which of the following should be of GREATEST concern to an IS auditor when auditing an organization's IT strategy development process?
Following a breach, what is the BEST source to determine the maximum amount of time before customers must be notified that their personal information may have been compromised?
Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
Which of the following BEST indicates the effectiveness of an organization's risk management program?
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?
During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?
Which of the following is the BEST method to safeguard data on an organization's laptop computers?
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?
Which of the following should an IS auditor be MOST concerned with during a post-implementation review?
Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?
The decision to accept an IT control risk related to data quality should be the responsibility of the:
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:
Which of the following is the BEST detective control for a job scheduling process involving data transmission?
Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?
Which of the following would be a result of utilizing a top-down maturity model process?
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
From an IS auditor's perspective, which of the following would be the GREATEST risk associated with an incomplete inventory of deployed software in an organization?
An organization allows employees to retain confidential data on personal mobile devices. Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?
Which of the following is the BEST justification for deferring remediation testing until the next audit?
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?
An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?
Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?
Which of the following fire suppression systems needs to be combined with an automatic switch to shut down the electricity supply in the event of activation?
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
Which of the following is the BEST method to prevent wire transfer fraud by bank employees?
In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to never expire. Which of the following recommendations would BEST address the risk with minimal disruption to the business?
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?
Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
Which of the following is MOST important to include in forensic data collection and preservation procedures?
Which of the following is the BEST control to prevent the transfer of files to external parties through instant messaging (IM) applications?
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?
A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?
Which of the following is the BEST way to mitigate the impact of ransomware attacks?
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?
Which of the following attack techniques will succeed because of an inherent security weakness in an Internet firewall?
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between the two systems?
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
Secure code reviews as part of a continuous deployment program are which type of control?
Which of the following MOST effectively minimizes downtime during system conversions?
What is MOST important to verify during an external assessment of network vulnerability?
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor's FIRST course of action should be to:
The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:
A data breach has occurred due to malware. Which of the following should be the FIRST course of action?
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?
Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?
One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:
Which of the following is the MOST effective way to maintain network integrity when using mobile devices?
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
When an intrusion into an organization's network is detected, which of the following should be done FIRST?
The implementation of an IT governance framework requires that the board of directors of an organization:
Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?
Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?
Which of the following is MOST important to ensure when planning a black box penetration test?
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?
An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor's BEST recommendation would be to:
An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?
Which of the following is the MOST important consideration for an IS auditor when assessing the adequacy of an organization's information security policy?
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?
An IS auditor notes that several employees are spending an excessive amount of time using social media sites for personal reasons. Which of the following should the auditor recommend be performed FIRST?
Which of the following would BEST facilitate the successful implementation of an IT-related framework?
Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?
Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST:
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?
An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?
Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?
An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?
An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
The GREATEST benefit of using a prototyping approach in software development is that it helps to:
An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future?
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
In which phase of penetration testing would host detection and domain name system (DNS) interrogation be performed?
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?
Which of the following metrics would BEST measure the agility of an organization's IT function?
The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:
An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:
Which of the following findings from an IT governance review should be of GREATEST concern?
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?
Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?
In a RACI model, which of the following roles must be assigned to only one individual?
Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?
An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?
An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control issue?
Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?
Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?
Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization's incident management processes?
The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:
In an environment that automatically reports all program changes, which of the following is the MOST efficient way to detect unauthorized changes to production programs?
Which of the following concerns is BEST addressed by securing production source libraries?
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?
When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:
Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor's BEST recommendation for a compensating control?
Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?
What is the MOST critical finding when reviewing an organization's information security management?
A manager identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor in this scenario?
Which of the following is MOST important for an IS auditor to do during an exit meeting with an auditee?
The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
An information systems security officer's PRIMARY responsibility for business process applications is to:
An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?
In data warehouse (DW) management, what is the BEST way to prevent data quality issues caused by changes from a source system?
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?
An IS auditor is reviewing a recent security incident and is seeking information about the approval of a recent modification to a database system's security settings. Where would the auditor MOST likely find this information?
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
Which of the following should an IS auditor consider the MOST significant risk associated with a new health records system that replaces a legacy system?
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?
During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?