CISA Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your CISA certification exam? Start your preparation the smart way with our CISA Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free mock test for the CISA exam is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our CISA Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
Where should photoelectric smoke detectors be installed to improve fire detection at an offsite data processing facility?
A. Entry points
B. Air vents
C. Server cages
D. Exit points
A checksum is classified as which type of control?
A. Preventive control
B. Detective control
C. Administrative control
D. Corrective control
Which of the following is MOST important for an IS auditor to confirm when assessing the security of a new cloud-based IT application that is linked with the organization’s existing technology?
A. The application programming interfaces (APIs) are adequately secured.
B. The on-premise database has adequate encryption at rest.
C. The cloud provider shares an external audit report.
D. The organization has a flat network structure.
As part of a recent business-critical initiative, an organization is re-purposing its customer data. However, its customers are unaware that their data is being used for another purpose. What is the BEST recommendation to address the associated data privacy risk to the organization?
A. Ensure the data processing activity remains onshore.
B. Maintain an audit trail of the data analysis activity.
C. Obtain customer consent for secondary use of the data.
D. Adjust the existing data retention requirements.
The members of an emergency incident response team should be:
A. assigned at the time of each incident.
B. appointed by the CISO.
C. restricted to IT personnel.
D. selected from multiple departments.
An IS auditor finds that communication closets requiring electronic swipe card access are missing access logs. Which of the following should be done NEXT?
A. Determine whether there are video cameras covering the entrances.
B. Determine whether management approved the access policy.
C. Determine whether anything is missing from the closets.
D. Determine whether any access swipe cards have been lost or stolen.
Which of the following is the PRIMARY reason to perform a risk assessment?
A. To determine the current risk profile
B. To ensure alignment with the business impact analysis (BIA)
C. To help allocate budget for risk mitigation controls
D. To achieve compliance with regulatory requirements
Which of the following is the BEST way to ensure that business continuity plans (BCPs) will work effectively in the event of a major disaster?
A. Regularly update business impact assessments.
B. Prepare detailed plans for each business function.
C. Make senior managers responsible for their plan sections.
D. Involve staff at all levels in periodic paper walk-through exercises.
An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?
A. Inform senior management of the change in approach.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Evaluate the appropriateness of the remedial action taken.
The BEST way to evaluate the effectiveness of a newly developed application is to:
A. perform a post-implementation review.
B. review acceptance testing results.
C. perform a secure code review.
D. analyze load testing results.
An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?
A. Developing a risk-based plan considering each entity’s business processes
B. Conducting an audit of newly introduced IT policies and procedures
C. Revising IS audit plans to focus on IT changes introduced after the split
D. Increasing the frequency of risk-based IS audits for each business entity
During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?
A. Post-implementation review phase
B. Design review phase
C. User acceptance testing (UAT) phase
D. Final implementation phase
Which of the following is the BEST evidence that a project is ready for production?
A. A parallel test over a full processing cycle has been successful.
B. A pilot implementation with reduced scope has been tested and approved.
C. A detailed conversion plan has been rehearsed in two desktop exercises.
D. Rollback procedures have been successfully tested.
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B. Providing independent and objective feedback to facilitate improvement of IT processes
C. Making decisions regarding risk response and monitoring of residual risk
D. Verifying that legal, regulatory, and contractual requirements are being met
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
A. Ensure that code has been reviewed.
B. Perform user acceptance testing (UAT).
C. Document last-minute enhancements.
D. Perform a pre-implementation audit.
A data center’s physical access log system captures each visitor’s identification document numbers along with the visitor’s photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
A. Attribute sampling
B. Quota sampling
C. Variable sampling
D. Haphazard sampling
A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
A. Installing security cameras at the doors
B. Implementing a monitored mantrap at entrance and exit points
C. Changing to a biometric access control system
D. Requiring two-factor authentication at entrance and exit points
Which of the following is the MOST important feature of access control software?
A. Identification
B. Authentication
C. Violation reporting
D. Nonrepudiation
Which of the following should be of GREATEST concern to an IS auditor assessing an organization's patch management program?
A. Patches for medium- and low-risk vulnerabilities are omitted.
B. Patches are deployed from multiple deployment servers.
C. There is no process in place to quarantine servers that have not been patched.
D. There is no process in place to scan the network to identify missing patches.
Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?
A. The job scheduler application has not been designed to display pop-up error messages.
B. Access to the job scheduler application has not been restricted to a maximum of two staff members.
C. Changes to the job scheduler application’s parameters are not approved and reviewed by an operations supervisor.
D. Operations shift turnover logs are not utilized to coordinate and control the processing environment.
Which of the following access rights presents the GREATEST risk when granted to a new member of the system development staff?
A. Write access to production program libraries
B. Execute access to development program libraries
C. Write access to development data libraries
D. Execute access to production program libraries
Which of the following is the BEST way to ensure payment transaction data is restricted to the appropriate users?
A. Implementing role-based access at the application level
B. Restricting access to transactions using network security software
C. Using a single menu for sensitive application transactions
D. Implementing two-factor authentication
Which of the following provides the BEST assurance of data integrity after file transfers?
A. Check digits
B. Monetary unit sampling
C. Reasonableness check
D. Hash values
In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:
A. project management methodologies used.
B. allocation of IT staff.
C. major IT initiatives.
D. links to operational tactical plans.
After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?
A. Updating the continuity plan for critical resources
B. Updating the security policy
C. Verifying that access privileges have been reviewed
D. Investigating access rights for expiration dates
An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor's BEST course of action is to:
A. document management’s reasons for not addressing deficiencies.
B. postpone the audit until the deficiencies are addressed.
C. provide new recommendations.
D. assess the impact of not addressing deficiencies.
Which of the following is the MOST important consideration when investigating a security breach of an e-commerce application?
A. Skill set of the response team
B. Chain of custody
C. Notifications to law enforcement
D. Procedures to analyze evidence
Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?
A. The exceptions are likely to continue indefinitely.
B. The exceptions may negatively impact process efficiency.
C. The exceptions may elevate the level of operational risk.
D. The exceptions may result in noncompliance.
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
A. Analyze whether predetermined test objectives were met.
B. Perform testing at the backup data center.
C. Test offsite backup files.
D. Evaluate participation by key personnel.
During a post-implementation review, which of the following provides the BEST evidence that user requirements have been met?
A. Operator error logs
B. End-user documentation
C. User acceptance testing (UAT)
D. Management interviews
Which of the following is the GREATEST advantage of utilizing guest operating systems in a virtual environment?
A. They can be logged into and monitored from any location.
B. They prevent access to the greater environment via Transmission Control Protocol/Internet Protocol (TCP/IP).
C. They can be wiped quickly in the event of a security breach.
D. They are easier to containerize with minimal impact to the rest of the environment.
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization that recently experienced a ransomware attack?
A. Antivirus software was unable to prevent the attack even though it was properly updated.
B. Backups were only performed within the local network.
C. The most recent security patches were not tested prior to implementation.
D. Employees were not trained on cybersecurity policies and procedures.
When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?
A. Reviewing a sample of system-generated backup logs
B. Interviewing key personnel involved in the backup process
C. Observing the execution of a daily backup run
D. Evaluating the backup policies and procedures
Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?
A. Industry standards and best practices
B. The amount of time since the previous audit
C. The results of the previous audit
D. The design of controls
Which of the following BEST ensures that effective change management is in place in an IS environment?
A. Adequate testing was carried out by the development team.
B. User-prepared detailed test criteria for acceptance testing of the software.
C. User authorization procedures for application access are well established.
D. Access to production source and object programs is well controlled.
Which of the following is the GREATEST concern associated with control self-assessments (CSAs)?
A. Employees may have insufficient awareness of controls.
B. The assessment may not provide sufficient assurance to stakeholders.
C. Controls may not be assessed objectively.
D. Communication between operational management and senior management may not be effective.
During an exit meeting, an IS auditor highlights that backup cycles are being missed due to operator error and that these exceptions are not being managed. Which of the following is the BEST way to help management understand the associated risk?
A. Explain the impact to resource requirements.
B. Explain the impact to disaster recovery.
C. Explain the impact to backup scheduling.
D. Explain the impact to incident management.
Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?
A. Reduced oversight by the IT department
B. Inability to monitor EUC audit logs and activities
C. Errors flowed through to financial statements
D. Inconsistency of patching processes being followed
When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?
A. Increase in the frequency of software upgrades
B. Significantly higher turnover
C. Aging staff
D. Lack of customer satisfaction surveys
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
Which of the following BEST enables an organization to control which software can be installed on a user’s computer?
A. Access list
B. Capabilities list
C. Baseline list
D. Blocked list
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
A. There are conflicting permit and deny rules for the IT group.
B. There is only one rule per group with access privileges.
C. Individual permissions are overriding group permissions.
D. The network security group can change network address translation (NAT).
Which of the following should be the PRIMARY objective of conducting an audit follow-up of management action plans?
A. To verify that risks listed in the audit report have been properly mitigated
B. To ensure senior management is aware of the audit findings
C. To identify new risks and controls for the organization
D. To align the management action plans with business requirements
Due to technical limitations, an organization is not able to implement encryption of credit card details in the customer database. Which of the following would provide the BEST assurance of data confidentiality?
A. Tokenization of credit card details
B. Encryption of credit card details in transit
C. Multi-factor authentication to access the database
D. Data masking of credit card details on screen
Which of the following provides an IS auditor assurance that the interface between a point-of-sale (POS) system and the general ledger is transferring sales data completely and accurately?
A. Electronic copies of customer sales receipts are maintained.
B. Monthly bank statements are reconciled without exception.
C. The data transferred over the POS interface is encrypted.
D. Nightly batch processing has been replaced with real-time processing.
During a database management evaluation, an IS auditor discovers that some accounts with database administrator (DBA) privileges have been assigned a default password with an unlimited number of failed login attempts. Which of the following is the auditor's BEST course of action?
A. Postpone the audit until adequate security and password management practices are established.
B. Document the finding and explain the risk of having administrator accounts with inappropriate security settings.
C. Identify accounts that have had excessive failed login attempts and request they be disabled.
D. Request the IT manager to change administrator security parameters and update the finding.
The IS quality assurance (QA) group is responsible for:
A. monitoring the execution of computer processing tasks.
B. designing procedures to protect data against accidental disclosure.
C. ensuring that program changes adhere to established standards.
D. ensuring that the output received from system processing is complete.
Which of the following is the BEST method to delete sensitive information from storage media that will be reused?
A. Re-partitioning
B. Crypto-shredding
C. Reformatting
D. Multiple overwriting
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
A. Determine if the organization has a secure connection to the provider.
B. Review the roles and responsibilities of the third-party provider.
C. Evaluate the organization’s third-party monitoring process.
D. Review the third party’s monitoring logs and incident handling.
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
A. neighboring organizations’ operations have been included.
B. the exercise was completed by local management.
C. all identified threats relate to external entities.
D. some of the identified threats are unlikely to occur.
Access Full CISA Mock Test Free
Want a full-length mock test experience? Click here to unlock the complete CISA Mock Test Free set and get access to hundreds of additional practice questions covering all key topics.
We regularly update our question sets to stay aligned with the latest exam objectives—so check back often for fresh content!
Start practicing with our CISA mock test free today—and take a major step toward exam success!