CISA Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CISA certification? Take your preparation to the next level with our CISA Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a CISA practice exam free is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic CISA practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
Which of the following presents the GREATEST challenge to the alignment of business and IT?
A. Lack of information security involvement in business strategy development
B. An IT steering committee chaired by the chief information officer (CIO)
C. Insufficient IT budget to execute new business projects
D. Lack of chief information officer (CIO) involvement in board meetings
An IS auditor is reviewing security controls related to collaboration tools for a business unit responsible for intellectual property and patents. Which of the following observations should be of MOST concern to the auditor?
A. Training was not provided to the department that handles intellectual property and patents.
B. Logging and monitoring for content filtering is not enabled.
C. The collaboration tool is hosted and can only be accessed via an Internet browser.
D. Employees can share files with users outside the company through collaboration tools.
As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following would be the BEST course of action for the IS auditor?
A. Suggest hiring a third-party consultant to perform a current state assessment.
B. Issue a final report without including the opinion of the auditee.
C. Conduct further discussions with the auditee to develop a mitigation plan.
D. Accept the auditee’s response and perform additional testing.
During an IT operations audit, multiple unencrypted backup tapes containing sensitive credit card information cannot be found. Which of the following presents the GREATEST risk to the organization?
A. Human resource cost of responding to the incident
B. Business disruption if a data restore cannot be completed
C. Reputational damage due to potential identity theft
D. The cost of recreating the missing backup tapes
Which of the following concerns is BEST addressed by securing production source libraries?
A. Changes are applied to the wrong version of production source libraries.
B. Programs are not approved before production source libraries are updated.
C. Unauthorized changes can be moved into production.
D. Production source and object libraries may not be synchronized.
An IS auditor is reviewing the backup procedures in an organization that has high volumes of data with frequent changes to transactions. Which of the following is the BEST backup scheme to recommend given the need for a shorter restoration time in the event of a disruption?
A. Mirror backup
B. Differential backup
C. Full backup
D. Incremental backup
An IS auditor is reviewing a client’s outsourced payroll system to assess whether the financial audit team can rely on the application. Which of the following findings would be the auditor's GREATEST concern?
A. Payroll processing costs have not been included in the IT budget.
B. User access rights have not been periodically reviewed by the client.
C. The third-party contract does not comply with the vendor management policy.
D. The third-party contract has not been reviewed by the legal department.
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
A. Ensuring appropriate statistical sampling methods were used
B. Ensuring evidence is labeled to show it was obtained from an approved source
C. Ensuring unauthorized individuals do not tamper with evidence after it has been captured
D. Ensuring evidence is sufficient to support audit conclusions
During a post-implementation review, an IS auditor learns that while benefits were realized according to the business case, complications during implementation added to the cost of the solution. Which of the following is the auditor's BEST course of action?
A. Design controls that will prevent future added costs.
B. Verify that lessons learned were documented for future projects.
C. Determine if project deliverables were provided on time.
D. Ensure costs related to the complications were subtracted from realized benefits.
When assessing a proposed project for the two-way replication of a customer database with a remote call center, the IS auditor should ensure that:
A. end users are trained in the replication process.
B. the source database is backed up on both sites.
C. user rights are identical on both databases.
D. database conflicts are managed during replication.
Which of the following should be an IS auditor's GREATEST concern when an international organization intends to roll out a global data privacy policy?
A. Requirements may become unreasonable.
B. Local management may not accept the policy.
C. Local regulations may contradict the policy.
D. The policy may conflict with existing application requirements.
Which of the following findings would be of GREATEST concern when auditing an organization's end-user computing (EUC)?
A. Reduced oversight by the IT department
B. Inability to monitor EUC audit logs and activities
C. Errors flowed through to financial statements
D. Inconsistency of patching processes being followed
An IS auditor is conducting a physical security audit of a healthcare facility and finds closed-circuit television (CCTV) systems located in a patient care area. Which of the following is the GREATEST concern?
A. There are no notices indicating recording is in progress.
B. Cameras are not monitored 24/7.
C. There are no backups of the videos.
D. The retention period for video recordings is undefined.
The implementation of an IT governance framework requires that the board of directors of an organization:
A. approve the IT strategy.
B. be informed of all IT initiatives.
C. have an IT strategy committee.
D. address technical IT issues.
When auditing the closing stages of a system development project, which of the following should be the MOST important consideration?
A. Rollback procedures
B. Control requirements
C. User acceptance test (UAT) results
D. Functional requirements documentation
Which of the following is the MOST appropriate role for an IS auditor assigned as a team member for a software development project?
A. Implementing controls within the software
B. Developing user acceptance testing (UAT) scripts
C. Performing a mid-term evaluation of the project management process
D. Monitoring assessed risk for the project
As part of a recent business-critical initiative, an organization is re-purposing its customer data. However, its customers are unaware that their data is being used for another purpose. What is the BEST recommendation to address the associated data privacy risk to the organization?
A. Ensure the data processing activity remains onshore.
B. Maintain an audit trail of the data analysis activity.
C. Obtain customer consent for secondary use of the data.
D. Adjust the existing data retention requirements.
An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify NEXT?
A. Whether adequate documentation and training is available for spreadsheet users
B. Whether the spreadsheets meet the minimum IT general controls requirements
C. Whether there is a complete inventory of end-user computing (EUC) spreadsheets
D. Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO)
What is BEST for an IS auditor to review when assessing the effectiveness of changes recently made to processes and tools related to an organization's business continuity plan (BCP)?
A. Change management processes
B. Updated inventory of systems
C. Full test results
D. Completed test plans
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?
A. The BCP has not been tested since it was first issued.
B. The BCP is not version-controlled.
C. The BCP’s contact information needs to be updated.
D. The BCP has not been approved by senior management.
Which of the following is the BEST performance indicator for the effectiveness of an incident management program?
A. Incident alert mean time
B. Number of incidents reported
C. Average time between incidents
D. Incident resolution mean time
A data center’s physical access log system captures each visitor’s identification document numbers along with the visitor’s photo. Which of the following sampling methods would be MOST useful to an IS auditor conducting compliance testing for the effectiveness of the system?
A. Attribute sampling
B. Quota sampling
C. Variable sampling
D. Haphazard sampling
Which of the following is an IS auditor’s BEST approach when low-risk anomalies have been identified?
A. Document the anomalies in audit work papers.
B. Deprioritize further testing of the anomalies and refocus on issues with higher risk.
C. Update the audit plan to include the information collected during the audit.
D. Ask auditees to promptly remediate the anomalies.
In the case of a disaster where the data center is no longer available, which of the following tasks should be done FIRST?
A. Arrange for a secondary site.
B. Analyze risk.
C. Perform data recovery.
D. Activate the call tree.
Which of the following is MOST important for the effective implementation of an intrusion detection system (IDS)?
A. Providing logs for monitoring and reporting
B. Configuring the security policy in line with best practice
C. Setting alarms for late night traffic
D. Auto-installing updates
A third-party consultant is managing the replacement of an accounting system. Which of the following should be the IS auditor's GREATEST concern?
A. The replacement is occurring near year-end reporting.
B. Data migration is not part of the contracted activities.
C. Testing was performed by the third-party consultant.
D. The user department will manage access rights.
Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?
A. Performing a full interruption test
B. Performing a parallel test
C. Performing a tabletop test
D. Performing a cyber-resilience test
Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?
A. Remediation dates included in management responses
B. Availability of IS audit resources
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit
Which of the following BEST indicates a need to review an organization's information security policy?
A. Increasing exceptions approved by management
B. Completion of annual IT risk assessment
C. High number of low-risk findings in the audit report
D. Increasing complexity of business transactions
A checksum is classified as which type of control?
A. Preventive control
B. Detective control
C. Administrative control
D. Corrective control
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
A. Obtain evidence of the vendor’s control self-assessment (CSA).
B. Periodically review the service level agreement (SLA) with the vendor.
C. Conduct periodic on-site assessments using agreed-upon criteria.
D. Conduct an unannounced vulnerability assessment of the vendor’s IT systems.
Which of the following is MOST important to consider when establishing the retention period for customer data within a specific database or application?
A. Enterprise classification level
B. System performance
C. Hardware capacity
D. Minimum regulatory requirements
Which of the following is the BEST way to reduce the attack surface for a server farm?
A. Implement effective vulnerability management procedures.
B. Uninstall unnecessary applications and services.
C. Evaluate server configuration periodically.
D. Ensure applications are periodically patched.
The GREATEST limitation of a network-based intrusion detection system (IDS) is that it:
A. provides only for active rather than passive IDS monitoring.
B. does not monitor for denial of service (DoS) attacks.
C. consumes excessive network resources for detection.
D. does not detect attacks originating on the server hosting the IDS.
A firewall between internal network segments improves security and reduces risk by:
A. inspecting all traffic flowing between network segments and applying security policies.
B. ensuring all connecting systems have appropriate security controls enabled.
C. monitoring and reporting on sessions between network participants.
D. logging all packets passing through network segments.
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?
A. Implementing the remediation plan
B. Developing the remediation plan
C. Developing the CSA questionnaire
D. Partially completing the CSA
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
A. development methodology employed.
B. controls incorporated into the system specifications.
C. future compatibility of the design.
D. proposed functionality of the application.
An IS auditor is preparing a plan for audits to be carried out over a specified period. Which of the following activities should the IS auditor perform FIRST?
A. Allocate audit resources.
B. Determine the audit universe.
C. Prioritize risks.
D. Review prior audit reports.
What is the FIRST step when creating a data classification program?
A. Develop a policy.
B. Develop data process maps.
C. Categorize and prioritize data.
D. Categorize information by owner.
Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?
A. Audit hooks
B. Integrated test facility (ITF)
C. Snapshots
D. Data analytics
Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?
A. Server crashes
B. Customer service complaints
C. Penetration testing
D. Automated monitoring of logs
An online retailer is receiving customer complaints that the items delivered differ from what was ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
A. Outsource data cleansing activities to reliable third parties.
B. Assign responsibility for improving data quality.
C. Implement business rules to validate employee data entry.
D. Invest in additional employee training for data entry.
Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?
A. Failure to comply with data-related regulations
B. Failure to prevent fraudulent transactions
C. Inability to manage access to private or sensitive data
D. Inability to obtain customer confidence
Which of the following is MOST important to ensure when reviewing a global organization's controls to protect data held on its IT infrastructure across all of its locations?
A. The capacity of underlying communications infrastructure in the host locations is sufficient.
B. The threat of natural disasters in each location hosting infrastructure has been accounted for.
C. Relevant data protection legislation and regulations for each location are adhered to.
D. Technical capabilities exist in each location to manage the data and recovery operations.
What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?
A. Implementation plan for restricting the collection of personal information
B. Analysis of systems that contain privacy components
C. Privacy legislation in other countries that may contain similar requirements
D. Operational plan for achieving compliance with the legislation
In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?
A. Execution phase
B. Planning phase
C. Selection phase
D. Follow-up phase
An external IS auditor has been engaged to determine the organization's cybersecurity posture. Which of the following is MOST useful for this purpose?
A. Capability maturity assessment
B. Compliance reports
C. Control self-assessment (CSA)
D. Industry benchmark report
Which of the following is the BEST indication of the completeness of interface control documents used for the development of a new application?
A. Failed interface data transfers prevent subsequent processes.
B. All documents have been reviewed by end users.
C. Both successful and failed interface data transfers are recorded.
D. All inputs and outputs for potential actions are included.
An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?
A. Data ownership assignments
B. Regulatory compliance requirements
C. Customer notification procedures
D. Encryption capabilities
Which of the following is MOST important for an organization to complete prior to developing its disaster recovery plan (DRP)?
A. Business impact analysis (BIA)
B. Comprehensive IT inventory
C. Support staff skills gap analysis
D. Risk assessment
Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!
Good luck with your CISA certification journey!