CISA Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your CISA certification? Our CISA Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a CISA Dump Free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our CISA Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which of the following controls associated with software development would be classified as a preventive control to address scope creep?
A. Iteration retrospective
B. System demo
C. Iteration review
D. Backlog grooming
An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses Agile project management methodology. What is the MOST important criterion for the makeup of this committee?
A. Agile project management experience
B. Senior management representation
C. Ability to meet the time commitment required
D. ERP implementation experience
An emergency power-off switch should:
A. not be in the computer room.
B. not be identified.
C. be protected.
D. be illuminated.
Which of the following is the MOST appropriate control to ensure integrity of online orders?
A. Public key encryption
B. Digital signature
C. Data Encryption Standard (DES)
D. Multi-factor authentication
An IS auditor is determining the scope for an upcoming audit. Which of the following BEST enables the auditor to ensure appropriate controls are considered?
A. Conducting interviews with IT staff
B. Reading recent industry journal articles
C. Using an IT-related framework
D. Reviewing previous audit reports
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's release management processes?
A. Release management policies have not been updated in the past two years.
B. Identify assets to be protected.
C. Evaluate controls in place.
D. Identify potential threats.
An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?
A. Recent third-party IS audit reports
B. Current and previous internal IS audit reports
C. IT performance benchmarking reports with competitors
D. Self-assessment reports of IT capability and maturity
Which of the following should be an IS auditor's PRIMARY consideration when evaluating the development and design of a privacy program?
A. Policies and procedures consistent with privacy guidelines
B. Industry practice and regulatory compliance guidance
C. Information security and incident management practices
D. Privacy training and awareness program for employees
Which of the following is the BEST way to mitigate risk to an organization's network associated with devices permitted under a bring your own device (BYOD) policy?
A. Implement a network access control system.
B. Require personal devices to be reviewed by IT staff.
C. Enable port security on all network switches.
D. Ensure the policy requires antivirus software on devices.
An IS auditor has been asked to investigate critical business applications that have been producing suspicious results. Which of the following should be done FIRST?
A. Evaluate control design
B. Evaluate incident management
C. Review configuration management
D. Review user access rights
Which of the following BEST enables an organization to quantify acceptable data loss in the event of a disaster?
A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Availability of backup software
D. Mean time to recover (MTTR)
After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:
A. review the results of compliance testing.
B. perform a gap analysis against the benefits defined in the business case.
C. quantify improvements in client satisfaction.
D. confirm that risk has declined since the application system release.
An IS auditor is conducting an IT governance audit and notices many initiatives are managed informally by isolated project managers. Which of the following recommendations would have the GREATEST impact on improving the maturity of the IT team?
A. Document and track all IT decisions in a project management tool.
B. Create an interdisciplinary IT steering committee to oversee IT prioritization and spending.
C. Schedule a follow-up audit in the next year to confirm whether IT processes have matured.
D. Discontinue all current IT projects until formal approval is obtained and documented.
Which of the following is MOST likely to ensure that an organization's systems development meets its business objectives?
A. Business owner involvement
B. A project plan with clearly identified requirements
C. A focus on strategic projects
D. Segregation of systems development and testing
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
A. Completeness testing has not been performed on the log data.
B. Log feeds are uploaded via batch process.
C. The log data is not normalized.
D. Data encryption standards have not been considered.
An organization requires any travel and entertainment expenses over $10,000 to be approved by senior management. Which of the following is the MOST effective way to mitigate the risk that employees will split invoices to avoid the approval process?
A. Develop computer-assisted audit techniques (CAATs) to check the full year’s transactions.
B. Adopt a zero-tolerance policy that requires termination of employees who submitted fraudulent claims.
C. Establish a whistle-blowing policy that allows employees to report suspicious activity anonymously.
D. Review alerts generated from continuous auditing scripts for suspicious claims submitted.
An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?
A. Perform periodic tape backups.
B. Utilize solid state memory.
C. Stream backups to the cloud.
D. Implement a data retention policy.
An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
A. Access control requirements
B. Hardware configurations
C. Help desk availability
D. Perimeter network security diagram
Which of the following is a deterrent security control that reduces the likelihood of an insider threat event?
A. Removing malicious code
B. Distributing disciplinary policies
C. Creating contingency plans
D. Executing data recovery procedures
Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile-developed software?
A. Deploy changes in a controlled environment and observe for security defects.
B. Mandate that the change analyses are documented in a standard format.
C. Assign the security risk analysis to a specially trained member of the project management office.
D. Include a mandatory step to analyze the security impact when making changes.
An IS auditor assessing the controls within a newly implemented call center would FIRST:
A. gather information from the customers regarding response times and quality of service.
B. test the technical infrastructure at the call center.
C. review the manual and automated controls in the call center.
D. evaluate the operational risk associated with the call center.
A small financial institution is preparing to implement a check image processing system to support planned mobile banking product offerings. Which of the following is MOST critical to the successful implementation of the system?
A. Feasibility studies
B. Control design
C. Integration testing
D. End user training
When evaluating evidence as part of an IS audit, which of the following sources should be considered MOST reliable?
A. Evidence demonstrated in front of the auditor
B. Evidence provided directly from the auditee
C. Evidence curated by senior management
D. Evidence provided by a third party
Which of the following indicates that an internal audit organization is structured to support the independence and clarity of the reporting process?
A. The internal audit manager has a reporting line to the audit committee.
B. The internal audit manager reports functionally to a senior management official.
C. Auditors are responsible for assessing and operating a system of internal controls.
D. Auditors are responsible for performing operational duties or activities.
Following a security incident, which of the following BEST enables the integrity of the data captured during a forensic investigation?
A. An expert presenting the results of forensic analysis
B. Comparison of the hash of data files in storage
C. Comparison of the data with printouts from the investigation
D. Maintenance of chain of custody
Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?
A. Performing a quarterly tabletop exercise
B. Reviewing documented backup and recovery procedures
C. Performing an unannounced shutdown of the computing facility after hours
D. Testing at a secondary site using offsite data backups
An organization is experiencing a large number of phishing attacks targeting employees and executives following a press release announcing an acquisition. Which of the following would provide the BEST defense against these attacks?
A. Conduct organization-wide awareness training.
B. Deploy intrusion detection and prevention systems.
C. Install spam filters on the acquired systems.
D. Require signed acknowledgment of the organization’s security policy.
Which of the following establishes the role of the internal audit function?
A. Audit project plan
B. Audit objectives
C. Audit charter
D. Audit governance
Which of the following is a challenge in developing a service level agreement (SLA) for network services?
A. Finding performance metrics that can be measured properly
B. Reducing the number of entry points into the network
C. Ensuring that network components are not modified by the client
D. Establishing a well-designed framework for network services
Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?
A. Data classification
B. Vendor cloud certification
C. Data storage costs
D. Service level agreements (SLAs)
Which of the following demonstrates the use of data analytics for a loan origination process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing system.
B. Validating whether reconciliations between the two systems are performed and discrepancies are investigated.
C. Comparing a population of loans input in the origination system to loans booked on the servicing system.
D. Reviewing error handling controls to notify appropriate personnel in the event of a transmission failure.
Following the sale of a business division, employees will be transferred to a new organization, but they will retain access to IT equipment from the previous employer. An IS auditor has recommended that both organizations agree to and document an acceptable use policy for the equipment. What type of control has been recommended?
A. Corrective control
B. Preventive control
C. Detective control
D. Directive control
Which of the following application input controls would MOST likely detect data input errors in the customer account number field during the processing of an accounts receivable transaction?
A. Limit check
B. Reasonableness check
C. Validity check
D. Parity check
An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The algorithm in the program is BEST characterized as which type of control?
A. Detective
B. Directive
C. Preventive
D. Corrective
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?
A. Analyze whether predetermined test objectives were met.
B. Perform testing at the backup data center.
C. Test offsite backup files.
D. Evaluate participation by key personnel.
When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?
A. Project plan
B. Requirements analysis
C. Implementation plan
D. Project budget provisions
Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?
A. Ad hoc monitoring of firewall activity
B. Use of stateful firewalls with default configuration
C. Potential back doors to the firewall software
D. Misconfiguration of the firewall rules
Which of the following would be MOST useful when analyzing computer performance?
A. Tuning of system software to optimize resource usage
B. Operations report of user dissatisfaction with response time
C. Statistical metrics measuring capacity utilization
D. Report of off-peak utilization and response time
Which of the following should be an IS auditor's PRIMARY consideration when determining which issues to include in an audit report?
A. Inherent risk
B. Materiality
C. Professional skepticism
D. Management’s agreement
Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?
A. Including project team members who can provide security expertise
B. Reverting to traditional waterfall software development life cycle (SDLC) techniques
C. Documenting security control requirements and obtaining internal audit sign off
D. Requiring the project to go through accreditation before release into production
Which of the following BEST protects evidence in a forensic investigation?
A. Protecting the hardware of the affected system
B. Powering down the affected system
C. Imaging the affected system
D. Rebooting the affected system
Which of the following findings from an IT governance review should be of GREATEST concern?
A. IT value analysis has not been completed.
B. All IT services are provided by third parties.
C. IT supports two different operating systems.
D. The IT budget is not monitored.
Which of the following is an objective of IT project portfolio management?
A. Selection of sound, strategically aligned investment opportunities
B. Successful implementation of projects
C. Validation of business case benefits
D. Establishment of tracking mechanisms
Cross-site scripting (XSS) attacks are BEST prevented through:
A. secure coding practices.
B. use of common industry frameworks.
C. a three-tier web architecture.
D. application firewall policy settings.
Audit frameworks can assist the IS audit function by:
A. outlining the specific steps needed to complete audits.
B. defining the authority and responsibility of the IS audit function.
C. providing details on how to execute the audit program.
D. providing direction and information regarding the performance of audits.
An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?
A. Information security officer
B. Data architect
C. Database administrator (DBA)
D. Information owner
An organization that has suffered a cyberattack is performing a forensic analysis of the affected users' computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
A. The chain of custody has not been documented.
B. An imaging process was used to obtain a copy of the data from each computer.
C. Audit was only involved during extraction of the information.
D. The legal department has not been engaged.
Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
A. Compliance with industry standards and best practice
B. Compliance with action plans resulting from recent audits
C. Compliance with local laws and regulations
D. Compliance with the organization’s policies and procedures
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
A. provide solutions for control weaknesses.
B. focus the team on internal controls.
C. report on the internal control weaknesses.
D. conduct interviews to gain background information.
Which of the following is the FIRST step in initiating a data classification program?
A. Inventory of data assets
B. Assignment of data ownership
C. Assignment of sensitivity levels
D. Risk appetite assessment
We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.
Begin your certification journey today with our CISA dump free questions — and get one step closer to exam success!