CISA Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CISA certification? Our CISA Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective CISA exam prep free is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic CISA Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
An organization's audit charter PRIMARILY:
A. describes the auditor’s authority to conduct audits.
B. formally records the annual and quarterly audit plans.
C. documents the audit process and reporting standards.
D. defines the auditors’ code of conduct.
An employee transfers from an organization's risk management department to become the lead IS auditor. While in the risk management department, the employee helped develop the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?
A. Evaluating the effectiveness of IT risk management processes
B. Recommending controls to address the IT risks identified by KPIs
C. Developing KPIs to measure the internal audit team
D. Training the IT audit team on IT risk management processes
An organization has recently become aware of a pervasive chip-level security vulnerability that affects all of its processors. Which of the following is the BEST way to prevent this vulnerability from being exploited?
A. Install vendor patches.
B. Review security log incidents.
C. Implement security awareness training.
D. Review hardware vendor contracts.
A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?
A. Ensure that code has been reviewed.
B. Perform user acceptance testing (UAT).
C. Document last-minute enhancements.
D. Perform a pre-implementation audit.
Which of the following should be an IS auditor’s GREATEST concern when reviewing an organization’s capacity management planning?
A. Many of the resource requirements are based on estimates
B. The organization is increasingly dependent on the use of cloud providers
C. Some planning areas are not well developed
D. Current resource utilization is not monitored
An organization requires any travel and entertainment expenses over $10,000 to be approved by senior management. Which of the following is the MOST effective way to mitigate the risk that employees will split invoices to avoid the approval process?
A. Develop computer-assisted audit techniques (CAATs) to check the full year’s transactions.
B. Adopt a zero-tolerance policy that requires termination of employees who submitted fraudulent claims.
C. Establish a whistle-blowing policy that allows employees to report suspicious activity anonymously.
D. Review alerts generated from continuous auditing scripts for suspicious claims submitted.
Which of the following is the BEST indicator that an application system's agreed-upon level of service has been met?
A. Transaction response time
B. Bandwidth usage logs
C. CPU utilization reports
D. Security incident reports
Which of the following is the MOST effective way to assess the controls over the hardware maintenance process?
A. Review the hardware maintenance logs to confirm all recorded dates are within one year.
B. Compare the hardware maintenance log with the recommended maintenance schedule.
C. Validate that management tracks the mean time between failures (MTBFs).
D. Identify the required maintenance procedures and ensure the maintenance policy is in alignment.
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
A. Validating enterprise risk management (ERM)
B. Establishing a risk management framework
C. Operating the risk management framework
D. Establishing a risk appetite
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
A. Reviewing the system log
B. Reviewing the actual procedures
C. Reviewing the parameter settings
D. Interviewing the firewall administrator
Which of the following should be the FIRST step in the incident response process for a suspected breach?
A. Engage a third party to independently evaluate the alerted breach.
B. Notify business management of the security breach.
C. Inform potentially affected customers of the security breach.
D. Research the validity of the alerted breach.
Which of the following is the BEST indicator of the effectiveness of an organization's portfolio management program?
A. Percentage of investments achieving their forecasted value
B. Maturity levels of the value management processes
C. Experience of the portfolio management personnel
D. Stakeholder’s perception of IT’s value
Which of the following would MOST likely impair the independence of the IS auditor when performing a post-implementation review of an application system?
A. The IS auditor implemented a specific control during the development of the application system.
B. The IS auditor designed an embedded audit module exclusively for auditing the application system.
C. The IS auditor participated as a member of the application system project team, but did not have operational responsibilities.
D. The IS auditor provided consulting advice concerning application system best practices.
Which of the following indicators would BEST demonstrate the efficiency of a help desk operation?
A. The percentage of system uptime supported
B. The percentage of tickets resolved over a period of time
C. Number of calls received per day
D. The number of users supported
Which of the following provides the MOST comprehensive description of IT's role in an organization?
A. IT job descriptions
B. IT project portfolio
C. IT organizational chart
D. IT charter
Which of the following would MOST effectively help to reduce the number of repeated incidents in an organization?
A. Linking incidents to problem management activities
B. Training incident management teams on current incident trends
C. Prioritizing incidents after impact assessment
D. Testing incident response plans with a wide range of scenarios
Which of the following is BEST used for detailed testing of a business application's data and configuration files?
A. Utility software
B. Audit hooks
C. Audit analytics tool
D. Version control software
Which of the following is the PRIMARY objective of baselining the IT control environment?
A. Define process and control ownership.
B. Ensure IT security strategy and policies are effective.
C. Align IT strategy with business strategy.
D. Detect control deviations.
While planning a review of IT governance, the IS auditor is MOST likely to:
A. obtain information about the framework of control adopted by management.
B. examine audit committee minutes for IS-related matters and their control.
C. assess whether business process owner responsibilities are consistent across the organization.
D. review compliance with policies and procedures issued by the board of directors.
Which of the following is the BEST way to determine if IT is delivering value to the business?
A. Analyze downtime frequency and duration.
B. Interview key IT managers and service providers.
C. Perform control self-assessments (CSAs).
D. Review IT service level agreement (SLA) results.
What is the MAIN purpose of an organization's internal IS audit function?
A. Provide assurance to management about the effectiveness of the organization’s risk management and internal controls.
B. Identify and initiate necessary changes in the control environment to help ensure sustainable improvement.
C. Review the organization’s policies and procedures against industry best practice and standards.
D. Independently attest the organization’s compliance with applicable legal and regulatory requirements.
During a project assessment, an IS auditor finds that business owners have been removed from the project initiation phase. Which of the following should be the auditor’s GREATEST concern with this situation?
A. Incomplete requirements
B. Inadequate deliverables
C. Unclear benefits
D. Unrealistic milestones
What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?
A. Determine service level requirements.
B. Perform a business impact analysis (BIA).
C. Complete a risk assessment.
D. Conduct a vendor audit.
Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?
A. Producing a header page with classification level for printed documents
B. Encrypting the data stream between the user’s computer and the printer
C. Using passwords to allow authorized users to send documents to the printer
D. Requiring a key code to be entered on the printer to produce hard copy
To confirm integrity for a hashed message, the receiver should use:
A. the same hashing algorithm as the sender’s to create a binary image of the file.
B. a different hashing algorithm from the sender’s to create a numerical representation of the file.
C. a different hashing algorithm from the sender’s to create a binary image of the file.
D. the same hashing algorithm as the sender’s to create a numerical representation of the file.
Which of the following is the BEST way to ensure an organization's data classification policies are preserved during the process of data transformation?
A. Conduct a data discovery exercise across all business applications.
B. Control access to extract, transform, and load (ETL) tools.
C. Implement classification labels in metadata during data creation.
D. Map data classification controls to data sets.
An organization's security team created a simulated production environment with multiple vulnerable applications. What would be the PRIMARY purpose of creating such an environment?
A. To collect digital evidence of cyberattacks
B. To provide training to security managers
C. To attract attackers in order to study their behavior
D. To test the intrusion detection system (IDS)
An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?
A. Preserving the same data structure
B. Preserving the same data interfaces
C. Preserving the same data inputs
D. Preserving the same data classifications
For an organization that has plans to implement web-based trading, it would be MOST important for an IS auditor to verify the organization's information security plan includes:
A. security training prior to implementation.
B. the firewall configuration for the web server.
C. security requirements for the new application.
D. attributes for system passwords.
In an organization's feasibility study to acquire hardware to support a new web server, omission of which of the following would be of MOST concern?
A. Reputation of potential vendors
B. Alternatives for financing the acquisition
C. Financial stability of potential vendors
D. Cost-benefit analysis of available products
Which of the following observations noted by an IS auditor reviewing internal IT standards is MOST important to address?
A. The standards have no reference to an industry-recognized framework.
B. The standards are not detailed in policies and procedures.
C. The standards are not readily available to organization-wide users.
D. The standards have not been revised within the last year.
Which of the following is the BEST way for an IS auditor to determine the completeness of data migration?
A. Review migration logs to identify possible failures.
B. Review the implemented data cleanup process.
C. Reconcile migrated records with records in the source system.
D. Examine formal departmental review of the data migration.
Prior to the migration of acquired software into production, it is MOST important that the IS auditor review the:
A. user acceptance test (UAT) report.
B. vendor testing report.
C. system documentation.
D. source code escrow agreement.
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?
A. Employees do not receive immediate notification of results.
B. Only new employees are required to attend the program.
C. The timing for program updates has not been determined.
D. Metrics have not been established to assess training results.
A secure server room has a badge reader system that records name, date, and time information whenever a staff member uses a badge to enter or exit. When reviewing the system logs, an IS auditor notices records for some employees entering, but not exiting, the room. Which of the following would be the MOST effective compensating control to recommend?
A. Installing security cameras at the doors
B. Implementing a monitored mantrap at entrance and exit points
C. Changing to a biometric access control system
D. Requiring two-factor authentication at entrance and exit points
When evaluating information security governance within an organization, which of the following findings should be of MOST concern to an IS auditor?
A. An information security governance audit was not conducted within the past year.
B. Information security policies are updated annually.
C. The data center manager has final sign-off on security projects.
D. The information security department has difficulty filling vacancies.
When implementing a new IT maturity model, which of the following should occur FIRST?
A. Determine the model elements to be evaluated.
B. Benchmark with industry peers.
C. Define the target IT maturity level.
D. Develop performance metrics.
Which of the following is a threat to IS auditor independence?
A. Internal auditors recommend appropriate controls for systems in development.
B. Internal auditors attend IT steering committee meetings.
C. Internal auditors design remediation plans to address control gaps identified by internal audit.
D. Internal auditors share the audit plan and control test plans with management prior to audit commencement.
Which of the following yields the HIGHEST level of system availability?
A. Backups
B. Real-time replication
C. Cloud storage
D. Hot swaps
An external IS auditor has been engaged to determine the organization's cybersecurity posture. Which of the following is MOST useful for this purpose?
A. Capability maturity assessment
B. Compliance reports
C. Control self-assessment (CSA)
D. Industry benchmark report
Which of the following is MOST important to review when planning for an IS audit of an organization's cross-border data transfers?
A. Previous external audit reports
B. Applicable regulatory requirements
C. Offshore supplier risk assessments
D. Long-term IS strategy
An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy. What is the BEST way for the auditor to address this issue?
A. Inform the IT director of the policy noncompliance.
B. Verify management has approved a policy exception to accept the risk.
C. Recommend the application be patched to meet requirements.
D. Take no action since the application will be decommissioned in three months.
Which of the following is MOST important to the effectiveness of smoke detectors installed in a data processing facility?
A. Detectors are linked to wet pipe fire suppression systems.
B. Detectors are linked to dry pipe fire suppression systems.
C. Detectors have the correct industry certification.
D. Detectors trigger audible alarms when activated.
Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization's information security policy is adequate?
A. Risk assessment results
B. Penetration test results
C. Industry benchmarks
D. Information security program plans
Which of the following is the MOST effective control to ensure electronic records beyond their retention periods are deleted from IT systems?
A. Execute all data deletions at a predefined month during the year.
B. Build in system logic to trigger data deletion at predefined times.
C. Review the record retention register regularly to initiate data deletion.
D. Perform a sample check of current data against the retention schedule.
An IS auditor is reviewing an organization’s incident management processes and procedures. Which of the following observations should be the auditor’s GREATEST concern?
A. Ineffective incident classification
B. Ineffective post-incident review
C. Ineffective incident prioritization
D. Ineffective incident detection
Which of the following is the BEST indicator for measuring performance of the IT help desk function?
A. Percentage of problems raised from incidents
B. Number of reopened tickets
C. Number of incidents reported
D. Mean time to categorize tickets
Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?
A. Assurance that the new system meets functional requirements
B. Significant cost savings over other system implementation approaches
C. More time for users to complete training for the new system
D. Assurance that the new system meets performance requirements
Which of the following is the BEST preventative control to ensure that database integrity is maintained?
A. Mandatory annual user access reviews
B. Biometric authentication
C. Role-based access
D. Mandatory password changes
Access Full CISA Exam Prep Free
Want to go beyond these 50 questions? Click here to unlock a full set of CISA exam prep free questions covering every domain tested on the exam.
We continuously update our content to ensure you have the most current and effective prep materials.
Good luck with your CISA certification journey!