CISA Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CISA certification exam? Kickstart your success with our CISA Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with CISA practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CISA practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor’s GREATEST concern with this situation?
A. Incomplete requirements
B. Inadequate deliverables
C. Unclear benefits
D. Unrealistic milestones
Which of the following is MOST likely to increase non-sampling risk?
A. Improperly stratified populations
B. Decreased tolerance rate
C. Inappropriate materiality ratings
D. Poor knowledge of the audit process
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
A. Re-perform the calculation with audit software.
B. Review the source code related to the calculation.
C. Review sign-off documentation.
D. Inspect user acceptance test (UAT) results.
Which of the following business continuity activities prioritizes the recovery of critical functions?
A. Business impact analysis (BIA)
B. Risk assessment
C. Business continuity plan (BCP) testing
D. Disaster recovery plan (DRP) testing
Which of the following is the MOST important feature of access control software?
A. Identification
B. Authentication
C. Violation reporting
D. Nonrepudiation
Which component of a business case provides the BEST indication that due diligence was performed during the vendor selection process?
A. Management approval
B. Problem statement
C. Alternative solutions
D. Cost-benefit analysis
Which of the following BEST enables an IS auditor to prioritize financial reporting spreadsheets for an end-user computing (EUC) audit?
A. Understanding the purpose of each spreadsheet
B. Ascertaining which spreadsheets are most frequently used
C. Identifying the spreadsheets with built-in macros
D. Reviewing spreadsheets based on file size
Which of the following is the MAIN risk associated with adding a new system functionality during the development phase without following a project change management process?
A. The new functionality may not meet requirements.
B. The project may fail to meet the established deadline.
C. The project may go over budget.
D. The added functionality has not been documented.
Which of the following is the BEST way to mitigate the risk associated with malicious changes to binary code during the software development life cycle (SDLC)?
A. Parity check
B. Digital envelope
C. Cryptographic hash
D. Segregation of duties
An organization's audit charter PRIMARILY:
A. describes the auditor’s authority to conduct audits.
B. formally records the annual and quarterly audit plans.
C. documents the audit process and reporting standards.
D. defines the auditors’ code of conduct.
Which of the following is the MOST important consideration when investigating a security breach of an e-commerce application?
A. Skill set of the response team
B. Chain of custody
C. Notifications to law enforcement
D. Procedures to analyze evidence
Which of the following would BEST protect the confidentiality of sensitive data in transit between multiple offices?
A. Digital signatures
B. Public key infrastructure (PKI)
C. Hash algorithms
D. Kerberos
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization's data center?
A. The data center is in a high flood zone.
B. Employees working in the data center have not been trained in the use of fire extinguishers.
C. The data center has a wet-pipe sprinkler system.
D. Employees working in the data center are not trained on emergency evacuation procedures.
In a data center audit, an IS auditor finds that the humidity level is very low. The IS auditor would be MOST concerned because of an expected increase in:
A. risk of fire.
B. backup tape failures.
C. static electricity problems.
D. employee discomfort.
An IS auditor is asked to review an organization's technology relationships, interfaces, and data. Which of the following enterprise architecture (EA) areas is MOST appropriate for this review?
A. Application architecture
B. Infrastructure architecture
C. Reference architecture
D. Information security architecture
An IS auditor is asked to review a large organization's change management process. Which of the following practices presents the GREATEST risk?
A. Transaction data changes can be made by a senior developer.
B. Change management tickets do not contain specific documentation.
C. A system administrator performs code migration on planned downtime.
D. Emergency code changes are promoted without user acceptance testing (UAT).
Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?
A. Water sprinkler
B. Fire extinguishers
C. Carbon dioxide (CO₂)
D. Dry pipe
A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:
A. use a proxy server to filter out Internet sites that should not be accessed.
B. keep a manual log of Internet access.
C. include a statement in its security policy about Internet use.
D. monitor remote access activities.
Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?
A. Increased number of false negatives in security logs
B. Decreased effectiveness of root cause analysis
C. Decreased overall recovery time
D. Increased demand for storage space for logs
An IS auditor notes that not all security tests were completed for an online sales system recently promoted to production. Which of the following is the auditor's BEST course of action?
A. Determine exposure to the business.
B. Increase monitoring for security incidents.
C. Hire a third party to perform security testing.
D. Adjust future testing activities accordingly.
Which of the following provides the MOST protection against emerging threats?
A. Real-time updating of antivirus software
B. Signature-based intrusion detection system (IDS)
C. Demilitarized zone (DMZ)
D. Heuristic intrusion detection system (IDS)
Which of the following is the BEST source of information for assessing the effectiveness of IT process monitoring?
A. Performance data
B. Participative management techniques
C. Quality assurance (QA) reviews
D. Real-time audit software
In a public-key cryptosystem where the parties have no prior knowledge of each other, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else?
A. Send a certificate that can be verified by a certification authority with the public key.
B. Encrypt the message containing the sender’s public key, using the recipient’s public key.
C. Send the public key to the recipient prior to establishing the connection.
D. Encrypt the message containing the sender’s public key, using a private-key cryptosystem.
Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?
A. Implementation methodology
B. Test results
C. Purchasing guidelines and policies
D. Results of live processing
An organization has established hiring policies and procedures designed specifically to ensure network administrators are well qualified. Which type of control is in place?
A. Directive
B. Detective
C. Compensating
D. Corrective
Which of the following features of a library control software package would protect against unauthorized updating of source code?
A. Access controls for source libraries
B. Date and time stamping of source and object code
C. Required approvals at each life cycle step
D. Release-to-release comparison of source code
Which of the following BEST enables an IS auditor to understand the shared control requirements between multiple cloud service providers and the customer organization?
A. Roles and responsibilities of the IT professionals working under a shared responsibility model
B. An industry-accepted cloud security framework for which all parties have obtained certification
C. Logs produced by a cloud access security broker (CASB) monitoring the multi-cloud solution
D. A risk and controls matrix that documents a clear set of actions for each party
What is the BEST way to reduce the risk of inaccurate or misleading data proliferating through business intelligence systems?
A. Develop a metadata repository to store and access metadata.
B. Implement data entry controls for new and existing applications.
C. Implement a consistent database indexing strategy.
D. Establish rules for converting data from one format to another.
A programmer has made unauthorized changes to key fields in a payroll system report. Which of the following control weaknesses would have contributed MOST to this problem?
A. The programmer has access to the production programs.
B. The user requirements were not documented.
C. Payroll files were not under the control of a librarian.
D. The programmer did not involve the user in testing.
A PRIMARY benefit derived by an organization employing control self-assessment (CSA) techniques is that CSA:
A. can identify high-risk areas for detailed review.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.
An organization that has suffered a cyberattack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
A. The chain of custody has not been documented.
B. An imaging process was used to obtain a copy of the data from each computer.
C. Audit was only involved during extraction of the information.
D. The legal department has not been engaged.
An employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend?
A. Automated logging of changes to development libraries should be instituted.
B. Procedures should be established to ensure that program changes are identified and approved.
C. Additional staff should be recruited to provide separation of duties.
D. Access control should prevent the operator from making program modifications.
Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?
A. Variance reporting
B. Exception reporting
C. Audit trail
D. Independent reviews
Which of the following is the BEST way to address potential data privacy concerns associated with inadvertent disclosure of machine identifier information contained within security logs?
A. Only collect logs from servers classified as business critical.
B. Limit the use of logs to only those purposes for which they were collected.
C. Limit log collection to only periods of increased security activity.
D. Restrict the transfer of log files from host machine to online storage.
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
A. Completeness testing has not been performed on the log data.
B. Log feeds are uploaded via batch process.
C. The log data is not normalized.
D. Data encryption standards have not been considered.
Which of the following BEST indicates that an organization's risk management practices contribute to the effectiveness of internal IS audits?
A. The audit team participates in risk scenario development workshops.
B. The audit department utilizes the corporate risk register.
C. The audit department uses the existing risk analysis templates.
D. The audit department follows the same reporting format used by the IT risk function.
An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?
A. IT is not engaged in business strategic planning.
B. The business strategy meeting minutes are not distributed.
C. There is inadequate documentation of IT strategic planning.
D. There is not a defined IT security policy.
When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?
A. Review the changes and determine whether the risks have been addressed.
B. Accept management’s assertion and report that the risks have been addressed.
C. Report that the changes make it impractical to determine whether the risks have been addressed.
D. Determine whether the changes have introduced new risks that need to be addressed.
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A. Risk reduction
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's IT process performance reports over the last quarter?
A. Metrics are not aligned with industry benchmarks.
B. Metrics were defined without stakeholder review.
C. Key performance indicators (KPIs) were met in only one month.
D. Performance reporting includes too many technical terms.
An IT steering committee assists the board of directors in fulfilling IT governance duties by:
A. overseeing major projects and IT resource allocation.
B. approving IT security awareness training content.
C. assigning IT services to infrastructure components.
D. developing IT policies and procedures for project tracking.
Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?
A. Periodic tabletop exercises involving key stakeholders
B. Periodic update of incident response process documentation
C. Periodic cybersecurity training for staff involved in incident response
D. Periodic reporting of cybersecurity incidents to key stakeholders
An IS auditor is reviewing a sample of production incidents and notes that a root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?
A. The same incident may occur in the future.
B. Future incidents may not be resolved in a timely manner.
C. Future incidents may be prioritized inappropriately.
D. Service level agreements (SLAs) may not be met.
When is the BEST time to commence continuity planning for a new application system?
A. Immediately after implementation
B. Following successful user testing
C. During the design phase
D. Just prior to the handover to the system maintenance group
Which of the following is the GREATEST advantage of maintaining an internal IS audit function within an organization?
A. Better understanding of the business and processes
B. Ability to negotiate recommendations with management
C. Increased IS audit staff visibility and availability throughout the year
D. Increased independence and impartiality of recommendations
An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern?
A. Audit logging is not enabled.
B. Single sign-on is not enabled.
C. Complex passwords are not required.
D. Security baseline is not consistently applied.
Which of the following provides the MOST useful information for performing a business impact analysis (BIA)?
A. Policies for business procurement
B. Inventory of relevant business processes
C. Results of business resumption planning efforts
D. Documentation of application configurations
A contract for outsourcing IS functions should always include:
A. a provision for an independent audit of the contractor’s operations.
B. data transfer protocols.
C. the names and roles of staff to be employed in the operation.
D. full details of security procedures to be observed by the contractor.
An organization shares some of its customers' personally identifiable information (PII) with third-party suppliers for business purposes. What is MOST important for the IS auditor to evaluate to ensure that risk associated with leakage of privacy-related data during transmission is effectively managed?
A. Encrypting and masking of customer data
B. The third party’s privacy and data security policies
C. Nondisclosure and indemnity agreements
D. Service and operational level agreements
Which of the following is MOST important to consider when defining disaster recovery strategies?
A. Mean time to restore (MTTR)
B. Maximum time between failures (MTBF)
C. Maximum tolerable downtime (MTD)
D. Mean time to acknowledge (MTTA)
Free Access Full CISA Practice Questions Free
Want more hands-on practice? Click here to access the full bank of CISA practice questions free and reinforce your understanding of all exam objectives.
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CISA certification journey!