CISA Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the CISA exam? Start with our CISA Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a free CISA practice test is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free CISA practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Which of the following should be an IS auditor’s GREATEST concern when assessing an IT service configuration database?
A. The database is not encrypted at rest.
B. The database is read-accessible for all users.
C. The database is executable for all users.
D. The database is write-accessible for all users.
What is the PRIMARY reason to adopt a risk-based IS audit strategy?
A. To achieve synergy between audit and other risk management functions
B. To reduce the time and effort needed to perform a full audit cycle
C. To prioritize available resources and focus on areas with significant risk
D. To identify key threats, risks, and controls for the organization
Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?
A. Failure to comply with data-related regulations
B. Failure to prevent fraudulent transactions
C. Inability to manage access to private or sensitive data
D. Inability to obtain customer confidence
A data breach has occurred due to malware. Which of the following should be the FIRST course of action?
A. Shut down the affected systems.
B. Quarantine the impacted systems.
C. Notify customers of the breach.
D. Notify the cyber insurance company.
Which of the following is the MOST effective way for an organization to help ensure agreed-upon action plans from an IS audit will be implemented?
A. Ensure ownership is assigned.
B. Test corrective actions upon completion.
C. Ensure sufficient audit resources are allocated.
D. Communicate audit results organization-wide.
When auditing the feasibility study of a system development project, the IS auditor should:
A. review the request for proposal (RFP) to ensure that it covers the scope of work.
B. ensure that vendor contracts are reviewed by legal counsel.
C. review cost-benefit documentation for reasonableness.
D. review qualifications of key members of the project team.
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
A. There are conflicting permit and deny rules for the IT group.
B. There is only one rule per group with access privileges.
C. Individual permissions are overriding group permissions.
D. The network security group can change network address translation (NAT).
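The finding in option A rests on how a router evaluates its ACL: rules are applied top-down and the first match wins, so a later rule that contradicts an earlier, broader rule is never enforced, and the "deny" the administrator believes is in place does not exist. The block below is an added example, not part of the question or any vendor's ACL syntax: it models first-match evaluation in Python and flags any rule that is fully shadowed by an earlier rule with the opposite action. The Rule layout, the group names and the sample networks are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    seq: int      # evaluation order, lowest first
    action: str   # "permit" or "deny"
    group: str    # user/role group; "ANY" matches every group (assumed convention)
    dest: str     # destination network in CIDR notation


def _group_covers(outer: str, inner: str) -> bool:
    """True if a rule written for `outer` also applies to traffic from `inner`."""
    return outer == "ANY" or outer == inner


def evaluate(acl: list[Rule], group: str, dest_ip: str) -> str:
    """First match wins; like a real router ACL, an unmatched packet hits an implicit deny."""
    addr = ip_address(dest_ip)
    for rule in sorted(acl, key=lambda r: r.seq):
        if _group_covers(rule.group, group) and addr in ip_network(rule.dest):
            return rule.action
    return "deny"


def find_conflicts(acl: list[Rule]) -> list[tuple[int, int]]:
    """Return (shadowed_seq, shadowing_seq) pairs: a later rule whose group and
    destination are entirely covered by an earlier rule with the opposite action.
    Such a rule can never fire, which is exactly the audit finding."""
    ordered = sorted(acl, key=lambda r: r.seq)
    conflicts = []
    for j, later in enumerate(ordered):
        for earlier in ordered[:j]:
            if (_group_covers(earlier.group, later.group)
                    and ip_network(later.dest).subnet_of(ip_network(earlier.dest))
                    and earlier.action != later.action):
                conflicts.append((later.seq, earlier.seq))
                break
    return conflicts


# Constructed sample: the IT group is meant to be blocked from the 10.10.0.0/16
# management subnet, but the broad permit above it wins on every packet.
SAMPLE_ACL = [
    Rule(10, "permit", "IT", "10.0.0.0/8"),
    Rule(20, "deny", "IT", "10.10.0.0/16"),
    Rule(30, "permit", "NETSEC", "10.10.0.0/16"),
    Rule(40, "deny", "ANY", "0.0.0.0/0"),
]

# Same intent, correct order: the specific deny precedes the broad permit.
FIXED_ACL = [
    Rule(10, "deny", "IT", "10.10.0.0/16"),
    Rule(20, "permit", "IT", "10.0.0.0/8"),
    Rule(30, "permit", "NETSEC", "10.10.0.0/16"),
    Rule(40, "deny", "ANY", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("IT -> 10.10.1.1 under SAMPLE_ACL:", evaluate(SAMPLE_ACL, "IT", "10.10.1.1"))
    print("shadowed rules in SAMPLE_ACL:", find_conflicts(SAMPLE_ACL))
    print("IT -> 10.10.1.1 under FIXED_ACL:", evaluate(FIXED_ACL, "IT", "10.10.1.1"))
    print("shadowed rules in FIXED_ACL:", find_conflicts(FIXED_ACL))
```

The detector only reports full shadowing (a later rule whose destination is a subnet of an earlier, opposite-action rule), because partial overlaps between a permit and a deny can be a deliberate, order-dependent design. Option B (one rule per group) is not a finding on its own, and option C is a normal precedence model; it is the contradictory, unreachable rule that an auditor should write up.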
Which of the following is the BEST way to mitigate the risk associated with technology obsolescence?
A. Create tactical and strategic IS plans.
B. Make provisions in the budgets for potential upgrades.
C. Invest in current technology.
D. Create a technology watch team that evaluates emerging trends.
An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
An IS auditor is reviewing the contract for a customer relationship management (CRM) system containing personal identifiable information (PII) hosted by a third party. The absence of which of the following would be the GREATEST concern regarding the contract?
A. Right-to-audit clause
B. Service level agreements (SLAs)
C. System availability requirements
D. Confidentiality terms
How does a continuous integration/continuous delivery (CI/CD) process help to reduce software failure risk?
A. Fewer manual milestones
B. Easy software version rollback
C. Automated software testing
D. Smaller incremental changes
Which of the following is the PRIMARY purpose of conducting follow-up audits for material observations?
A. To assess evidence for management reporting
B. To validate the correctness of reported findings
C. To validate remediation efforts
D. To assess the risk of the audit environment
Which of the following is the MAJOR advantage of automating internal controls?
A. To enable the review of large value transactions
B. To help identify transactions with no segregation of duties
C. To efficiently test large volumes of data
D. To assist in performing analytical reviews
Which of the following is the MOST useful information for an IS auditor to review when formulating an audit plan for the organization's outsourced service provider?
A. Service level agreement (SLA) reports
B. The service provider’s control self-assessment (CSA)
C. The organization’s procurement policy
D. Independent audit reports
Which of the following would be of GREATEST concern to an IS auditor when evaluating governance processes for a user-developed tool?
A. Penetration testing has not been conducted.
B. Significant changes to the tool were not documented.
C. The backup strategy has not been tested.
D. A risk assessment has not been performed.
Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?
A. Packet filtering router
B. Circuit gateway
C. Application level gateway
D. Screening router
The BEST way to evaluate the effectiveness of a newly developed application is to:
A. perform a post-implementation review.
B. review acceptance testing results.
C. perform a secure code review.
D. analyze load testing results.
Which of the following findings should be of MOST concern to an IS auditor assessing agile software development practices?
A. There is a low acceptance rate by the business of delivered software.
B. Testing is performed by both software developers and testers.
C. Release plans have been revised several times before actual release.
D. The IT team feels unable to strictly follow standard agile practices.
During a post-implementation review, which of the following provides the BEST evidence that user requirements have been met?
A. Operator error logs
B. End-user documentation
C. User acceptance testing (UAT)
D. Management interviews
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
A. Complete testing of the recovery plan
B. Availability of the site in the event of multiple disaster declarations
C. Reciprocal agreements with other organizations
D. Coordination with the site staff in the event of multiple disaster declarations
Which of the following is necessary for effective risk management in IT governance?
A. Local managers are solely responsible for risk evaluation.
B. Risk management strategy is approved by the audit committee.
C. Risk evaluation is embedded in management processes.
D. IT risk management is separate from corporate risk management.
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
A. Recent third-party IS audit reports
B. Current and previous internal IS audit reports
C. IT performance benchmarking reports with competitors
D. Self-assessment reports of IT capability and maturity
An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
A. Some KPIs are not documented.
B. KPIs are not clearly defined.
C. KPIs have never been updated.
D. KPI data is not being analyzed.
Which of the following is MOST important for an IS auditor to confirm when assessing the security of a new cloud-based IT application that is linked with the organization’s existing technology?
A. The application programming interfaces (APIs) are adequately secured.
B. The on-premises database has adequate encryption at rest.
C. The cloud provider shares an external audit report.
D. The organization has a flat network structure.
Management states that a recommendation made during a prior audit has been implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the following is the auditor’s MOST appropriate course of action?
A. Report to audit management that the actions taken have not effectively addressed the original risk.
B. Make an additional recommendation on how to remediate the finding.
C. Perform testing or other audit procedures to confirm the status of the original risk.
D. Recommend external verification of management’s preferred actions.
Which of the following should be restricted from a network administrator’s privileges in an adequately segregated IT environment?
A. Hardening network ports
B. Monitoring network traffic
C. Changing existing configurations for applications
D. Ensuring transmission protocols are functioning correctly
When an IS auditor evaluates key performance indicators (KPIs) for IT initiatives, it is MOST important that the KPIs indicate:
A. IT deliverables are process driven.
B. IT objectives are measured.
C. IT resources are fully utilized.
D. IT solutions are within budget.
Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?
A. Data security requirements are not considered.
B. Additional training is required for end users.
C. The system is not supported by the IT department.
D. Corporate procurement standards are not followed.
Which of the following establishes the role of the internal audit function?
A. Audit project plan
B. Audit objectives
C. Audit charter
D. Audit governance
For the implementation of a program change in a production environment, the MOST important approval required is from:
A. the security administrator
B. the project manager
C. user management
D. IS management
A network review is being undertaken to evaluate security risks. Which of the following would be of MOST concern if identified during the review?
A. Router access to the Internet from the internal network
B. Direct network access from PCs to the Internet
C. Firewall access to the internal network from the Internet
D. Remote access to the internal network from internal PCs
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
A. Globally accepted privacy best practices
B. Historical privacy breaches and related root causes
C. Benchmark studies of similar organizations
D. Local privacy standards and regulations
During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?
A. Post-implementation review objectives
B. Business case
C. Rollback strategy
D. Test cases
An organization has decided to outsource a critical application due to a lack of specialized resources. Which risk response has been adopted?
A. Mitigation
B. Avoidance
C. Sharing
D. Acceptance
Which of the following BEST enables a benefits realization process for a system development project?
A. Metrics are evaluated immediately after the project has been implemented.
B. Metrics for the project have been selected before the project begins.
C. Project budget includes costs to execute the project and costs associated with the solution.
D. Estimates of business benefits are backed by similar previously completed projects.
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?
A. Data center environmental controls not aligning with new configuration
B. System documentation not being updated to reflect changes in the environment
C. Vulnerability in the virtualization platform affecting multiple hosts
D. Inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications
Which of the following would be of GREATEST concern to an IS auditor reviewing an organization's security incident handling procedures?
A. Annual tabletop exercises are performed instead of functional incident response exercises.
B. Roles for computer emergency response team (CERT) members have not been formally documented.
C. Guidelines for prioritizing incidents have not been identified.
D. Workstation antivirus software alerts are not regularly reviewed.
Which of the following is the MOST effective way for an organization to protect against data loss?
A. Conduct periodic security awareness training.
B. Limit employee Internet access.
C. Review firewall logs for anomalies.
D. Implement data classification procedures.
In a small IT web development company where developers must have write access to production, the BEST recommendation of an IS auditor would be to:
A. perform a user access review for the development team.
B. hire another person to perform migration to production.
C. implement continuous monitoring controls.
D. remove production access from the developers.
Which of the following statements appearing in an organization's acceptable use policy BEST demonstrates alignment with data classification standards related to the protection of information assets?
A. Information assets should only be accessed by persons with a justified need.
B. All information assets must be encrypted when stored on the organization’s systems.
C. Any information assets transmitted over a public network must be approved by executive management.
D. All information assets will be assigned a clearly defined level to facilitate proper employee handling.
A data center’s physical access log system captures each visitor’s identification document numbers along with the visitor’s photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
A. Attribute sampling
B. Quota sampling
C. Variable sampling
D. Haphazard sampling
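Attribute sampling fits this test because each log entry either carries the required attributes (an ID document number and a photo) or it does not, so the result is a deviation rate compared against a tolerable rate, not an estimate of a quantity. The block below is an added example, not part of the original question: it draws a random sample from a constructed visitor log, tests the attribute, and contrasts the outcome with a variable-sampling estimate of a numeric field. The record fields, the population, the seed and the tolerable rate are all assumptions for illustration.

```python
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VisitorRecord:
    visitor: str
    id_number: Optional[str]   # ID document number captured at the desk
    photo_ref: Optional[str]   # reference to the stored visitor photo
    duration_min: int          # time on site; used only by the variable-sampling contrast


def is_compliant(rec: VisitorRecord) -> bool:
    """The attribute under test: both identification fields are present."""
    return bool(rec.id_number) and bool(rec.photo_ref)


def build_population(n: int = 200) -> list[VisitorRecord]:
    """Constructed log of n entries; every 25th entry lacks a photo (a deviation)."""
    return [
        VisitorRecord(
            visitor=f"visitor-{i:03d}",
            id_number=f"ID{100000 + i}",
            photo_ref=None if i % 25 == 0 else f"img-{i:03d}.jpg",
            duration_min=30 + (i % 5) * 10,
        )
        for i in range(n)
    ]


def draw_sample(population: list[VisitorRecord], size: int, seed: int = 7) -> list[VisitorRecord]:
    """Random selection without replacement; a fixed seed lets a reviewer reperform the draw."""
    return random.Random(seed).sample(population, size)


def attribute_test(sample: list[VisitorRecord], tolerable_rate: float) -> dict:
    """Attribute sampling: count yes/no deviations and compare the rate to what is tolerable."""
    deviations = sum(1 for r in sample if not is_compliant(r))
    rate = deviations / len(sample)
    return {
        "sample_size": len(sample),
        "deviations": deviations,
        "deviation_rate": rate,
        # Simplified decision rule; a real engagement also adds an allowance for sampling risk.
        "control_reliable": rate <= tolerable_rate,
    }


def variable_estimate(sample: list[VisitorRecord], population_size: int) -> float:
    """Variable sampling answers a different question (how much, not how often):
    it projects a sample mean onto the population to estimate a total."""
    mean = sum(r.duration_min for r in sample) / len(sample)
    return mean * population_size


if __name__ == "__main__":
    pop = build_population()
    sample = draw_sample(pop, 40)
    print(attribute_test(sample, tolerable_rate=0.05))
    print("estimated total visitor-minutes:", variable_estimate(sample, len(pop)))
```

Quota sampling (filling fixed category counts) and haphazard sampling (selection without a random method) do not support a statistical conclusion about the population, which is why they are the wrong choices for a compliance test of this control.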
An e-commerce company wants to ensure customers can update payment information securely through their phones. On which servers should Transport Layer Security (TLS) certificates be installed?
A. Proxy servers
B. Web servers
C. Database servers
D. Application servers
What is the MOST difficult aspect of access control in a multiplatform, multiple-site client/server environment?
A. Restricting a local user to necessary resources on a local platform
B. Creating new user IDs valid only on a few hosts
C. Maintaining consistency throughout all platforms
D. Restricting a local user to necessary resources on the host server
Which of the following is the BEST control to mitigate the malware risk associated with an instant messaging (IM) system?
A. Blocking external IM traffic
B. Blocking attachments in IM
C. Allowing only corporate IM solutions
D. Encrypting IM traffic
Which of the following software versions would an IS auditor MOST likely find in the production environment during a post-deployment review?
A. The version used in the test environment
B. The version used in the staging environment
C. The version used in the development environment
D. The version used in the integration environment
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
A. Determine exposure to the business.
B. Increase monitoring for security incidents.
C. Hire a third party to perform security testing.
D. Adjust future testing activities accordingly.
Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA) to automate routine business tasks?
A. A benchmarking exercise of industry peers who use RPA has been completed.
B. The end-to-end process is understood and documented.
C. A request for proposal (RFP) has been issued to qualified vendors.
D. Roles and responsibilities are defined for the business processes in scope.
Which of the following is the GREATEST benefit of adopting an international IT governance framework rather than establishing a new framework based on the actual situation of a specific organization?
A. Comprehensive coverage of fundamental and critical risk and control areas for IT governance
B. Fewer resources expended on trial-and-error attempts to fine-tune implementation methodologies
C. Readily available resources such as domains and risk and control methodologies
D. Wide acceptance by different business and support units with IT governance objectives
Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture (EA) principles and requirements?
A. Consider stakeholder concerns when defining the EA.
B. Conduct EA reviews as part of the change advisory board.
C. Perform mandatory post-implementation reviews of IT implementations.
D. Document the security view as part of the EA.
An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
A. recommend that the system require two persons to be involved in modifying the database.
B. determine whether the log of changes to the tables is backed up.
C. determine whether the audit trail is secured and reviewed.
D. recommend that the option to directly modify the database be removed immediately.
Free Access to the Full CISA Practice Test
If you're looking for more free CISA practice questions, the full CISA practice test is available on this site.
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your CISA certification journey!