
IT Certification Guaranteed, The Easy Way!

Exam : CISA

Title : Certified Information Systems Auditor

Vendor : ISACA

NO.1 An IS auditor is assessing an organization's data loss prevention (DLP) solution for protecting
intellectual property from insider theft. Which of the following would the auditor consider MOST
important for effective data protection?
A. Creation of DLP policies and procedures
B. Encryption of data copied to flash drives
C. Employee training on information handling
D. Identification and classification of sensitive data
Answer: D

NO.2 While reviewing similar issues in an organization's help desk system, an IS auditor finds that
they were analyzed independently and resolved differently. This situation MOST likely indicates a
deficiency in:
A. problem management
B. IT service level management
C. change management
D. configuration management
Answer: D

NO.3 To BEST evaluate the effectiveness of a disaster recovery plan, the IS auditor should review
the:
A. test plan and results of past tests.
B. plans and procedures in the business continuity plan
C. capacity of backup facilities.
D. hardware and software inventory.
Answer: A

NO.4 In which phase of penetration testing would host detection and domain name system (DNS)
interrogation be performed?
A. Attacks
B. Planning
C. Discovery
D. Reporting
Answer: C

NO.5 Which of the following is the MOST effective approach in assessing the quality of modifications
made to financial software?
A. The quality plan will be assessed during the design phase of development
B. An independent auditor will be engaged to undertake a pre-implementation review
C. Independent quality assurance (QA) activities will be undertaken at various phases of the project
D. The quality of the implemented product will be assessed during acceptance testing
Answer: C

NO.6 To develop a robust data security program, the FIRST course of action should be to:
A. perform an inventory of assets.
B. implement data loss prevention controls.
C. interview IT senior management.
D. implement monitoring controls.
Answer: A

NO.7 Which of the following should be a concern to an IS auditor reviewing a digital forensic process
for a security incident?
A. The media with the original evidence was not write-blocked.
B. The forensic expert used open-source forensic tools.
C. The affected computer was not immediately shut down after the incident.
D. Analysis was performed using an image of the original media.
Answer: A

NO.8 What is the BEST way for an IS auditor to assess the adequacy of an expert consultant who was
selected to be involved in an audit engagement?
A. Review the independence and objectivity of the expert.
B. Verify that the engagement letter outlines the expert's responsibilities.
C. Obtain an understanding of the expert's relevant experience.
D. Review the industry reputation of the expert consultant's firm.
Answer: C

NO.9 Which of the following applications has the MOST inherent risk and should be prioritized
during audit planning?
A. An internally developed application
B. A decommissioned legacy application
C. An outsourced accounting application
D. An onsite application that is unsupported
Answer: D

NO.10 The PRIMARY benefit of information asset classification is that it:
A. facilitates budgeting accuracy.
B. enables risk management decisions.
C. prevents loss of assets.
D. helps to align organizational objectives.
Answer: B

NO.11 Which of the following should be reviewed FIRST when assessing the effectiveness of an
organization's network security procedures and controls?
A. Vulnerability remediation
B. Inventory of authorized devices
C. Malware defenses
D. Data recovery capability
Answer: B

NO.12 Which of the following is the BEST development methodology to help manage project
requirements in a rapidly changing environment?
A. Prototyping
B. Iterative development process
C. Object-oriented system development
D. Waterfall development process
Answer: B

NO.13 During a review of a production schedule, an IS auditor observes that a staff member is not
complying with mandatory operational procedures. The auditor's NEXT step should be to:
A. Issue an audit memorandum identifying the noncompliance
B. Include the noncompliance in the audit report
C. Determine why the procedures were not followed
D. Note the noncompliance in the audit working papers
Answer: D

NO.14 Which of the following would BEST help prioritize various projects in an organization's IT
portfolio?
A. Business cases
B. Industry trends
C. Enterprise architecture (EA)
D. Total cost of ownership (TCO)
Answer: A

NO.15 Which of the following is the BEST IS audit strategy?
A. Limit audits to new application system developments
B. Conduct general control audits annually and application audits in alternating years
C. Perform audits based on impact and probability of error and failure.
D. Cycle general control and application audits over a two-year period
Answer: C

NO.16 In the risk assessment process, which of the following should be identified FIRST?
A. Impact
B. Threats
C. Assets
D. Vulnerabilities
Answer: C

NO.17 To ensure the integrity of a recovered database, which of the following would be MOST
useful?
A. Database defragmentation tools
B. Application transaction logs
C. A copy of the data dictionary
D. Before-and-after transaction images
Answer: D

NO.18 An organization has implemented periodic reviews of logs showing privileged user activity on
production servers. Which type of control has been established?
A. Protective
B. Detective
C. Preventive
D. Corrective
Answer: B

NO.19 Which of the following should be included in emergency change control procedures?
A. Use an emergency ID to move production programs into development.
B. Request that the help desk make the changes.
C. Update production source libraries to reflect changes.
D. Obtain user management approval before implementing the changes.
Answer: D

NO.20 An IT organization's incident response plan is which type of control?
A. Detective
B. Directive
C. Preventive
D. Corrective
Answer: D

NO.21 An IS auditor is reviewing the business requirements for the deployment of a new website.
Which of the following cryptographic systems would provide the BEST evidence of secure
communications on the internet?
A. Secure Shell (SSH)
B. Wi-Fi Protected Access 2 (WPA2)
C. IP Security (IPSEC)
D. Transport Layer Security (TLS)
Answer: D

NO.22 Which of the following is MOST likely to be included in computer operating procedures in a
large data center?
A. Guidance on setting security parameters
B. Procedures for resequencing source code
C. Procedures for utility configuration
D. Instructions for job scheduling
Answer: D

NO.23 Which of the following is MOST important to consider when assessing the scope of privacy
concerns for an IT project?
A. Applicable laws and regulations
B. End user access rights
C. Data ownership
D. Business requirements and data flows
Answer: A

NO.24 Which of the following should be the MOST important consideration when prioritizing the
funding for competing IT projects?
A. Quality and accuracy of the IT project inventory
B. Senior management preferences
C. Criteria used to determine the benefits of projects
D. Skill and capabilities within the project management team
Answer: B

NO.25 Which of the following is an example of a corrective control?
A. Generating automated batch job failure notifications
B. Employing only qualified personnel to execute tasks
C. Restoring system information from data backups
D. Utilizing processes that enforce segregation of duties
Answer: C

NO.26 When developing a business continuity plan (BCP), which of the following should be
performed FIRST?
A. Classify operations.
B. Conduct a business impact analysis (BIA)
C. Develop business continuity training.
D. Establish a disaster recovery plan (DRP)
Answer: B

NO.27 Which of the following focus areas is a responsibility of IT management rather than IT
governance?
A. IT controls implementation
B. Risk optimization
C. IT resource optimization
D. Benefits realization
Answer: A

NO.28 Which of the following is the BEST way for an IS auditor to reduce sampling risk when
performing audit sampling to verify the adequacy of an organization's internal controls?
A. Lower the sample standard deviation
B. Decrease the sampling size
C. Outsource the sampling process.
D. Use a statistical sampling method
Answer: A

NO.29 When determining which IS audits to conduct during the upcoming year, internal audit has
received a request from management for multiple audits of the contract division due to fraud
findings during the prior year. Which of the following is the BEST basis for selecting the audits to be
performed?
A. Select audits based on management's suggestion
B. Select audits based on the skill sets of the IS auditors.
C. Select audits based on collusion risk
D. Select audits based on an organizational risk assessment.
Answer: D

NO.30 A data breach has occurred due to malware. Which of the following should be the
FIRST course of action?
A. Notify the cyber insurance company.
B. Notify customers of the breach.
C. Shut down the affected systems.
D. Quarantine the impacted systems.
Answer: D

NO.31 Which of the following should be an IS auditor's GREATEST concern when reviewing an
outsourcing arrangement with a third-party cloud service provider to host personally identifiable
data?
A. The data is not adequately segregated on the host platform.
B. Fees are charged based on the volume of data stored by the host.
C. The outsourcing contract does not contain a right-to-audit clause.
D. The organization's servers are not compatible with the third party's infrastructure
Answer: A

NO.32 An IS auditor finds that one employee has unauthorized access to confidential data. The IS
auditor's BEST recommendation should be to:
A. recommend corrective actions to be taken by the security administrator.
B. reclassify the data to a lower level of confidentiality.
C. implement a strong password schema for users.
D. require the business owner to conduct regular access reviews.
Answer: D

NO.33 What is the MOST important business concern when an organization is about to migrate a
mission-critical application to a virtual environment?
A. Adequacy of the fallback procedures
B. Adequacy of the virtual architecture
C. The organization's experience with virtual applications
D. Confidentiality of network traffic
Answer: B

NO.34 Which of the following is the PRIMARY purpose of conducting follow-up audits for material
observations?
A. To assess evidence for management reporting
B. To validate the correctness of reported findings
C. To validate remediation efforts
D. To assess the risk of the audit environment
Answer: C

NO.35 In the case of a disaster where the data center is no longer available, which of the following
tasks should be done FIRST?
A. Perform data recovery
B. Activate the call tree
C. Analyze risk
D. Arrange for a secondary site
Answer: A

NO.36 During an exit interview, senior management disagrees with some of the facts presented in
the draft audit report and wants them removed from the report. Which of the following would be the
auditor's BEST course of action?
A. Gather evidence to analyze senior management's objections
B. Finalize the draft audit report without changes
C. Revise the assessment based on senior management's objections.
D. Escalate the issue to audit management
Answer: A

NO.37 Which of the following is the GREATEST benefit of implementing an incident management
process?
A. Reduction in security threats
B. Opportunity for frequent reassessment of incidents
C. Reduction in the business impact of incidents
D. Reduction of cost by the efficient use of resources
Answer: C

NO.38 Which of the following is the MOST reliable network connection medium in an environment
where there is strong electromagnetic interference?
A. Fiber optic cable
B. Coaxial cable
C. Shielded twisted-pair cable
D. Wireless link
Answer: A

NO.39 A user of a telephone banking system has forgotten his personal identification number (PIN).
After the user has been authenticated, the BEST method of issuing a new PIN is to have:
A. A randomly generated PIN communicated by banking personnel
B. Banking personnel assign the user a new PIN via email
C. The user enter a new PIN twice
D. Banking personnel verbally assign a new PIN
Answer: C

NO.40 The BEST way to prevent fraudulent payments is to implement segregation of duties between
the vendor setup and:
A. product registration
B. payroll processing
C. payment processing
D. procurement
Answer: C

NO.41 When is it MOST important for an IS auditor to apply the concept of materiality in an audit?
A. When a violation of a regulatory requirement has been identified
B. When evaluating representations from the auditee
C. When gathering information for the fieldwork
D. When planning an audit engagement
Answer: D

NO.42 Which of the following is MOST important for an IS auditor to do during an exit meeting with
an auditee?
A. Ensure that the facts presented in the report are correct.
B. Specify implementation dates for the recommendations.
C. Request input in determining corrective action.
D. Communicate the recommendations to senior management
Answer: D

NO.43 When an IS auditor evaluates key performance indicators (KPIs) for IT initiatives, it is MOST
important that the KPIs indicate:
A. IT solutions are within budget
B. IT objectives are measured
C. IT resources are fully utilized
D. IT deliverables are process driven.
Answer: B

NO.44 An organization has decided to implement a third-party system in its existing IT environment.
Which of the following is MOST important for the IS auditor to confirm?
A. The organization has created a clone of the third party's IT infrastructure to host the IT system
B. The organization has maintained a clone of the existing infrastructure as backup.
C. The organization has analyzed the IT infrastructure to determine the feasibility of hosting the IT
system.
D. The organization has purchased a newly released IT infrastructure environment relevant to the IT
system
Answer: C

NO.45 An IS auditor was involved in the design phase for a new system's security architecture. For
the planned post-implementation audit, which of the following would be the MOST appropriate
course of action for the auditor?
A. Have another auditor review the security architecture.
B. Disclose the independence issues in the audit report.
C. Change the audit scope to exclude security architecture.
D. Postpone the post-implementation audit to a later date.
Answer: A

NO.46 Which of the following is the BEST way to address potential data privacy concerns associated
with inadvertent disclosure of machine identifier information contained within security logs?
A. Restrict the transfer of log files from host machine to online storage.
B. Limit log collection to only periods of increased security activity.
C. Limit the use of logs to only those purposes for which they were collected.
D. Only collect logs from servers classified as business critical.
Answer: C

NO.47 An IS auditor is evaluating a virtual server environment and learns that the production server,
development server, and management console are housed in the same physical host. What should be
the auditor's PRIMARY concern?
A. The physical host is a single point of failure
B. The management console is a single point of failure.
C. The development server and management console share the same host
D. The development and production servers share the same host
Answer: B

NO.48 When is the BEST time to commence continuity planning for a new application system?
A. immediately after implementation
B. During the design phase
C. Following successful user testing
D. Just prior to the handover to the system maintenance group
Answer: B

NO.49 Which of the following is the BEST sampling method to ensure only active users have access
to critical systems?
A. Substantive testing
B. Difference estimation
C. Unstratified mean per unit
D. Compliance testing
Answer: D

NO.50 An organization has begun using social media to communicate with current and potential
clients. Which of the following should be of PRIMARY concern to the auditor?
A. Reduced productivity of staff using social media
B. Using a third-party provider to host and manage content
C. Lack of guidance on appropriate social media usage and monitoring
D. Negative posts by customers affecting the organization's image
Answer: C

NO.51 An IS auditor observes that a business-critical application does not currently have any level of
fault tolerance. Which of the following is the GREATEST concern with this situation?
A. Single point of failure
B. Limited tolerance for damage
C. Degradation of services
D. Decreased mean time between failures (MTBF)
Answer: A

NO.52 An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The
algorithm in the program is BEST characterized as which type of control?
A. Directive
B. Preventive
C. Corrective
D. Detective
Answer: B

NO.53 Which of the following is necessary for effective risk management in IT governance?
A. Risk management strategy is approved by the audit committee
B. Risk evaluation is embedded in management processes.
C. Local managers are solely responsible for risk evaluation
D. IT risk management is separate from corporate risk management
Answer: B

NO.54 Which of the following controls BEST ensures appropriate segregation of duties within an
accounts payable department?
A. Restricting program functionality according to user security profiles
B. Restricting access to update programs to accounts payable staff only
C. Including the creator's user ID as a field in every transaction record created
D. Ensuring that audit trails exist for transactions
Answer: A

NO.55 Which of the following is the MOST important reason to use statistical sampling?
A. The results can reduce error rates.
B. It reduces time required for testing.
C. The results are more defensible.
D. It ensures that all relevant cases are covered.
Answer: D

NO.56 An IS auditor performing an application development review attends development team
meetings. The IS auditor's independence will be compromised if the IS auditor:
A. designs and executes the user's acceptance test plan.
B. assists in developing an integrated test facility on the system.
C. reviews the result of systems tests that were performed by the development team.
D. re-performs test procedures used by the development team.
Answer: A

NO.57 Which of the following represents a potential single point of failure in the virtualized
environment that could result in a compromise with greater scope and impact?
A. Underlying hardware on the guest operating system
B. Dual operating system
C. The host operating system
D. Applications installed on the guest operating system
Answer: C

NO.58 Which of the following is an objective of data transfer controls?
A. To ensure there are sufficient dedicated resources in place to facilitate data transfer
B. To ensure receiving data fields have been configured according to the structure of the transmitted
data
C. To ensure the data is backed up on a regular basis
D. To ensure access control lists are accurately and completely maintained
Answer: B

NO.59 Which of the following network management tools should an IS auditor use to review the
type of packets flowing along a monitored link?
A. Response time reports
B. Network monitors
C. Protocol analyzers
D. Online monitors
Answer: B

NO.60 Which of the following is the MAIN purpose of data classification?
A. Defining parameter requirements for security labels
B. Ensuring integrity of sensitive information
C. Applying the appropriate protective measures
D. Ensuring the segregation of duties
Answer: C

NO.61 Which of the following is the BEST way for an IS auditor to ensure the completeness of data
collected for advanced analytics during an audit?
A. Perform additional quality control steps after selecting the samples
B. Review the query or parameters used to download the data before selecting samples
C. Obtain access to the quality assurance (QA) system to independently download the information
D. Request the data owner to verify and approve the information
Answer: B

NO.62 Which of the following is the MOST important determining factor when establishing
appropriate timeframes for follow-up activities related to audit findings?
A. Complexity of business processes identified in the audit
B. Remediation dates included in management responses
C. Availability of IS audit resources
D. Peak activity periods for the business
Answer: B

NO.63 When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:
A. determine EUC materiality and complexity thresholds.
B. evaluate EUC threats and vulnerabilities.
C. obtain an inventory of EUC applications.
D. evaluate the organization's EUC policy.
Answer: D

NO.64 Which of the following provides the MOST assurance that new information systems are ready
for migration to the production environment?
A. Results of penetration testing performed by the development team
B. System quality assurance (QA) performed by an in-house team
C. Approval by the change advisory board
D. Results of end user acceptance testing (UAT)
Answer: D

NO.65 An IS auditor is assessing the results of an organization's post-implementation review of a
newly developed information system. Which of the following should be the auditor's MAIN focus?
A. Benefits realization analysis has been completed
B. The disaster recovery plan (DRP) has been updated
C. The procurement contract has been closed
D. Lessons learned have been identified
Answer: A

NO.66 Which of the following would be a result of utilizing a top-down maturity model process?
A. Identification of older, more established processes to ensure timely review
B. Identification of processes with the most improvement opportunities
C. A means of comparing the effectiveness of other processes within the enterprise
D. A means of benchmarking the effectiveness of similar processes with peers
Answer: B

NO.67 The BEST indicator of an optimized quality management system (QMS) is that it:
A. is endorsed by senior management
B. is integrated and enforced in all IT activities
C. defines and monitors all IT QMS activities
D. aligns with an industry recognized framework
Answer: B

NO.68 An organization's IT security policy requires annual security awareness training for all
employees. Which of the following would provide the BEST evidence of the training's effectiveness?
A. Results of a social engineering test
B. Interviews with employees
C. Decreased calls to the incident response team
D. Surveys completed by randomly selected employees
Answer: A

NO.69 A financial institution has a system interface that is used by its branches to obtain applicable
currency exchange rates when processing transactions Which of the following should be the
PRIMARY control objective for maintaining the security of the system interface?
A. Preventing unauthorized access to the data via malicious activity
B. Preventing unauthorized access to the data via interception
C. Ensuring the integrity of the data being transferred
D. Ensuring the availability of the data being transferred
Answer: C

NO.70 An organization is developing data classification standards and has asked internal audit for
advice on aligning the standards with best practices. Internal audit would MOST likely recommend
the standards should be:
A. based on the results of an organization-wide risk assessment.
B. based on the business requirements for authentication of the information.
C. aligned with the organization's segregation of duties requirements.
D. based on the business requirements for confidentiality of the information.
Answer: A

NO.71 Which of the following should be done FIRST when developing a business continuity plan
(BCP)?
A. Review environmental controls.
B. Conduct a business impact analysis (BIA).
C. Perform a business threat assessment.
D. Perform a vulnerability analysis
Answer: B

NO.72 Which of the following is the BEST preventive control to ensure the integrity of server
operating systems?
A. Monitoring server performance
B. Protecting the server in a secure data center
C. Logging all activity on the server
D. Hardening the server configurations
Answer: D

NO.73 Which of the following is MOST likely to ensure that an organization's systems development
meets its business objectives?
A. A focus on strategic projects
B. Business owner involvement
C. A project plan with clearly identified requirements
D. Segregation of systems development and testing
Answer: B

NO.74 An organization is using a single account shared by personnel for its social networking
marketing page. Which of the following is the BEST method to maintain accountability over the
account?
A. Reviewing access rights on a periodic basis
B. Integrating the account with single sign-on
C. Regular monitoring of proxy server logs
D. Implementing an account password check-out process
Answer: A

NO.75 An IS auditor learns the organization has experienced several server failures in its distributed
environment. Which of the following is the BEST recommendation to limit the potential Impact of
server failures in the future?
A. Failover power
B. Clustering
C. Parallel testing
D. Redundant pathways
Answer: C

NO.76 Which of the following BEST demonstrates that IT strategy is aligned with organizational goals
and objectives?
A. Business stakeholders are involved in approving the IT strategy.
B. IT strategies are communicated to all business stakeholders
C. Organizational strategies are communicated to the chief information officer (CIO)
D. The chief information officer (CIO) is involved in approving the organizational strategies
Answer: A

NO.77 An organization processing high volumes of financial transactions has implemented log file
analysis on a central log server to continuously monitor compliance with its fraud policy. Which of the
following poses the GREATEST risk to this control?
A. IT operations staff have the right to restart the log server.
B. Data entry staff have privileged access to the log server.
C. IT operations staff are able to stop the payment processing system.
D. Software developers have read access to the log server.
Answer: B

NO.78 Which type of attack poses the GREATEST risk to an organization's most sensitive data?
A. Insider attack
B. Eavesdropping attack
C. Spear phishing attack
D. Password attack
Answer: A

NO.79 An organization maintains an inventory of the IT applications used by its staff. Which of the
following would pose the GREATEST concern with regard to the quality of the inventory data?
A. Inventory data is available on and downloadable from the corporate intranet
B. The application owner and contact information fields are not required to be completed
C. The inventory does not contain a formal risk ranking for all the IT applications
D. The organization has not established a formal recertification process for the inventory data
Answer: A

NO.80 An audit of environmental controls at a data center could include a review of the:
A. logs recording visitors to the data center
B. local alarms on emergency exits
C. list of employees authorized to enter the data center
D. ceiling space to ensure that there are no wet pipes
Answer: C

NO.81 Which of the following would provide an IS auditor with the MOST assurance when auditing
the implementation of a new application system?
A. Substantive testing
B. Statistical sampling
C. Sign-off by system owner
D. Attribute sampling
Answer: A

NO.82 Which of the following is the BEST way to confirm that a digital signature is valid?
A. Confirm that the sender's public key certificate is from a trusted certificate authority (CA).
B. Compare the hash value of the digital signature manually
C. Verify the digital signature by obtaining the sender's public key
D. Request a valid private key from the sender and compare it with the public key
Answer: A

NO.83 Which of the following is MOST critical to include when developing a data loss prevention
(DLP) policy?
A. Identification of enforcement actions
B. Identification of the relevant network channels requiring protection
C. Identification of the users, groups, and roles to whom the policy will apply
D. Identification of the content to protect
Answer: D

NO.84 An internal audit department recently established a quality assurance (QA) program as part
of its overall audit program. Which of the following activities is MOST important to include as part of
the QA program requirements?
A. Implementing corrective action plans
B. Creating a long-term plan for internal audit staffing
C. Analyzing user satisfaction reports from business lines
D. Reviewing audit standards periodically
Answer: A

NO.85 An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the
following should be the auditor's NEXT course of action?
A. Report the security posture of the organization.
B. Report the mitigating control
C. Determine the value of the firewall.
D. Determine the risk of not replacing the firewall
Answer: D

NO.86 Which of the following should an IS auditor validate FIRST when reviewing the security of an
organization's IT infrastructure as it relates to Internet of Things (IoT) devices?
A. Identification and inventory of IoT devices
B. Access control and network segmentation for IoT devices
C. Strong password protection for IoT devices
D. Physical security of IoT devices
Answer: A

NO.87 Batch processes running in multiple countries are merged to one batch job to be executed in
a single data center. Which of the following is the GREATEST concern with this approach?
A. The knowledge base maintained by current staff may be lost.
B. Change management may become highly complex after job integration
C. The job execution approval process at the regional level may be compromised.
D. Restart of the batch job after disruption may impair the integrity of databases.
Answer: B

NO.88 Which of the following is the BEST way to ensure payment transaction data is restricted to
the appropriate users?
A. Implementing two-factor authentication
B. Using a single menu for sensitive application transactions
C. Implementing role-based access at the application level
D. Restricting access to transactions using network security software
Answer: C

NO.89 When evaluating an IT organizational structure, which of the following is MOST important to
ensure has been documented?
A. Human resources (HR) policy on organizational changes
B. Provisions for cross-training
C. Succession and promotion plans
D. Job functions and duties
Answer: C

NO.90 An IS auditor finds that the process for removing access for terminated employee is not
documented. What is the MOST significant risk from this observation?
A. Access rights may not be removed in a timely manner
B. Unauthorized access cannot be identified
C. Procedures may not align with the practices
D. HR records may not match system access
Answer: A

NO.91 During an internal audit review of a human resources (HR) recruitment system
implementation, the IS auditor notes that several defects were unresolved at the time the system
went live. Which of the following is the auditor's MOST important task prior to formulating an audit
opinion?
A. Review the initial implementation plan for timelines.
B. Confirm the project plan was approved.
C. Review the user acceptance test (UAT) results for defects
D. Confirm the seventy of the identified defects.
Answer: D

NO.92 Which of the following is the MAIN purpose of an information security management system?
A. To reduce the frequency and impact of information security incidents
B. To identify and eliminate the root causes of information security incidents
C. To keep information security policies and procedures up-to-date
D. To enhance the impact of reports used to monitor information security incidents
Answer: A

NO.93 Which of the following is MOST influential when defining disaster recovery strategies?
A. Annual loss expectancy
B. Maximum tolerable downtime
C. Data classification scheme
D. Existing server redundancies
Answer: A

NO.94 Which of the following is the BEST method to prevent wire transfer fraud by bank
employees?
A. Re-keying of wire dollar amounts
B. Two-factor authentication control
C. Independent reconciliation
D. System-enforced dual control
Answer: D

NO.95 Which of the following observations should be of GREATEST concern to an IS auditor
reviewing a large organization's virtualization environment?
A. An unused printer has been left connected to the host system.
B. Guest tools have been installed without sufficient access control.
C. A rootkit was found on the host operating system.
D. Host inspection capabilities have been disabled.
Answer: B

NO.96 Which of the following would an IS auditor PRIMARILY review to understand key drivers of a
project?
A. Earned value analysis (EVA)
B. Project risk matrix
C. IT strategy and objectives
D. Business case
Answer: B

NO.97 Which of the following would BEST demonstrate that an effective disaster recovery plan
(DRP) is in place?
A. Periodic risk assessment
B. Full operational test
C. Frequent testing of backups
D. Annual walk-through testing
Answer: B

NO.98 Which of the following is the BEST way for an IS auditor to determine how well an
information security program has been implemented throughout the organization?
A. Evaluate the percentage of employees who have taken security awareness training.
B. Review security awareness training content for completeness.
C. Evaluate the integration of security best practices into business workflows.
D. Perform security risk assessments for the organization's business units
Answer: C

NO.99 The application systems quality assurance (QA) function should:
A. assist programmers in designing and developing applications.
B. design and develop quality applications by employing system development methodology.
C. ensure adherence of programs to standards.
D. compare programs to approved system changes.
Answer: C

NO.100 To help ensure the accuracy and completeness of end-user computing output, it is MOST
important to include strong:
A. documentation controls.
B. change management controls.
C. access management controls.
D. reconciliation controls.
Answer: D

NO.101 Which of the following provides the MOST reliable audit evidence on the validity of
transactions in a financial application?
A. Substantive testing
B. Compliance testing
C. Walk-through reviews
D. Design documentation reviews
Answer: A

NO.102 Which of the following is an example of a preventive control?
A. Purchase orders in the system being checked by a supervisor prior to execution to identify errors
during entry
B. An online retailer's daily review of transactions processed to identify trends and changes in
customer demand
C. Regular assessments of the sales department to identify the most profitable sales strategies used
by sales staff
D. Continuous operation of a screening system to identify fraudulent patterns in recent transactions
Answer: A

NO.103 Which of the following should be of GREATEST concern to an IS auditor reviewing project
documentation for a client relationship management (CRM) system migration project?
A. Employees are concerned that data representation in the new system is completely different from
the old system.
B. Five weeks prior to the target date, there are still numerous defects in the printing functionality.
C. A single implementation phase is planned and the legacy system will be immediately
decommissioned.
D. The technical migration is planned for a holiday weekend and end users may not be available.
Answer: C

NO.104 A 5-year audit plan provides for general audits every year and application audits on
alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:
A. Alternate between control self-assessment (CSA) and general audits every year.
B. Have control self-assessments (CSAs) and formal audits of applications on alternating years.
C. Implement risk assessment criteria to determine audit priorities.
D. Proceed with the plan and integrate all new applications.
Answer: C

NO.105 An IS auditor is reviewing the implementation of an international quality management
standard. Which of the following provides the BEST evidence that quality management objectives
have been achieved?
A. Reduction in risk profile
B. Quality assurance (QA) documentation
C. Measurable processes
D. Enhanced compliance with laws and regulations
Answer: C

NO.106 When a firewall is subjected to a probing attack, the MOST appropriate first response is for
the firewall to:
A. alert the administrator.
B. break the Internet connection.
C. drop the packet.
D. reject the packet.
Answer: C

NO.107 Which of the following is the PRIMARY purpose of using data analytics when auditing an
enterprise resource planning (ERP) system for a large organization?
A. To determine recovery point objectives (RPOs)
B. To identify business processing errors
C. To select sampling methods
D. To identify threats to the ERP
Answer: B

NO.108 Which of the following BEST enables an IS auditor to detect incorrect exchange rates applied
to outward remittance transactions at a financial institution?
A. Developing computer-assisted audit techniques (CAATs) during transaction audits
B. Performing sampling tests on transactions processed at the end of each day
C. Running continuous auditing scripts at the end of each day
D. Using supervised machine learning techniques to develop a regression model to predict incorrect
input
Answer: A

NO.109 An IS auditor notes that help desk personnel are required to make critical decisions during
major service disruptions. Which of the following is the auditor's BEST recommendation to address
this situation?
A. Introduce classification of disruptions by risk category.
B. Provide historical incident response information for the help desk
C. Implement an incident response plan
D. Establish shared responsibility among business peers.
Answer: C

NO.110 Which of the following is the BEST control to help prevent sensitive data leaving an
organization via email?
A. Providing encryption solutions for employees
B. Conducting periodic phishing tests
C. Blocking outbound emails sent without encryption
D. Scanning outgoing emails
Answer: C

NO.111 An organization's IT security policy states that user IDs must uniquely identify individuals
and that users should not disclose their passwords. An IS auditor discovers that several generic user
IDs are being used. Which of the following is the MOST appropriate course of action for the auditor?
A. Recommend a change in security policy.
B. Include the finding in the final audit report.
C. Investigate the noncompliance.
D. Recommend disciplinary action.
Answer: A

NO.112 Which of the following should the IS auditor do FIRST to ensure data transfer integrity for
Internet of Things (IoT) devices?
A. Verify access control lists to the database where collected data is stored.
B. Determine how devices are connected to the local network.
C. Confirm that acceptable limits of data bandwidth are defined for each device.
D. Ensure that message queue telemetry transport (MQTT) is used.
Answer: B

NO.113 A senior auditor is reviewing work papers prepared by a junior auditor indicating that a
finding was removed after the auditee said they corrected the problem. Which of the following is the
senior auditor's MOST appropriate course of action?
A. Have the finding reinstated
B. Ask the auditee to retest
C. Refer the issue to the audit director
D. Approve the work papers as written
Answer: B

NO.114 After an employee termination, a network account was removed, but the application
account remained active. To keep this issue from recurring, which of the following is the BEST
recommendation?
A. Leverage shared accounts for the application.
B. Perform periodic access reviews.
C. Retrain system administration staff.
D. Integrate application accounts with network single sign-on.
Answer: D

NO.115 IS management has recently disabled certain referential integrity controls in the
database management system (DBMS) software to provide users increased query performance.
Which of the following controls will MOST effectively compensate for the lack of referential
integrity?
A. Periodic table link checks
B. Concurrent access controls
C. Performance monitoring tools
D. More frequent data backups
Answer: A

NO.116 A review of an organization's IT portfolio revealed several applications that are not in use.
The BEST way to prevent this situation from recurring would be to implement:
A. A formal request for proposal (RFP) process
B. Business case development procedures
C. An information asset acquisition policy
D. Asset life cycle management.
Answer: C

NO.117 Many departments of an organization have not implemented audit recommendations by
their agreed-upon target dates. Who should address this situation?
A. External auditor
B. Head of internal audit
C. Department managers
D. Senior management
Answer: D

NO.118 The objective of a vulnerability identification step in a risk assessment process is to:
A. determine the impact of compromise
B. develop a list of weaknesses
C. identify the compensating controls
D. determine the likelihood of a threat
Answer: B

NO.119 Following a significant merger and acquisition, which of the following should the chief audit
executive (CAE) do FIRST to evaluate the performance of the combined internal audit function?
A. Conduct performance benchmarking.
B. Identify key performance indicators (KPIs).
C. Set process maturity levels.
D. Review internal audit department procedures.
Answer: D

NO.120 The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which
type of audit risk?
A. Technology risk
B. Inherent risk
C. Control risk
D. Detection risk
Answer: D

NO.121 An emergency power-off switch should:
A. not be identified.
B. be illuminated.
C. be protected.
D. not be in the computer room.
Answer: B

NO.122 Which of the following would lead an IS auditor to conclude that the evidence collected
during a digital forensic investigation would not be admissible in court?
A. The evidence was not fully backed up using a cloud-based solution prior to the trial.
B. The evidence was collected by the internal forensics team.
C. The logs failed to identify the person handling the evidence.
D. The person who collected the evidence is not qualified to represent the case.
Answer: C

NO.123 Which of the following is the PRIMARY benefit of using a capability maturity model?
A. It provides detailed change management strategies for performance improvement.
B. It helps the organization estimate how long it will take to reach the highest level of maturity in
each area.
C. It provides a way to compare against similar organizations' maturity levels.
D. It helps the organization develop a roadmap toward its desired level of maturity in each area.
Answer: D

NO.124 An IS audit reveals that many of an organization's Internet of Things (IoT) devices have not
been patched. Which of the following should the auditor do FIRST when determining why these
devices have not received the required patches?
A. Determine the physical location of the deployed devices.
B. Review the organization's patching policy and process documentation.
C. Ensure the devices are listed in the asset inventory database.
D. Review the organization's most recent risk assessment on IoT devices.
Answer: B

NO.125 The members of an emergency incident response team should be:
A. restricted to IT personnel
B. appointed by the CISO
C. selected from multiple departments
D. assigned at the time of each incident
Answer: C

NO.126 An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of
the following should present the GREATEST concern to the auditor?
A. Access control requirements
B. Hardware configurations
C. Perimeter network security diagram
D. Help desk availability
Answer: A

NO.127 Which of the following governance functions is responsible for ensuring IT projects have
sufficient resources and are prioritized appropriately?
A. Executive management
B. IT management
C. IT steering committee
D. Board of directors
Answer: C

NO.128 Which of the following should an IS auditor recommend to reduce the likelihood of
potential intruders using social engineering?
A. Prohibit the use of social networking platforms
B. Deploy a security awareness program
C. Perform simulated attacks
D. Implement an intrusion detection system (IDS)
Answer: B

NO.129 A software development organization with offshore personnel has implemented a third-
party virtual workspace to allow the teams to collaborate. Which of the following should be of
GREATEST concern?
A. Team collaboration sessions are not monitored.
B. The team's work products are not properly classified as intellectual property.
C. The virtual workspace is configured to interface with other applications.
D. Exfiltration of data could occur through the virtual workspace.
Answer: D

NO.130 Which of the following technologies has the SMALLEST maximum range for data
transmission between devices?
A. Near-field communication (NFC)
B. Long-term evolution (LTE)
C. Bluetooth
D. Wi-Fi
Answer: A

NO.131 Which of the following MUST be completed before selecting and deploying a biometric
system that uses facial recognition software?
A. Privacy impact analysis
B. Vulnerability assessment
C. Image interference review
D. False acceptance testing
Answer: D

NO.132 During business process reengineering (BPR) of a bank's teller activities, an IS auditor should
evaluate:
A. the impact of changed business processes.
B. the cost of new controls.
C. BPR project plans
D. continuous improvement and monitoring plans.
Answer: A

NO.133 Compared to developing a system in-house, acquiring a software package means that the
need for testing by end users is:
A. eliminated.
B. increased.
C. reduced.
D. unchanged.
Answer: B

NO.134 One advantage of monetary unit sampling is the fact that:
A. it increases the likelihood of selecting material items from the population.
B. large-value population items are segregated and audited separately.
C. it can easily be applied manually when computer resources are not available.
D. results are stated in terms of the frequency of items in error.
Answer: A

NO.135 A banking organization has outsourced its customer data processing facilities to an external
service provider. Which of the following roles is accountable for ensuring the security of customer
data?
A. The service provider's data privacy officer
B. The bank's vendor risk manager
C. The service provider's data processor
D. The bank's senior management
Answer: D

NO.136 When conducting a post-implementation review of a new software application, an IS
auditor should be MOST concerned with an increasing number of:
A. updates required for the end-user operations manual
B. change requests approved to add new services
C. operational errors impacting service delivery
D. help desk calls requesting future enhancements
Answer: A

NO.137 An IS auditor reviewing a job scheduling tool notices performance and reliability problems.
Which of the following is MOST likely affecting the tool?
A. The number of support staff responsible for job scheduling has been reduced.
B. Maintenance patches and the latest enhancement upgrades are missing.
C. The scheduling tool was not classified as business-critical by the IT department.
D. Administrator passwords do not meet organizational security and complexity requirements.
Answer: B

NO.138 Which sampling method should an IS auditor employ when the likelihood of exceptions
existing in the population is low?
A. Discovery sampling
B. Random sampling
C. Interval sampling
D. Unit sampling
Answer: A

NO.139 Which of the following system conversion strategies provides the GREATEST redundancy?
A. Pilot study
B. Phased approach
C. Direct cutover
D. Parallel run
Answer: D
NO.140 During an audit of a data classification policy, an IS auditor finds that many documents are
inappropriately classified as confidential. Which of the following is the GREATEST concern?
A. Information may be underprotected.
B. Data integrity issues may occur.
C. Industry security best practices are violated.
D. Information may generally be overprotected.
Answer: D

NO.141 An IS audit manager was temporarily tasked with supervising a project manager assigned to
the organization's payroll application upgrade. Upon returning to the audit department, the audit
manager has been asked to perform an audit to validate the implementation of the payroll
application. The audit manager is the only one in the audit department with IT project management
experience. What is the BEST course of action?
A. Manage the audit since there is no one else with the appropriate experience
B. Outsource the audit to independent and qualified resources
C. Have a senior IS auditor manage the project with the IS audit manager performing final review
D. Transfer the assignment to a different audit manager despite lack of IT project management
experience
Answer: B

NO.142 An organization has agreed to perform remediation related to high-risk audit findings. The
remediation process involves a complex reorganization of user roles as well as the implementation of
several compensating controls that may not be completed within the next audit cycle. Which of the
following is the BEST way for an IS auditor to follow up on their activities?
A. Provide management with a remediation timeline and verify adherence.
B. Schedule a review of the controls after the projected remediation date
C. Review the progress of remediation on a regular basis
D. Continue to audit the failed controls according to the audit schedule
Answer: A

NO.143 Which of the following is MOST important to review when planning for an IS audit of an
organization's cross-border data transfers?
A. Long-term IS strategy
B. Offshore supplier risk assessments
C. Previous external audit reports
D. Applicable regulatory requirements
Answer: D

NO.144 An organization recently switched vendors to perform hardware service and maintenance.
The new contract specifies a longer response time than the organization's requirements. Which of
the following is the GREATEST risk of this change?
A. Disaster recovery plans (DRPs) may have increased dependence on the new vendor.
B. There may be an increase of shadow IT occurrences.
C. Unexpected downtime may impact key business processes.
D. Business data may be lost in the event of system failure.
Answer: D

NO.145 An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service
provider. What should be the manager's PRIMARY concern when made aware that a new auditor in
the department previously worked for this provider?
A. Integrity
B. Professional conduct
C. Independence
D. Competency
Answer: A

NO.146 An organization is shifting to a remote workforce. In preparation, the IT department is
performing stress and capacity testing of remote access infrastructure and systems. What type of
control is being implemented?
A. Directive
B. Preventive
C. Compensating
D. Detective
Answer: B

NO.147 Which of the following is the MOST effective control against injection attacks on a web
application?
A. Setting up the application and database on different servers
B. Validation of data provided by application users
C. Modern application firewalls
D. Strong identity controls for application users
Answer: D

NO.148 Which of the following information security requirements BEST enables the tracking of
organizational data in a bring your own device (BYOD) environment?
A. Employees must immediately report lost or stolen mobile devices containing organizational data.
B. Employees must enroll their personal devices in the organization's mobile device management
program
C. Employees must sign acknowledgment of the organization's mobile device acceptable use policy.
D. Employees must use auto-lock features and complex passwords on personal devices.
Answer: B

NO.149 Which of the following is the BEST way to ensure that business continuity plans (BCPs) will
work effectively in the event of a major disaster?
A. Regularly update business impact assessments
B. Prepare detailed plans for each business function.
C. Involve staff at all levels in periodic paper walk-through exercises
D. Make senior managers responsible for their plan sections.
Answer: C

NO.150 Which of the following BEST facilitates the management of assets during the
implementation of an information system?
A. Decision support system
B. Quality management controls
C. Configuration management database (CMDB)
D. Asset procurement system
Answer: C

NO.151 An internal audit department reports directly to the chief financial officer (CFO) of an
organization. This MOST likely leads to:
A. audit findings becoming more business-oriented
B. biased audit findings and recommendations.
C. concern over the independence of the auditor
D. audit recommendations receiving greater attention.
Answer: C

NO.152 An IS auditor is conducting a pre-implementation review to determine a new system's
production readiness. The auditor's PRIMARY concern should be whether:
A. benefits realization has been evidenced
B. there are unresolved high-risk items
C. the project adhered to the budget and target date.
D. users were involved in the quality assurance (QA) testing.
Answer: B

NO.153 Which of the following would provide the BEST evidence for use in a forensic investigation
of an employee's hard drive?
A. Prior backups
B. Bit-stream copy of the hard drive
C. A file level copy of the hard drive
D. Memory dump to an external hard drive
Answer: B

NO.154 To enable the alignment of IT staff development plans with IT strategy, which of the
following should be done FIRST?
A. Include strategic objectives in IT staff performance objectives.
B. Develop quarterly training for each IT staff member.
C. Review IT staff job descriptions for alignment.
D. Identify required IT skill sets that support key business processes.
Answer: D

NO.155 A PRIMARY benefit derived by an organization employing control self-assessment (CSA)
techniques is that CSA:
A. allows IS auditors to independently assess risk
B. allows management to relinquish responsibility for control.
C. can be used as a replacement for traditional audits.
D. can identify high-risk areas for detailed review.
Answer: D

NO.156 Which of the following is the MOST important prerequisite for implementing a data loss
prevention (DLP) tool?
A. Developing a DLP policy and requiring signed acknowledgement by users.
B. Requiring users to save files in secured folders instead of company-wide shared drive
C. Identifying where existing data resides and establishing a data classification matrix.
D. Reviewing data transfer logs to determine historical patterns of data flow
Answer: C

NO.157 Both statistical and nonstatistical sampling techniques:
A. permit the auditor to quantify and fix the level of risk.
B. permit the auditor to quantify the probability of error.
C. provide each item an equal opportunity of being selected.
D. require judgment when defining population characteristics
Answer: D

NO.158 An IS auditor learns a server administration team regularly applies workarounds to address
repeated failures of critical data processing services. Which of the following would BEST enable the
organization to resolve this issue?
A. Service level management
B. Problem management
C. Change management
D. Incident management
Answer: B

NO.159 For a company that outsources payroll processing, which of the following is the BEST way to
ensure that only authorized employees are paid?
A. Only payroll employees should be given the password for data entry and report retrieval.
B. Employees should receive pay statements showing gross pay, net pay, and deductions.
C. The company's bank reconciliations should be independently prepared and checked.
D. Electronic payroll reports should be independently reviewed.
Answer: D

NO.160 An IS auditor is reviewing environmental controls and finds extremely high levels of
humidity in the data center. Which of the following is the PRIMARY risk to computer equipment from
this condition?
A. Corrosion
B. Static electricity
C. Brownout
D. Fire
Answer: A

NO.161 An IS auditor notes that IT and the business have different opinions on the availability of
their application servers. Which of the following should the IS auditor review FIRST in order to
understand the problem?
A. The regular performance-reporting documentation
B. The alerting and measurement process on the application servers
C. The actual availability of the servers as part of a substantive test
D. The exact definition of the service levels and their measurement
Answer: D

NO.162 Which of the following should an IS auditor expect to see in a network vulnerability
assessment?
A. Misconfiguration and missing updates
B. Malicious software and spyware
C. Zero-day vulnerabilities
D. Security design flaws
Answer: A

NO.163 Which of the following is MOST important to include within a business continuity plan (BCP)
so that backup and replication is configured in a way that ensures data availability?
A. Recovery time objective (RTO)
B. Resource management plan
C. Disaster recovery location site
D. Recovery point objective (RPO)
Answer: D

NO.164 A security company and service provider have merged and the CEO has requested one
comprehensive set of security policies be developed for the newly formed company. The IS auditor's
BEST recommendation would be to:
A. implement the service provider's policies.
B. implement the security company's policies.
C. adopt an industry standard security policy.
D. conduct a policy gap assessment.
Answer: D

NO.165 Which of the following factors constitutes a strength in regard to the use of a disaster
recovery planning reciprocal agreement?
A. Reciprocal agreements may not be formally established in a contract.
B. The two companies might share a need for a specialized piece of equipment
C. Changes to the hardware or software environment by one company could make the agreement
ineffective or obsolete.
D. A disaster could occur that would affect both companies.
Answer: B

NO.166 The recovery time objective (RTO) is normally determined on the basis of the:
A. acceptable downtime of the alternate site,
B. risk of occurrence.
C. criticality of the systems affected.
D. cost of recovery of all systems.
Answer: C

NO.167 Which of the following is a directive control?
A. Establishing an information security operations team
B. Updating data loss prevention software
C. Implementing an information security policy
D. Configuring data encryption software
Answer: C

NO.168 A post-implementation review of a development project concludes that several business
requirements were not reflected in the software requirement specifications. Which of the following
should an IS auditor recommend to reduce this problem in the future?
A. Appoint a business unit representative.
B. Write test cases from the user requirements.
C. Trace the changes to requirements back to all affected products.
D. Set up a configuration control board.
Answer: A

NO.169 Which of the following should be included in a business impact analysis (BIA)?
A. Identification of IT resources that support key business processes
B. Recovery strategy for significant business interruptions
C. Support documentation for the recovery alternative
D. Roles and responsibilities for the business continuity process
Answer: A

NO.170 During an audit of a financial application, it was determined that many terminated users'
accounts were not disabled. Which of the following should be the IS auditor's NEXT step?
A. Conclude that IT general controls are ineffective.
B. Perform a review of terminated users' account activity.
C. Communicate risks to the application owner.
D. Perform substantive testing of terminated users' access rights.
Answer: B

NO.171 An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported
technology in the scope of an upcoming audit. What should the auditor consider the MOST significant
concern?
A. There is a greater risk of system exploitation.
B. Technical specifications are not documented.
C. Disaster recovery plans (DRPs) are not in place.
D. Attack vectors are evolving for industrial control systems.
Answer: C

NO.172 During a review of an organization's network threat response process, the IS auditor noticed
that the majority of alerts were closed without resolution.
Management responded that those alerts were unworkable due to lack of actionable intelligence,
and therefore the support team is allowed to close them. What is the BEST way for the auditor to
address this situation?
A. Further review closed unactioned alerts to identify mishandling of threats.
B. Omit the finding from the report as this practice is in compliance with the current policy.
C. Recommend that management enhance the policy and improve threat awareness training.
D. Reopen unactioned alerts and report to the audit committee.
Answer: A

NO.173 The purpose of data migration testing is to validate data:
A. retention.
B. completeness.
C. availability.
D. confidentiality.
Answer: B

NO.174 Which of the following is MOST important when duties in a small organization cannot be
appropriately segregated?
A. Variance reporting
B. Audit trail
C. Exception reporting
D. Independent reviews
Answer: D

NO.175 Which of the following is the BEST way to determine if IT is delivering value to the business?
A. Review IT service level agreement (SLA) results.
B. Interview key IT managers and service providers.
C. Analyze downtime frequency and duration.
D. Perform control self-assessments (CSAs).
Answer: A
NO.176 Which of the following is the PRIMARY purpose for external assessments of internal audit's
quality assurance (QA) systems and frameworks?
A. To confirm the internal audit department has adequate budget to perform its duties
B. To provide assurance that the internal audit function conforms with established professional
practices
C. To confirm the accuracy and reliability of prior internal audit results
D. To provide assurance that internal audit staff are qualified to perform their responsibilities
Answer: B

NO.177 Demonstrated support from which of the following roles in an organization has the MOST
influence over information security governance?
A. Board of directors
B. Chief information officer (CIO)
C. Information security steering committee
D. Chief information security officer (CISO)
Answer: A

NO.178 Which of the following is the GREATEST advantage of vulnerability scanning over
penetration testing?
A. The testing process can be automated to cover large groups of assets.
B. Network bandwidth is utilized more efficiently.
C. Custom-developed applications can be tested more accurately.
D. The testing produces a lower number of false positive results.
Answer: B

NO.179 An IS auditor has obtained a large complex data set for analysis. Which of the following
activities will MOST improve the output from the use of data analytics tools?
A. Data classification
B. Data preparation
C. Data masking
D. Data anonymization
Answer: B

NO.180 Which of the following implementation strategies for new applications presents the
GREATEST risk during data conversion and migration from an old system to a new system?
A. Pilot implementation
B. Phased implementation
C. Direct cutover
D. Parallel simulation
Answer: C

NO.181 Which of the following attacks would MOST likely result in the interception and modification
of traffic for mobile phones connecting to potentially insecure public Wi-Fi networks?
A. Man-in-the-middle
B. Phishing
C. Vishing
D. Brute force
Answer: A

NO.182 When measuring the effectiveness of a security awareness program, the MOST helpful key
performance indicator (KPI) is the number of:
A. employees who have signed the information security policy.
B. employees passing a phishing exercise.
C. employees attending security awareness training.
D. security incidents detected by tools.
Answer: B

NO.183 Which of the following is a corrective control that reduces the impact of a threat event?
A. Business process analysis
B. Security policy
C. Business continuity plan (BCP)
D. Segregation of duties (SoD)
Answer: C

NO.184 An organization has established hiring policies and procedures designed specifically to
ensure network administrators are well qualified. Which type of control is in place?
A. Detective
B. Directive
C. Corrective
D. Preventive
Answer: A

NO.185 Which of the following is the MOST important consideration for an organization when
strategizing to comply with privacy regulations?
A. Ensuring regular access recertification to information systems
B. Ensuring up-to-date knowledge of where customer personal data is saved
C. Ensuring contracts with third parties that process customer data are regularly updated
D. Ensuring there are staff members with in-depth knowledge of the regulations
Answer: A

NO.186 When developing metrics to measure the contribution of IT to the achievement of business
goals, the MOST important consideration is that the metrics:
A. are used by similar industries to measure the effect of IT on business strategy.
B. measure the effectiveness of IT controls in the achievement of IT strategy.
C. provide quantitative measurement of IT initiatives in relation with business targets.
D. are expressed in terms of how IT risk impacts the achievement of business goals.
Answer: D

NO.187 Which of the following demonstrates the use of data analytics for a loan origination
process?
A. Evaluating whether loan records are included in the batch file and are validated by the servicing
system
B. Validating whether reconciliations between the two systems are performed and discrepancies are
investigated
C. Reviewing error handling controls to notify appropriate personnel in the event of a transmission
failure
D. Comparing a population of loans input in the origination system to loans booked on the servicing
system
Answer: B

NO.188 Which of the following is MOST important to consider when scheduling follow-up audits?
A. The efforts required for independent verification with new auditors
B. The amount of time the auditee has agreed to spend with auditors
C. The impact if corrective actions are not taken
D. Controls and detection risks related to the observations
Answer: A

NO.189 What is the MAIN purpose of an organization's internal IS audit function?
A. Review the organization's policies and procedures against industry best practice and standards.
B. Identify and initiate necessary changes in the control environment to help ensure sustainable
improvement.
C. Provide assurance to management about the effectiveness of the organization's risk management
and internal controls.
D. Independently attest the organization's compliance with applicable legal and regulatory
requirements.
Answer: D

NO.190 During a database security audit, an IS auditor is reviewing the process used to upload
source data. Which of the following is the MOST significant risk area for the auditor to focus on?
A. Data resilience
B. Data normalization
C. Data integrity
D. Data sensitivity
Answer: C

NO.191 Which control type would provide the MOST useful input to a root cause analysis?
A. Compensating
B. Detective
C. Directive
D. Corrective
Answer: B

NO.192 A recent audit identified duplicate software licenses and technologies. Which of the
following would be MOST helpful to prevent this type of duplication in the future?
A. Centralizing IT procurement and approval practices
B. Updating IT procurement policies and procedures
C. Conducting periodic inventory reviews
D. Establishing a project management office
Answer: A

NO.193 Which of the following techniques would provide the BEST assurance to an IS auditor that
all necessary data has been successfully migrated from a legacy system to a modern platform?
A. Review of logs from the migration process
B. Data analytics
C. Interviews with migration staff
D. Statistical sampling
Answer: A

NO.194 Which of the following observations should be of GREATEST concern to an IS auditor
reviewing a hosted virtualized environment where each guest operating system (OS) is r
A. There are file shares between the host OS and the guest OS
B. Access to virtualization utilities and tools in the host is not restricted
C. The test environment of the applications is in a separate guest OS
D. All virtual machines are launching an application backup job at the same time
Answer: B

NO.195 An organization recently implemented a cloud document storage solution and removed the
ability for end users to save data to their local workstation hard drives. Which of the following
findings should be the IS auditor's GREATEST concern?
A. Mobile devices are not encrypted.
B. Users have not been trained on the new system.
C. Users are not required to sign updated acceptable
D. The business continuity plan (BCP) was not updated.
Answer: D

NO.196 An information systems security officer's PRIMARY responsibility for business process
applications is to:
A. ensure access rules agree with policies.
B. create role-based rules for each business process.
C. authorize secured emergency access.
D. approve the organization's security policy.
Answer: B

NO.197 An IS auditor has been asked to assess the security of a recently migrated database system
that contains personal and financial data for a bank's customers. Which of the following controls is
MOST important for the auditor to confirm is in place?
A. The default configurations have been changed.
B. The default administration account is used after changing the account password.
C. The service port used by the database server has been changed.
D. All tables in the database are normalized.
Answer: A

NO.198 An IS auditor wants to understand the collective effect of the preventive, detective, and
corrective controls for a specific business process. Which of the following should the auditor focus on
FIRST?
A. The formal documentation of the process and how adherence is measured
B. Whether the existence of preventive controls causes corrective controls to become unnecessary
C. Whether segregation of duties is in place when two controls are applied simultaneously
D. The various points in the process where controls are exercised
Answer: D

NO.199 An IS auditor is reviewing security controls related to collaboration tools in a unit responsible for
intellectual property and patents. Which of the following observations should be of MOST concern to
the auditor?
A. Logging and monitoring for content filtering is not enabled.
B. Employees can share files with users outside the company through collaboration tools.
C. The collaboration tool is hosted and can only be accessed via an Internet browser.
D. Training was not provided to the department that handles intellectual property and patents.
Answer: D

NO.200 Which of the following situations would impair the independence of an IS auditor involved
in a software development project?
A. Determining the nature of implemented controls
B. Programming embedded audit modules
C. Being an expert advisor to the project sponsor
D. Defining end-user requirements
Answer: D

NO.201 A company converted its payroll system from an external service to an internal package.
Payroll processing in April was run in parallel. To validate the completeness of data after the
conversion, which of the following comparisons from the old to the new system would be MOST
effective?
A. Turnaround time for payroll processing
B. Employee counts and year-to-date payroll totals
C. Cut-off dates and overwrites for a sample of employees
D. Master file employee data to payroll journals
Answer: B

NO.202 Which of the following should be the FIRST step when drafting an incident response plan for
a new cyber-attack scenario?
A. Create a new incident response team.
B. Identify relevant stakeholders.
C. Schedule response testing.
D. Create a reporting template.
Answer: B

NO.203 Which of the following would BEST facilitate the detection of internal fraud perpetrated by
an individual?
A. Mandatory leave
B. Flexible time
C. Corporate fraud hotline
D. Segregation of duties
Answer: A

NO.204 When reviewing the functionality of an intrusion detection system (IDS), the IS auditor
should be MOST concerned if:
A. actual attacks have not been identified.
B. legitimate packets blocked by the system have increased.
C. false positives have been reported.
D. detected events have increased.
Answer: A

NO.205 Which of the following is the BEST way to achieve high availability and fault tolerance for an
e-business system?
A. Secure offsite backup storage
B. Storage area network
C. Robust systems architecture
D. Network diversity
Answer: C

NO.206 Which of the following is the GREATEST advantage of application penetration testing over
vulnerability scanning?
A. Penetration testing can be conducted in a relatively short time period.
B. Penetration testing creates relatively smaller risks to application availability and integrity.
C. Penetration testing provides a more accurate picture of gaps in application controls.
D. Penetration testing does not require a special skill set to be executed.
Answer: C

NO.207 Which of the following is the GREATEST concern associated with migrating computing
resources to a cloud virtualized environment?
A. An increase in inherent vulnerability
B. An increase in residual risk
C. An increase in the potential for data leakage
D. An increase in the number of e-discovery requests
Answer: C

NO.208 To develop meaningful recommendations for findings, which of the following is MOST
important for an IS auditor to determine and understand?
A. Root cause
B. Criteria
C. Responsible party
D. Impact
Answer: A

NO.209 Which of the following clauses is MOST important to include in a contract to help maintain
data privacy in the event a Platform as a Service (PaaS) provider becomes financially insolvent?
A. Intellectual property protection
B. Software escrow
C. Data classification
D. Secure data destruction
Answer: D

NO.210 An IS auditor is assigned to review the IS department's quality procedures. Upon contacting
the IS manager, the auditor finds that there is an informal, unwritten set of standards. Which of the
following should be the auditor's NEXT action?
A. Finalize the audit and report the finding.
B. Postpone the audit until IS management implements written standards.
C. Make recommendations to IS management as to appropriate quality standards.
D. Document and test compliance with the informal standards.
Answer: C

NO.211 An organization needs to comply with data privacy regulations forbidding the display of
personally identifiable information (PII) on customer bills or receipts. However, it is a business
requirement to display at least one attribute so that customers can verify the bills or receipts are
intended for them. What is the BEST recommendation?
A. Data encryption
B. Data tokenization
C. Data masking
D. Data sanitization
Answer: C

NO.212 Which of the following is the MOST important consideration for building resilient systems?
A. Eliminating single points of failure
B. Performing periodic backups
C. Creating disaster recovery plans (DRPs)
D. Defining recovery point objectives (RPOs)
Answer: C

NO.213 Which of the following is the BEST recommendation to prevent fraudulent electronic funds
transfers by accounts payable employees?
A. Independent reconciliation
B. Periodic vendor reviews
C. Dual control
D. Re-keying of monetary amounts
Answer: C

NO.214 An IS auditor is reviewing a sample of production incidents and notes that a root cause
analysis is not being performed. Which of the following is the GREATEST risk associated with this
finding?
A. Future incidents may not be resolved in a timely manner.
B. Service level agreements (SLAs) may not be met.
C. Future incidents may be prioritized inappropriately.
D. The same incident may occur in the future.
Answer: D

NO.215 When reviewing a project to replace multiple manual data entry systems with an artificial
intelligence (AI) system, the IS auditor should be MOST concerned with the impact AI will have on:
A. task capacity output.
B. employee retention.
C. future task updates.
D. enterprise architecture (EA).
Answer: D

NO.216 Which of the following would be an appropriate role of internal audit in helping to establish
an organization's privacy program?
A. Analyzing risks posed by new regulations
B. Developing procedures to monitor the use of personal data
C. Defining roles within the organization related to privacy
D. Designing controls to protect personal data
Answer: D

NO.217 Which of the following is MOST important for an IS auditor to review when assessing the
integrity of encryption controls for data at rest?
A. Frequency of encryption key changes
B. Length of encryption keys
C. Protection of encryption keys
D. Encryption of test data
Answer: D

NO.218 During an audit of an organization's financial statements, an IS auditor finds that the IT
general controls are deficient. What should the IS auditor recommend?
A. Increase the substantive testing of the financial balances.
B. Place greater reliance on the framework of control.
C. Place greater reliance on the application controls.
D. Increase the compliance testing of the application controls.
Answer: D

NO.219 Due to a recent business divestiture, an organization has limited IT resources to deliver
critical projects.
Reviewing the IT staffing plan against which of the following would BEST guide IT management when
estimating resource requirements for future projects?
A. Peer organization staffing benchmarks
B. Records of actual time spent on projects
C. Budgeted forecast for the next financial year
D. Human resources (HR) sourcing strategy
Answer: C

NO.220 Which of the following would be the MOST significant factor when choosing among several
backup system alternatives with different restoration speeds?
A. Recovery point objective (RPO)
B. Mean time between failures (MTBFs)
C. Maximum tolerable outages (MTOs)
D. Recovery time objective (RTO)
Answer: D

NO.221 During which phase of the incident management life cycle should metrics such as
"mean time to incident discovery" and "cost of recovery" be reported?
A. Containment, analysis, tracking, and recovery
B. Post-incident assessment
C. Planning and preparation
D. Detection, triage, and investigation
Answer: B

NO.222 A company is using a software developer for a project. At which of the following points
should the software quality assurance (QA) plan be developed?
A. Prior to acceptance testing
B. During the feasibility phase
C. As part of software definition
D. As part of the design phase
Answer: D

NO.223 Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts
payable system. Which of the following is the IS auditor's BEST recommendation for a compensating
control?
A. Restrict payment authorization to senior staff members.
B. Review payment transaction history.
C. Require written authorization for all payment transactions.
D. Reconcile payment transactions with invoices.
Answer: C

NO.224 Which of the following provides the BEST evidence of the effectiveness of an organization's
audit quality management procedures?
A. Quality of independent review scores
B. Number of resources dedicated to quality control procedures
C. Quality of auditor performance reviews
D. Number of audits completed within the annual audit plan
Answer: A

NO.225 Which of the following should be an IS auditor's PRIMARY focus when developing a risk-
based IS audit program?
A. Business processes
B. IT strategic plans
C. Portfolio management
D. Business plans
Answer: A

NO.226 When performing a post-implementation review, the adequacy of the data conversion
effort would BEST be evaluated by performing a thorough review of the:
A. functional conversion rules.
B. go-live conversion results.
C. conversion user acceptance testing (UAT) results.
D. detailed conversion approach templates.
Answer: B

NO.227 An organization has outsourced the development of a core application. However, the
organization plans to bring the support and future maintenance of the application back in-house.
Which of the following findings should be the IS auditor's GREATEST concern?
A. A training plan for business users has not been developed.
B. The cost of outsourcing is lower than in-house development.
C. The vendor development team is located overseas.
D. The data model is not clearly documented.
Answer: D

NO.228 The MOST effective way to determine if IT is meeting business requirements is to establish:
A. a capability model.
B. industry benchmarks.
C. key performance indicators (KPls).
D. organizational goals.
Answer: C

NO.229 The PRIMARY purpose of running a new system in parallel is to:
A. determine which of the two systems is more efficient and effective.
B. validate the operation of the new system against its predecessor.
C. resolve any errors in the program and file interfaces.
D. provide the basis for comprehensive unit and system testing.
Answer: B

NO.230 Which of the following is an IS auditor's BEST course of action upon learning that preventive
controls have been replaced with detective and corrective controls?
A. Report the issue to management as the risk level has increased.
B. Evaluate whether new controls manage the risk at an acceptable level.
C. Verify the revised controls enhance the efficiency of related business processes.
D. Recommend the implementation of preventive controls in addition to the other controls.
Answer: B

NO.231 Which of the following would be the MOST appropriate reason for an organization to
purchase fault-tolerant hardware?
A. Improving system performance
B. Reducing hardware maintenance costs
C. Minimizing business loss
D. Compensating for the lack of contingency planning
Answer: C

NO.232 Which of the following is the BEST source for describing the objectives of an organization's
information systems?
A. IT management
B. Business process owners
C. Information security management
D. End users
Answer: B

NO.233 In a typical network architecture used for e-commerce, a load balancer is normally
found between the:
A. users and the external gateways.
B. mail servers and the mail repositories.
C. routers and the web servers.
D. databases and internal firewalls.
Answer: C

NO.234 Which of the following is the BEST way to mitigate the risk associated with a document
storage application that has a syncing feature that could allow malware to spread to other machines
in the network?
A. User behavior modeling and analysis should be performed to discover anomalies in user behavior.
B. Content inspection technologies should be used to scan files for sensitive data.
C. All files should be scanned when they are uploaded to and downloaded from the application.
D. An audit should be conducted to detect shadow data and shadow IT in the network.
Answer: C

NO.235 Which of the following IT service management activities is MOST likely to help with
identifying the root cause of repeated instances of network latency?
A. Problem management
B. Configuration management
C. Incident management
D. Change management
Answer: A

NO.236 The GREATEST risk of database denormalization is:
A. loss of database integrity.
B. decreased performance.
C. loss of data confidentiality.
D. incorrect metadata.
Answer: A

NO.237 Which of the following is MOST important for an IS auditor to review when evaluating the
effectiveness of an organization's incident response process?
A. Past incident response actions
B. Results from management testing of incident response procedures
C. Incident response staff experience and qualifications
D. Incident response roles and responsibilities
Answer: B

NO.238 Which of the following is the MAIN risk associated with adding a new system functionality
during the development phase without following a project change management process?
A. The new functionality may not meet requirements.
B. The added functionality has not been documented.
C. The project may go over budget.
D. The project may fail to meet the established deadline.
Answer: B

NO.239 Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
A. Availability of the site in the event of multiple disaster declarations
B. Coordination with the site staff in the event of multiple disaster declarations
C. Reciprocal agreements with other organizations
D. Complete testing of the recovery plan
Answer: A

NO.240 Which of the following is MOST important when planning a network audit?
A. Isolation of rogue access points
B. Analysis of traffic content
C. Identification of existing nodes
D. Determination of IP range in use
Answer: C

NO.241 When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical
systems do not exceed which of the following?
A. Service level objective (SLO)
B. Recovery time objective (RTO)
C. Maximum acceptable outage (MAO)
D. Recovery point objective (RPO)
Answer: D

NO.242 To help determine whether a controls-reliant approach to auditing financial systems for a
company should be used, which sequence of IS audit work is MOST appropriate?
A. Review of application controls followed by a test of key business process controls
B. Review of major financial applications followed by a review of IT governance processes
C. Review of the general IS controls followed by a review of the application controls
D. Detailed examination of financial transactions followed by review of the general ledger
Answer: A

NO.243 Which of the following is the MAIN advantage of using one-time passwords?
A. Passwords are hardware/software generated.
B. An intercepted password would be of no use.
C. The user does not need to remember passwords.
D. They are suitable for e-commerce authentication.
Answer: C

NO.244 Which of the following is the PRIMARY reason to adopt a capability model?
A. To increase the organization's level of security
B. To guide improvement of organizational processes
C. To decrease the organization's level of risk
D. To ensure compliance with laws and regulations
Answer: B

NO.245 Which of the following is the PRIMARY advantage of using virtualization technology for
corporate applications?
A. Increased application performance
B. Improved disaster recovery
C. Stronger data security
D. Better utilization of resources
Answer: D

NO.246 An IS auditor's role in privacy and security is to:
A. implement risk management methodologies.
B. verify compliance with applicable laws.
C. assist in developing an IS security strategy.
D. assist the governance steering committee with implementing a security policy.
Answer: B

NO.247 An organization is in the process of deciding whether to allow a bring your own device
(BYOD) program. If approved, which of the following should be the FIRST control required before
implementation?
A. Device registration
B. An acceptable use policy
C. Device baseline configurations
D. An awareness program
Answer: B

NO.248 Which of the following is the MOST effective control to ensure electronic records beyond
their retention periods are deleted from IT systems?
A. Build in system logic to trigger data deletion at predefined times.
B. Perform a sample check of current data against the retention schedule.
C. Review the record retention register regularly to initiate data deletion.
D. Execute all data deletions at a predefined month during the year.
Answer: A

NO.249 Which of the following is the FIRST step in initiating a data classification program?
A. Risk appetite assessment
B. Inventory of data assets
C. Assignment of data ownership
D. Assignment of sensitivity levels
Answer: B

NO.250 What information within change records would provide an IS auditor with the MOST
assurance that configuration management is operating effectively?
A. Affected configuration items and associated impacts
B. Implementation checklist for release management
C. Post-implementation review documentation
D. Configuration management plan and operating procedures
Answer: A

NO.251 The IS quality assurance (QA) group is responsible for:
A. ensuring that program changes adhere to established standards.
B. monitoring the execution of computer processing tasks.
C. designing procedures to protect data against accidental disclosure.
D. ensuring that the output received from system processing is complete.
Answer: A

NO.252 Which of the following is the GREATEST risk associated with vulnerability scanning
tools used to identify security weaknesses?
A. False positives
B. Outdated signatures for detection
C. Use of open source tools
D. False negatives
Answer: D

NO.253 Which of the following is the MOST effective way to minimize the risk of a SQL injection
attack?
A. Reconfiguring content filtering settings
B. Performing activity monitoring
C. Using secure coding practices
D. Implementing an intrusion detection tool
Answer: C

NO.254 An IS auditor has found that an organization is unable to add new servers on demand in a
cost-efficient manner. Which of the following is the auditor's BEST recommendation?
A. Upgrade hardware to newer technology.
B. Increase the capacity of existing systems.
C. Build a virtual environment.
D. Hire temporary contract workers for the IT function.
Answer: C

NO.255 An IS auditor evaluating a three-tier client/server architecture observes an issue with
graphical user interface (GUI) tasks. Which layer should the auditor recommend the client address?
A. Presentation layer
B. Application layer
C. Storage layer
D. Transport layer
Answer: A

NO.256 Which of the following is MOST important to review when evaluating the performance of a
critical web application?
A. Business-defined application response times
B. Strategy for application performance monitoring in the cloud
C. Feedback from customer satisfaction surveys
D. Roles and responsibilities for reporting
Answer: C

NO.257 Using swipe cards to limit employee access to restricted areas requires implementing which
additional control?
A. Periodic review of access profiles by management
B. Physical sign-in of all employees for access to restricted areas
C. Initial escort of all new hires by a current employee
D. Employee-access criteria determined on the basis of IS experience
Answer: A

NO.258 Which of the following should occur EARLIEST in a business continuity management
lifecycle?
A. Defining business continuity procedures
B. Carrying out a threat and risk assessment
C. Developing a training and awareness program
D. Identifying critical business processes
Answer: D

NO.259 An organization seeks to control costs related to storage media throughout the information
life cycle while still meeting business and regulatory requirements. Which of the following is the BEST
way to achieve this objective?
A. Perform periodic tape backups.
B. Stream backups to the cloud.
C. Implement a data retention policy.
D. Utilize solid state memory.
Answer: C

NO.260 Which of the following projects would be MOST important to review in an audit of an
organization's financial statements?
A. Automation of operational risk management processes
B. Resource optimization of the enterprise resource planning (ERP) system
C. Security enhancements to the customer relationship database
D. Outsourcing of the payroll system to an external service provider
Answer: D

NO.261 An internal audit department recently established a quality assurance (QA) program as
part of its overall audit program. Which of the following activities is MOST important to include as
part of the QA program requirements?
A. Analyzing user satisfaction reports from business lines
B. Benchmarking the QA framework to international standards
C. Reporting QA program results to the audit committee
D. Conducting long-term planning for internal audit staffing
Answer: A

NO.262 Which of the following is MOST important to review when planning for an IS audit of an
organization's cross-border data transfers?
A. Long-term IS strategy
B. Offshore supplier risk assessments
C. Previous external audit reports
D. Applicable regulatory requirements
Answer: D

NO.263 Which of the following approaches provides the BEST assurance and user confidence when
an organization migrates data to a more complex enterprise resource planning (ERP) system?
A. Pilot testing
B. User acceptance testing
C. Phased changeover
D. Parallel processing
Answer: D

NO.264 Which of the following is the MOST likely reason an organization would use Platform as a
Service (PaaS)?
A. To develop and integrate its applications
B. To install and manage operating systems
C. To establish a network and security architecture
D. To operate third-party hosted applications
Answer: A

NO.265 Which of the following key performance indicators (KPIs) provide stakeholders with the
MOST useful information about whether information security risk is being managed?
A. Time from security log capture to log analysis
B. The number of security controls implemented
C. Time from identifying security threats to implementing solutions
D. The number of entries in the security risk register
Answer: C

NO.266 During which phase of a system development project should key performance
indicators (KPIs) be established?
A. Planning phase
B. Closure phase
C. Execution phase
D. Initiation phase
Answer: A

NO.267 Data anonymization helps to prevent which types of attacks in a big data environment?
A. Denial of service (DoS)
B. Man-in-the-middle
C. Correlation
D. Spoofing
Answer: C

NO.268 Which of the following is a challenge in developing a service level agreement (SLA) for
network services?
A. Ensuring that network components are not modified by the client
B. Reducing the number of entry points into the network
C. Finding performance metrics that can be measured properly
D. Establishing a well-designed framework for network services
Answer: C

NO.269 Which of the following security risks can be reduced by a properly configured network
firewall?
A. Phishing attacks
B. Insider attacks
C. Denial of service (DoS) attacks
D. SQL injection attacks
Answer: C

NO.270 Which of the following validation techniques would BEST prevent duplicate electronic
vouchers?
A. Sequence check
B. Edit check
C. Cyclic redundancy check
D. Reasonableness check
Answer: A

NO.271 Which of the following is an IS auditor's GREATEST concern when an organization does not
regularly update software on individual workstations in the internal environment?
A. The organization may be more susceptible to cyber-attacks.
B. The organization may not be in compliance with licensing agreements.

C. System functionality may not meet business requirements.
D. The system may have version control issues.
Answer: A

NO.272 Which of the following is the BEST way to address ongoing concerns with the quality and
accuracy of internal audits?
A. Require internal peer reviews of audit workpapers.
B. Improve training for IS audit personnel.
C. Engage an independent review of the audit function.
D. Implement performance management for IS auditors.
Answer: C

NO.273 An IS auditor is evaluating the risk associated with moving from one database management
system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of
the system throughout the change?
A. Preserving the same data inputs
B. Preserving the same data interfaces
C. Preserving the same data classifications
D. Preserving the same data structure
Answer: A

NO.274 An organization that has suffered a cyber attack is performing a forensic analysis of the
affected users' computers. Which of the following should be of GREATEST concern for the IS auditor
reviewing this process?
A. Audit was only involved during extraction of the information.
B. The legal department has not been engaged.
C. The chain of custody has not been documented.
D. An imaging process was used to obtain a copy of the data from each computer.
Answer: C

NO.275 A new application will require multiple interfaces. Which of the following testing methods
can be used to detect interface errors early in the development life cycle?
A. Bottom up
B. Acceptance
C. Top down
D. Sociability
Answer: D

NO.276 An existing system is being replaced with a new application package. User acceptance testing
(UAT) should ensure that:
A. there is a business need for the new system.
B. the new system functions as expected.
C. the new system is better than the old system.
D. data from the old system has been converted correctly.
Answer: B

NO.277 An organization's software developers need access to personally identifiable information
(PII) stored in a particular data format. Which of the following is the BEST way to protect this
sensitive information while allowing the developers to use it in development and test environments?
A. Data encryption
B. Data tokenization
C. Data abstraction
D. Data masking
Answer: D

NO.278 When evaluating database management practices, which of the following controls would
MOST effectively support data integrity?
A. User access controls
B. System edit checks
C. System-generated duplicate transaction reports
D. System processing output balanced to control totals
Answer: B

NO.279 While conducting a review of project plans related to a new software development, an IS
auditor finds the project initiation document (PID) is incomplete. What is the BEST way for the
auditor to proceed?
A. Meet with the project sponsor to discuss the incomplete document.
B. Prepare a finding for the audit report.
C. Inform audit management of possible risks associated with the deficiency.
D. Escalate to the project steering committee.
Answer: A

NO.280 Which of the following is the MOST appropriate role for an IS auditor assigned as a team
member for a software development project?
A. Developing user acceptance testing (UAT) scripts
B. Implementing controls within the software
C. Monitoring assessed risk for the project
D. Performing a mid-term evaluation of the project management process
Answer: C

NO.281 An IS auditor is reviewing a data conversion project. Which of the following is the auditor's
BEST recommendation prior to go-live?
A. Establish a configuration baseline.
B. Conduct a mock conversion test.
C. Automate the test scripts.
D. Review test procedures and scenarios.
Answer: B

NO.282 Which of the following would be an IS auditor's GREATEST concern when reviewing the early
stages of a software development project?
A. The lack of a detailed unit and system test plan
B. The lack of acceptance criteria behind user requirements
C. The lack of completion of all requirements at the end of each sprint
D. The lack of technical documentation to support the program code
Answer: B

NO.283 Which of the following areas of responsibility would cause the GREATEST segregation of
duties conflict if the individual who performs the related tasks also has approval authority?
A. Purchase requisitions and purchase orders
B. Vendor selection and statements of work
C. Invoices and reconciliations
D. Goods receipts and payments
Answer: D

NO.284 An IS auditor is reviewing database log settings and notices that only INSERT and DELETE
operations are being monitored in the database. What is the MOST significant risk?
A. Metadata may not be logged.
B. Purged records may not be logged.
C. Newly added records may not be logged.
D. Changes to existing records may not be logged.
Answer: D
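The gap in NO.284 is easy to reproduce. The following is an added example, not part of the exam material: an in-memory SQLite database whose trigger-based audit trail mirrors the observed configuration (INSERT and DELETE logged, UPDATE not), so an in-place change to a payment amount leaves no trace until the UPDATE trigger is added. The table layout and the audit_log schema are assumptions for illustration.

```python
"""Database audit logging gap: triggers on INSERT and DELETE only miss UPDATEs.
Added example using SQLite trigger-based logging; schema is an assumption."""
from __future__ import annotations
import sqlite3

SCHEMA = """
CREATE TABLE payments (id INTEGER PRIMARY KEY, payee TEXT NOT NULL, amount REAL NOT NULL);
CREATE TABLE audit_log (seq INTEGER PRIMARY KEY AUTOINCREMENT, op TEXT, row_id INTEGER,
                        old_amount REAL, new_amount REAL);
"""

# The configuration the auditor observed: only INSERT and DELETE are captured.
PARTIAL_AUDIT = """
CREATE TRIGGER log_insert AFTER INSERT ON payments BEGIN
  INSERT INTO audit_log(op, row_id, old_amount, new_amount)
  VALUES ('INSERT', NEW.id, NULL, NEW.amount);
END;
CREATE TRIGGER log_delete AFTER DELETE ON payments BEGIN
  INSERT INTO audit_log(op, row_id, old_amount, new_amount)
  VALUES ('DELETE', OLD.id, OLD.amount, NULL);
END;
"""

# The missing control: changes to existing records, with before and after values.
UPDATE_AUDIT = """
CREATE TRIGGER log_update AFTER UPDATE ON payments BEGIN
  INSERT INTO audit_log(op, row_id, old_amount, new_amount)
  VALUES ('UPDATE', NEW.id, OLD.amount, NEW.amount);
END;
"""


def build_db(log_updates: bool) -> sqlite3.Connection:
    """Fresh database with the partial audit config, optionally completed with the UPDATE trigger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + PARTIAL_AUDIT + (UPDATE_AUDIT if log_updates else ""))
    return conn


def simulate_tampering(conn: sqlite3.Connection) -> list[tuple]:
    """A legitimate payment is inserted, then its amount is silently inflated in place."""
    conn.execute("INSERT INTO payments(payee, amount) VALUES ('Vendor A', 100.0)")
    conn.execute("UPDATE payments SET amount = 10000.0 WHERE payee = 'Vendor A'")
    conn.commit()
    return conn.execute(
        "SELECT op, row_id, old_amount, new_amount FROM audit_log ORDER BY seq"
    ).fetchall()


def logged_ops(log_updates: bool) -> list[str]:
    """Operation names that reached the audit log under each configuration."""
    return [row[0] for row in simulate_tampering(build_db(log_updates))]


if __name__ == "__main__":
    print("INSERT/DELETE only:", logged_ops(False))
    print("with UPDATE trigger:", logged_ops(True))
```

With only the two original triggers the audit log shows a single INSERT of 100.0 and nothing about the change to 10000.0; the UPDATE trigger is what records both the old and the new amount.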

NO.285 Which of the following is MOST important to ensure when planning a black box penetration
test?
A. The test results will be documented and communicated to management.
B. Diagrams of the organization's network architecture are available.
C. The environment and penetration test scope have been determined.
D. The management of the client organization is aware of the testing.
Answer: C

NO.286 During a privileged access review, an IS auditor observes many help desk employees
have privileges within systems not required for their job functions. Implementing which of the
following would have prevented this situation?
A. Multi-factor authentication
B. Separation of duties
C. Least privilege access
D. Privileged access reviews
Answer: C

NO.287 Which of the following is MOST important for an IS auditor to examine when reviewing an
organization's privacy policy?
A. The encryption mechanism selected by the organization for protecting personal data
B. Whether there is explicit permission from regulators to collect personal data
C. The organization's legitimate purpose for collecting personal data
D. Whether sharing of personal information with third-party service providers is prohibited
Answer: C

NO.288 During a routine check, a system administrator identifies unusual activity indicating an
intruder within a firewall. Which of the following controls has MOST likely been compromised?
A. Data integrity
B. Identification
C. Authentication
D. Data validation
Answer: C

NO.289 Which of the following is the MAIN risk associated with adding new system functionality
during the development phase without following a project change management process?
A. The project may go over budget.
B. The project may fail to meet the established deadline.
C. The added functionality has been documented.
D. The new functionality may not meet requirements.
Answer: D

NO.290 Which of the following should be of GREATEST concern to an IS auditor reviewing actions
taken during a forensic investigation?
A. The investigation report does not indicate a conclusion.
B. An image copy of the attacked system was not taken.
C. The proper authorities were not notified.
D. The handling procedures of the attacked system are not documented.
Answer: C

NO.291 Which of the following would BEST prevent the potential leakage of sensitive corporate data
from personal mobile devices accessing corporate applications?
A. Creating a separate secure partition on the devices
B. Monitoring employee connections to the corporate network
C. Requiring employees to sign acknowledgment of an acceptable use policy
D. Limiting access and capabilities when connecting to the Internet
Answer: A

NO.292 Which of the following application input controls would MOST likely detect data input errors
in the customer account number field during the processing of an accounts receivable transaction?
A. Reasonableness check
B. Validity check
C. Parity check
D. Limit check
Answer: B
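NO.270 and NO.292 turn on telling the input edit checks apart: a sequence check catches a re-used voucher number, a validity check catches an account number that is malformed or not in the customer master, a limit check rejects an amount past a hard boundary, and a reasonableness check flags an amount that is allowed but unusual. The following is an added example, not part of the exam material, that runs all four over a constructed accounts receivable batch; the customer master, the Luhn check digit on account numbers, the credit limit and the "typical amount" window are assumptions made for illustration.

```python
"""Input edit checks over an accounts receivable batch: sequence, validity, limit
and reasonableness checks, and which input error each one catches (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed master data (assumption): valid customer account numbers, each
# carrying a Luhn check digit in its last position.
CUSTOMER_MASTER = {"1000000008", "1000000016", "1000000024"}
CREDIT_LIMIT = 50_000.00                 # assumed hard ceiling for one posting
TYPICAL_AMOUNT = (10.00, 5_000.00)       # assumed window for an ordinary invoice


@dataclass(frozen=True)
class Transaction:
    voucher_no: int
    account_no: str
    amount: float


def luhn_valid(number: str) -> bool:
    """Format part of the validity check: digits only and a correct Luhn check digit."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_check(batch: list[Transaction]) -> list[tuple[int, str]]:
    """Apply the four edit checks; return (voucher_no, reason) for every exception."""
    exceptions: list[tuple[int, str]] = []
    seen: set[int] = set()
    last: int | None = None
    for t in batch:
        # Sequence check: voucher numbers must be unique and consecutive.
        # A repeat is exactly the duplicate electronic voucher this control exists to stop.
        if t.voucher_no in seen:
            exceptions.append((t.voucher_no, "duplicate voucher (sequence check)"))
        else:
            if last is not None and t.voucher_no != last + 1:
                exceptions.append((t.voucher_no, f"expected voucher {last + 1} (sequence check)"))
            seen.add(t.voucher_no)
            last = t.voucher_no
        # Validity check: the account number must be well formed and exist in the master file.
        if not luhn_valid(t.account_no):
            exceptions.append((t.voucher_no, "malformed account number (validity check)"))
        elif t.account_no not in CUSTOMER_MASTER:
            exceptions.append((t.voucher_no, "account not in customer master (validity check)"))
        # Limit check: a hard boundary; anything beyond it is rejected outright.
        if not 0 < t.amount <= CREDIT_LIMIT:
            exceptions.append((t.voucher_no, "amount outside allowed limit (limit check)"))
        # Reasonableness check: inside the limit but unusual; flagged for review, not rejected.
        elif not TYPICAL_AMOUNT[0] <= t.amount <= TYPICAL_AMOUNT[1]:
            exceptions.append((t.voucher_no, "amount unusual for this process (reasonableness check)"))
    return exceptions


def sample_batch() -> list[Transaction]:
    """Constructed batch: one clean posting and one example of each error type."""
    return [
        Transaction(1001, "1000000008", 1_200.00),   # clean
        Transaction(1002, "1000000016", 75_000.00),  # over the limit
        Transaction(1002, "1000000024", 300.00),     # duplicate voucher number
        Transaction(1004, "1000000017", 450.00),     # voucher gap + bad check digit
        Transaction(1005, "1000000032", 20.00),      # well formed but unknown account
        Transaction(1006, "1000000024", 9_000.00),   # allowed but unusually large
    ]


def run_example() -> list[tuple[int, str]]:
    return edit_check(sample_batch())


if __name__ == "__main__":
    for voucher, reason in run_example():
        print(voucher, reason)
```

Note the division of labour: the validity check alone catches a wrong customer account number, whether mistyped (check digit fails) or nonexistent (not in the master), while the sequence check is the only one that sees the second voucher 1002.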

NO.293 Which of the following is the BEST guidance from an IS auditor to an organization planning
an initiative to improve the effectiveness of its IT processes?
A. IT management should include process improvement requirements in staff performance
objectives.
B. IT staff should be surveyed to identify current IT process weaknesses and suggest improvements.
C. The organization should refer to poor audit reports to identify the specific IT processes to be
improved.
D. The organization should use a capability maturity model to identify current maturity levels for
each IT process.
Answer: D

NO.294 Which of the following security risks can be reduced by a properly configured network
firewall?
A. SQL injection attacks
B. Insider attacks
C. Phishing attacks
D. Denial of service (DoS) attacks
Answer: D

NO.295 Which of the following is the GREATEST concern when an organization allows personal
devices to connect to its network?
A. It is difficult to enforce the security policy on personal devices.
B. It is difficult to maintain employee privacy.
C. IT infrastructure costs will increase.
D. Help desk employees will require additional training to support devices.
Answer: A

NO.296 A manufacturing company is implementing application software for its sales and distribution
system. Which of the following is the MOST important reason for the company to choose a
centralized online database?
A. Elimination of multiple points of failure
B. Elimination of the need for data normalization
C. Enhanced data redundancy
D. Enhanced integrity controls
Answer: D

NO.297 In a situation where the recovery point objective (RPO) is 0 for an online transaction
processing system, which of the following is MOST important for an IS auditor to verify?
A. The application has a clustered architecture to ensure high availability
B. Synchronous data mirroring is implemented between the data centers
C. IT is able to recover system functionality in the shortest possible time frame
D. Daily backups are created and backup media are verified
Answer: B

NO.298 The PRIMARY advantage of object-oriented technology is enhanced:
A. management of sequential program execution for data access.
B. management of a restricted variety of data types for a data object.
C. grouping of objects into methods for data access.
D. efficiency due to the re-use of elements of logic.
Answer: D

NO.299 Which of the following should an IS auditor review FIRST when evaluating a business
process for auditing?
A. Competence of the personnel performing the process
B. Design and implementation of controls
C. Evidence that IS-related controls are operating effectively
D. Assignment of responsibility for process management
Answer: B

NO.300 Which of the following is the MOST effective means of helping management and the IT
strategy committee to monitor IT performance?
A. Gap analysis
B. Measurement of service levels against metrics
C. End-user satisfaction surveys
D. Infrastructure monitoring reports
Answer: B

NO.301 An organization's audit charter PRIMARILY:
A. formally records the annual and quarterly audit plans.
B. documents the audit process and reporting standards.
C. describes the auditors' authority to conduct audits.
D. defines the auditors' code of conduct.
Answer: C

NO.302 Which of the following is MOST helpful for an IS auditor to review to gain an understanding
of IT's contribution to the business?
A. IT balanced scorecard
B. IT governance risk assessment
C. IT project risk assessment
D. IT process capability assessment.
Answer: A

NO.303 When reviewing past results of a recurring annual audit, an IS auditor notes that findings
may not have been reported and independence may not have been maintained. Which of the
following is the auditor's BEST course of action?
A. Inform audit management
B. Re-perform past audits to ensure independence
C. Inform senior management
D. Reevaluate internal controls
Answer: A

NO.304 A review of IT interface controls finds an organization does not have a process to identify
and correct records that do not get transferred to the receiving system. Which of the following
is.........
A. Implement software to perform automatic reconciliations of data between systems
B. Automate the transfer of data between systems as much as feasible.
C. Enable automatic encryption, decryption and electronic signing of data files
D. Have coders perform manual reconciliation of data between systems
Answer: A

NO.305 An organization is considering allowing users to connect personal devices to the corporate
network. Which of the following should be done FIRST?
A. Configure users on the mobile device management (MDM) solution.
B. Conduct security awareness training.
C. Implement an acceptable use policy.
D. Create inventory records of personal devices.
Answer: C

NO.306 An internal audit department recently established a quality assurance (QA) program.
Which of the following activities is MOST important to include as part of the QA program
requirements?
A. Feedback from internal audit staff
B. Long-term internal audit resource planning
C. Ongoing monitoring of the audit activities
D. Analysis of user satisfaction reports from business lines
Answer: C

NO.307 Which of the following would be the BEST indicator of the effectiveness of an organization's
portfolio management program?
A. Percentage of investments achieving their forecasted value
B. Maturity levels of the value management processes
C. Experience of the portfolio management personnel
D. Stakeholders' perception of IT's value
Answer: A

NO.308 The BEST way to prevent fraudulent payments is to implement segregation of duties
between payment processing and:
A. payment approval.
B. requisition creation.
C. vendor setup.
D. check creation.
Answer: A

NO.309 A database audit reveals an issue with the way data ownership for client data is defined.
Which of the following roles should be accountable for this finding?
A. Business management
B. Database administrator
C. Information security management
D. Privacy manager
Answer: A

NO.310 Which of the following would MOST likely impair the independence of the IS auditor when
performing a post-implementation review of an application system?
A. The IS auditor implemented a specific control during the development of the application system.
B. The IS auditor designed an embedded audit module exclusively for auditing the application
system.
C. The IS auditor participated as a member of the application system project team, but did not
have operational responsibilities.
D. The IS auditor provided consulting advice concerning application system best practices.
Answer: A

NO.311 Which of the following provides an IS auditor with the BEST evidence that a system has
been assessed for known exploits?
A. Patch cycle report
B. Vulnerability scanning report
C. Black box testing report
D. White box testing report
Answer: B

NO.312 Which of the following is MOST important for an IS auditor to consider during a review of
the IT governance of an organization?
A. Funding allocation
B. Defined service levels
C. Risk management methodology
D. Decision making responsibilities
Answer: D

NO.313 An IS auditor observes that exceptions have been approved for an organization's
information security policy. Which of the following is MOST important for the auditor to confirm?
A. Exceptions are approved by the board of directors.
B. Exceptions are approved for predefined periods.
C. Exceptions require changes to the policy.
D. Exceptions do not change residual risk.
Answer: D

NO.314 Due to budget constraints, an organization is postponing the replacement of an in-house
developed mission critical application. Which of the following represents the GREATEST risk?
A. Inability to virtualize the server
B. Eventual replacement may be more expensive
C. Inability to align to changing business needs
D. Maintenance costs may rise
Answer: C

NO.315 Which of the following is the MOST important factor when an organization is developing
information security policies and procedures?
A. Compliance with relevant regulations
B. Consultation with security staff
C. Alignment with an information security framework
D. Inclusion of mission and objectives
Answer: A

NO.316 internal IS auditor recommends that incoming accounts payable payment files be encrypted.
Which type of control is the auditor recommending?
A. Directive
B. Detective
C. Preventive
D. Corrective
Answer: C

NO.317 chain management processes Customer orders are not being fulfilled in a timely manner,
and the inventory in the warehouse does not match the quantity of goods in the sales orders. Which
of the following is the auditor's BEST recommendation?
A. Require the sales representative to verify inventory levels prior to finalizing sales orders.
B. Require the warehouse manager to send updated inventory levels on a periodic basis.
C. Revise the order fulfillment procedures in collaboration with the e-commerce team.
D. Implement an automated control to verify inventory levels prior to finalizing sales orders.
Answer: D

NO.318 Which of the following can help ensure that IT deliverables are linked to business goals and
that appropriate performance criteria are in place?
A. Business process reengineering (BPR)
B. Service level management
C. Quality assurance (QA) practices
D. Benchmarking
Answer: B

NO.319 Which of the following would be of GREATEST concern to an IS auditor reviewing an
organization's security incident handling procedures?
A. Annual tabletop exercises are performed instead of functional incident response exercises.
B. Roles for computer emergency response team (CERT) members have not been formally
documented.
C. Workstation antivirus software alerts are not regularly reviewed.
D. Guidelines for prioritizing incidents have not been identified.
Answer: D

NO.320 An IS auditor will be testing accounts payable controls by performing data analytics on the
entire population of transactions. Which of the following is MOST important for the auditor to
confirm when sourcing the population data?
A. There is no privacy information in the data.
B. The data is taken directly from the system.
C. The data can be obtained in a timely manner.
D. The data analysis tools have been recently updated.
Answer: B

NO.321 Which of the following should be of GREATEST concern to an IS auditor testing interface
controls for an associated bank wire transfer process?
A. Data is not independently verified by a third party.
B. Data in the bank's wire transfer system does not reconcile with transferred data.
C. Customer-provided information does not appear to be accurate.
D. The wire transfer was not completed with the most recent secure protocol.
Answer: B

NO.322 Regression testing should be used during a system development project to ensure that:
A. system testing will address high-probability errors.
B. the test plan is based on an analysis of the impact of past testing.
C. the results of testing are statistically valid.
D. errors have not been introduced to the system during modification.
Answer: D

NO.323 What is the BEST population to select from when testing that programs are migrated to
production with proper approval?
A. List of changes provided by application programming managers
B. Change advisory board meeting minutes
C. Completed change request forms
D. List of production programs
Answer: D

NO.324 Which of the following should an IS auditor do FIRST when assessing the level of compliance
for an organization in the banking industry?
A. Review internal documentation to evaluate adherence to external requirements.
B. Determine whether the organization has established benchmarks against industry peers for
compliance.
C. Confirm there are procedures in place to ensure organizational agreements address legal
requirements.
D. Identify industry-specific requirements that apply to the organization.
Answer: D

NO.325 An organization wants to replace its suite of legacy applications with a new, in-house
developed solution. Which of the following is the BEST way to address concerns associated with
migration of all mission-critical business functionality?
A. Strengthen governance by hiring certified and qualified project managers for the migration.
B. Expedite go-live by migrating in a single release to allow more time for testing in production.
C. Plan multiple releases to gradually migrate subsets of functionality to reduce production risk.
D. Increase testing efforts so that all possible combinations of data have been tested prior to go-live.
Answer: C

NO.326 Which of the following is MOST important to ensure when reviewing a global organization's
controls to protect data held on its IT infrastructure across all of its locations?
A. Relevant data protection legislation and regulations for each location are adhered to.
B. Technical capabilities exist in each location to manage the data and recovery operations
C. The capacity of underlying communications infrastructure in the host locations is sufficient.
D. The threat of natural disasters in each location hosting infrastructure has been accounted for.
Answer: A

NO.327 Which of the following documents would be MOST useful in detecting a weakness in
segregation of duties?
A. Data flow diagram
B. Entity-relationship diagram
C. Process flowchart
D. Systems flowchart
Answer: C

NO.328 An IS auditor begins an assignment and identifies audit components for which the auditor is
not qualified to assess. Which of the following is the BEST course of action?
A. Exclude the related tests from the audit plan and continue the assignment.
B. Notify audit management for a decision on how to proceed.
C. Complete the audit and give full disclosure in the final audit report.
D. Complete the work assignment to the best of the auditor's ability.
Answer: B

NO.329 An organization is migrating its human resources (HR) application to an Infrastructure as a
Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations
of the deployed application's operating system?
A. The organization
B. The operating system vendor
C. The cloud provider
D. The cloud provider's external auditor
Answer: A

NO.330 To ensure efficient and economic use of limited resources in supporting a local area network
(LAN) infrastructure, it is advisable to:
A. periodically rotate vendors to obtain the best price-to-performance ratio
B. standardize on a limited number of device models and software applications.
C. quickly upgrade to the latest hardware and software versions to take advantage of new features
D. recommend a variety of products so that user effectiveness and flexibility can be maximized.
Answer: B

NO.331 Which of the following is the BEST way to mitigate the risk associated with technology
obsolescence?
A. Invest in current technology
B. Create a technology watch team that evaluates emerging trends.
C. Make provisions in the budgets for potential upgrades.
D. Create tactical and strategic IS plans
Answer: D

NO.332 An accounts receivable data entry routine prevents the entry of the same customer with
different account numbers. Which of the following is the BEST way to test if this programmed control
is effective?
A. Implement a computer-assisted audit technique (CAAT).
B. Compare source code against authorized software.
C. Review a sorted customer list for duplicates.
D. Attempt to create a duplicate customer.
Answer: D

NO.333 Which of the following approaches would utilize data analytics to facilitate the testing of a
new account creation process?
A. Review new account applications submitted in the past month for invalid dates of birth
B. Evaluate configuration settings for the date of birth field requirements.
C. Review the business requirements document for date of birth field requirements.
D. Attempt to submit new account applications with invalid dates of birth

Answer: D

NO.334 Which of the following would a digital signature MOST likely prevent?
A. Corruption
B. Unauthorized change
C. Repudiation
D. Disclosure
Answer: C
A digital signature is created with the signer's private key and verified with the matching public key, so the signer cannot later deny having produced it; that is non-repudiation. A signature also detects alteration, but it cannot prevent a change or disclosure of the data, so repudiation is the answer.

NO.335 Which of the following encryption methods offers the BEST wireless security?
A. Secure Sockets Layer (SSL)
B. Wi-Fi Protected Access 2 (WPA2)
C. Wired equivalent privacy (WEP)
D. Data encryption standard (DES)
Answer: B

NO.336 Which of the following audit procedures would be MOST conclusive in evaluating the
effectiveness of an e-commerce application system's edit routine?
A. Review of program documentation
B. Use of test transactions
C. Interviews with knowledgeable users
D. Review of source code
Answer: B

NO.337 Which of the following physical controls will MOST effectively prevent breaches of
computer room security?
A. Photo IDs
B. CCTV monitoring
C. Retina scanner
D. RFID badge
Answer: C

NO.338 An IT governance body wants to determine whether IT service delivery is based on
consistently effective processes. Which of the following is the BEST approach?
A. Implement a control self-assessment (CSA).
B. Develop a maturity model.
C. Conduct a gap analysis.
D. Evaluate key performance indicators (KPIs).
Answer: D

NO.339 Which of the following should be the PRIMARY role of an internal audit function in the
management of identified business risks?
A. Operating the risk management framework
B. Validating enterprise risk management (ERM)
C. Establishing a risk appetite
D. Establishing a risk management framework
Answer: B

NO.340 An organization has outsourced its data processing function to a service provider. Which of
the following would BEST determine whether the service provider continues to meet the
organization's objectives?
A. Adequacy of the service provider's insurance
B. Periodic audits of controls by an independent auditor
C. Assessment of the personnel training processes of the provider
D. Review of performance against service level agreements (SLAs)
Answer: D

NO.341 Which of the following is the MOST important consideration for an IS auditor when
assessing the adequacy of an organization's information security policy?
A. Business objectives
B. Alignment with the IT tactical plan
C. Compliance with industry best practice
D. IT steering committee minutes
Answer: A

NO.342 An organization's enterprise architecture (EA) department decides to change a legacy
system's components while maintaining its original functionality. Which of the following is MOST
important for an IS auditor to understand when reviewing this decision?
A. The current business capabilities delivered by the legacy system
B. The proposed network topology to be used by the redesigned system
C. The data flows between the components to be used by the redesigned system
D. The database entity relationships within the legacy system
Answer: A

NO.343 Which of the following development practices would BEST mitigate the risk associated with
theft of user credentials transmitted between mobile devices and the corporate network?
A. Release mobile applications in debugging mode to allow for easy troubleshooting.
B. Enforce the validation of digital certificates used in the communication sessions.
C. Embed cryptographic keys within the mobile application source code.
D. Allow persistent sessions between mobile applications and the corporate network.
Answer: B
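The point of NO.343 is that the client, not the network, decides whether the server it is talking to is genuine. The following is an added example, not part of the exam material, showing the Python ssl client configuration that disables that decision beside the hardened one, plus a certificate-pin gate of the kind a mobile application ships with its build. The pin format (base64 of the SHA-256 of the certificate DER), the constructed certificate bytes and the connect_policy helper are assumptions for illustration; a real client obtains the DER from ssl_sock.getpeercert(binary_form=True) after the handshake.

```python
"""Client-side TLS settings for a mobile or thick client talking to the corporate
network: the 'it works in dev' configuration next to the hardened one (added example)."""
from __future__ import annotations
import base64
import hashlib
import ssl

# Constructed stand-in for a certificate's DER bytes (assumption, not a real certificate).
SAMPLE_CERT_DER = b"constructed-stand-in-for-certificate-DER"


def weak_context() -> ssl.SSLContext:
    """Anti-pattern: validation disabled, so any on-path host can present any certificate
    and capture the credentials the app sends over the session."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can become CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Peer certificate required, chain checked against the trust store, hostname checked."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, default CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context both requires a certificate and checks the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_pin(der_cert: bytes) -> str:
    """Pin value: base64(SHA-256(certificate DER)); computed at build time for the
    expected server certificate and compared at run time."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode()


def pin_accepts(der_cert: bytes, trusted_pins: set[str]) -> bool:
    """Second gate after chain validation: the presented certificate must match a shipped pin."""
    return cert_pin(der_cert) in trusted_pins


def connect_policy(ctx: ssl.SSLContext, der_cert: bytes, trusted_pins: set[str]) -> str:
    """Decision the client should reach before sending credentials over the session."""
    if not validates_peer(ctx):
        return "refuse: context does not validate the peer"
    if not pin_accepts(der_cert, trusted_pins):
        return "refuse: certificate does not match pin"
    return "proceed"


if __name__ == "__main__":
    pins = {cert_pin(SAMPLE_CERT_DER)}
    print(connect_policy(weak_context(), SAMPLE_CERT_DER, pins))
    print(connect_policy(hardened_context(), SAMPLE_CERT_DER, pins))
    print(connect_policy(hardened_context(), SAMPLE_CERT_DER + b"x", pins))
```

Pinning on the whole certificate, as here, breaks on every routine renewal; pinning on the SubjectPublicKeyInfo survives renewals that keep the key but needs an ASN.1 parser to extract it, which is why production clients usually rely on the platform's pinning support rather than hand-rolled code.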

NO.344 An IS audit manager finds that data manipulation logic developed by the audit analytics
team leads to incorrect conclusions. This inaccurate logic is MOST likely an indication of which of the
following?

A. Poor change controls over data sets collected from the business
B. The team's poor understanding of the business process being analyzed
C. Poor security controls that grant inappropriate access to analysis produced
D. Incompatibility between data volume and analytics processing capacity
Answer: B

NO.345 An IS auditor has been asked to perform an assurance review of an organization's mobile
computing security. To ensure the organization is able to centrally manage mobile devices to protect
against data disclosure, it is MOST important for the auditor to determine whether:
A. lost devices can be located remotely.
B. a mobile security awareness training program exists.
C. procedures for lost devices include remote wiping of data.
D. a security policy exists for mobile devices.
Answer: C

NO.346 Which of the following security testing techniques is MOST effective in discovering unknown
malicious attacks?
A. Vulnerability testing
B. Reverse engineering
C. Penetration testing
D. Sandboxing
Answer: D

NO.347 Which of the following is the MOST effective control to mitigate unintentional misuse of
authorized access?
A. Security awareness training
B. Regular monitoring of user access logs
C. Formalized disciplinary action
D. Annual sign-off of acceptable use policy
Answer: A

NO.348 Which of the following is MOST important to ensure during computer forensics
investigations?
A. The contents of digital evidence are preserved in their original form.
B. The analysis is performed against the original digital evidence.
C. Personnel undertaking the investigation process are certified to collect digital evidence.
D. Effective backup schemes are in place to preserve digital evidence.
Answer: A
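NO.274, NO.290 and NO.348 all come back to the same discipline: image the evidence, prove the image matches, work only on the copy, and keep a chain-of-custody record that lets anyone re-verify it later. The following is an added example, not part of the exam material, that walks through that sequence on a constructed log file in a temporary directory and then shows how the acquisition hash exposes a write to the working copy. The custody record format and the handler name are assumptions for illustration.

```python
"""Evidence handling: image the source, hash it, analyse only the copy, and keep a
chain-of-custody record that lets anyone re-verify the copy later (added example)."""
from __future__ import annotations
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed log lines standing in for the contents of a seized file.
EVIDENCE_LINES = [
    "2024-03-01T09:12:01Z sshd: Accepted password for admin from 10.0.0.5",
    "2024-03-01T09:12:44Z sudo: admin : COMMAND=/usr/bin/scp /etc/shadow 10.0.0.5:/tmp",
    "2024-03-01T09:13:10Z cron: run-parts (/etc/cron.hourly) starting",
]


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record(custody: list[dict], handler: str, action: str, **details) -> None:
    """One chain-of-custody entry: who did what to which item, when, and the hash seen."""
    custody.append({"when": datetime.now(timezone.utc).isoformat(), "who": handler,
                    "action": action, **details})


def acquire(source: Path, image: Path, custody: list[dict], handler: str) -> str:
    """Copy the evidence and prove the copy is bit-for-bit identical before anyone touches it."""
    before = sha256_file(source)
    shutil.copyfile(source, image)
    after = sha256_file(image)
    if before != after:
        raise RuntimeError("image hash differs from source; repeat the acquisition")
    record(custody, handler, "acquired image", item=str(image), sha256=after)
    return after


def acquisition_hash(custody: list[dict]) -> str:
    return next(e["sha256"] for e in custody if e["action"] == "acquired image")


def verify(image: Path, custody: list[dict]) -> bool:
    """Re-hash the working copy and compare with the hash logged at acquisition."""
    return sha256_file(image) == acquisition_hash(custody)


def analyze(image: Path, indicator: str, custody: list[dict], handler: str) -> int:
    """Read-only analysis on the copy: count lines that mention the indicator."""
    hits = sum(1 for line in image.read_text().splitlines() if indicator in line)
    record(custody, handler, "read-only analysis", item=str(image), indicator=indicator, hits=hits)
    return hits


def run_example() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "auth.log"       # stands in for the seized original
        image = Path(tmp) / "auth.log.img"    # the examiner's working copy
        source.write_text("\n".join(EVIDENCE_LINES) + "\n")
        custody: list[dict] = []
        acquired = acquire(source, image, custody, handler="examiner-1")
        verified_before = verify(image, custody)
        hits = analyze(image, "10.0.0.5", custody, handler="examiner-1")
        verified_after = verify(image, custody)
        # What the controls exist to catch: a write to the working copy after acquisition.
        with image.open("a") as f:
            f.write("2024-03-01T09:20:00Z note: cleaned up\n")
        return {
            "source_unchanged": sha256_file(source) == acquired,
            "verified_before_analysis": verified_before,
            "hits": hits,
            "verified_after_analysis": verified_after,
            "verified_after_tamper": verify(image, custody),
            "custody_entries": len(custody),
        }


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

Without the acquisition hash in the custody record, the appended line would be indistinguishable from original evidence; with it, the mismatch is detectable by anyone holding the record, which is what makes the copy defensible.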

NO.349 Which of the following types of testing would BEST mitigate the risk of a newly
implemented system adversely impacting existing systems?
A. Unit testing
B. User acceptance testing (UAT)

C. Sociability testing
D. Functionality testing
Answer: C

NO.350 Which of the following is the GREATEST security risk associated with data migration from a
legacy human resources (HR) system to a cloud-based system?
A. Data from the source and target system may be intercepted
B. Records past their retention period may not be migrated to the new system
C. System performance may be impacted by the migration
D. Data from the source and target system may have different data formats
Answer: A

NO.351 As part of business continuity planning, which of the following is MOST important to assess
when conducting a business impact analysis (BIA)?
A. Recovery scenarios
B. Completeness of critical asset inventory
C. Risk appetite
D. Critical applications in the cloud
Answer: B

NO.352 The PRIMARY reason an IS department should analyze past incidents and problems is to:
A. determine if all incidents and problems are reported
B. assess help desk performance
C. assign responsibility for problems.
D. identify the causes of recurring incidents and problems.
Answer: D

NO.353 A financial institution suspects that a manager has been crediting customer accounts
without authorization. Which of the following is the MOST effective method to validate this concern?
A. Variable sampling
B. Attribute sampling
C. Stop or go sampling
D. Discovery sampling
Answer: B

NO.354 Which of the following is MOST important to include in a contract to outsource data
processing that involves customer personally identifiable information (PII)?
A. The vendor must comply with the organization's legal and regulatory requirements.
B. The vendor must provide an independent report of its data processing facilities.
C. The vendor must compensate the organization if nonperformance occurs.
D. The vendor must sign a nondisclosure agreement with the organization.
Answer: A

NO.355 Which of the following is the BEST methodology to use for estimating the complexity of
developing a large business application?
A. Work breakdown structure
B. Critical path analysis
C. Software cost estimation
D. Function point analysis
Answer: D

NO.356 Which of the following BEST measures project progress?
A. Earned-value analysis (EVA)
B. Project plan
C. SWOT analysis
D. Gantt chart
Answer: A

NO.357 Which of the following should be done FIRST when planning a penetration test?
A. Execute nondisclosure agreements (NDAs).
B. Define the testing scope.
C. Determine reporting requirements for vulnerabilities
D. Obtain management consent for the testing
Answer: D

NO.358 An IS auditor performing an audit of backup procedures observes that backup tapes are
picked up weekly and stored offsite at a third-party hosting facility. Which of the following
recommendations would be the BEST way to protect the integrity of the data on the backup tapes?
A. Ensure that the transport company obtains signatures for all shipments
B. Ensure that data is encrypted before leaving the facility.
C. Confirm that data transfers are logged and recorded.
D. Confirm that data is transported in locked tamper-evident containers.
Answer: B

NO.359 An IS auditor performing an audit of backup procedures observes that backup tapes are
picked up weekly and stored offsite at a third-party hosting facility. Which of the following
recommendations would be the BEST way to maintain data integrity during transport?
A. Ensure the data is validated prior to transport.
B. Ensure that logging and recording of data transport takes place.
C. Ensure the transport company is licensed and insured.
D. Ensure the data is transported in locked tamper-evident containers.
Answer: D

NO.360 An IS auditor finds the timeliness and depth of information regarding the organization's IT
projects varies based on which project manager is assigned. Which of the following
recommendations would be MOST helpful in achieving predictable and repeatable project
management processes?
A. Alignment of project performance to pay incentives
B. Adoption of business case and earned value templates
C. Use of Gantt charts and work breakdown structures
D. Measurement against defined and documented procedures
Answer: B

NO.361 Which of the following measures BEST mitigates the risk of exfiltration during a cyber
attack?
A. Perimeter firewall
B. Data loss prevention (DLP) system
C. Network access controls (NAC)
D. Hashing of sensitive data
Answer: C

NO.362 An IS auditor reviewing a purchase accounting system notices several duplicate payments
made for the services rendered. Which of the following is the auditor's BEST recommendation for
preventing duplicate payments?
A. Implement a configuration control to enable sequential numbering of invoices.
B. Request vendors to attach service acknowledgment notices to purchase orders.
C. Implement a system control that determines if there are corresponding invoices for purchase
orders.
D. Perform additional supervisory reviews prior to the invoice payments.
Answer: C

NO.363 Which of the following should be done FIRST to develop an effective business continuity
plan (BCP)?
A. Secure an alternate processing site
B. Perform a business impact analysis (BIA).
C. Create a disaster recovery plan (DRP).
D. Create a business unit communications plan.
Answer: D

NO.364 A USB device containing sensitive production data was lost by an employee and its contents
were subsequently found published online. Which of the following controls is the BEST
recommendation to prevent a similar recurrence?
A. Training users on USB device security
B. Monitoring data being downloaded on USB devices
C. Electronically tracking portable devices
D. Using a strong encryption algorithm
Answer: A

NO.365 Which of the following is the MOST significant risk associated with peer-to-peer networking
technology?
A. Reduction in staff productivity
B. Loss of information during transmission
C. Lack of reliable internet network connections
D. Lack of central monitoring
Answer: D

NO.366 What is the PRIMARY reason to adopt a risk-based IS audit strategy?
A. To achieve synergy between audit and other risk management functions
B. To identity key threats, risks, and controls for the organization
C. To reduce the time and effort needed to perform a full audit cycle
D. To prioritize available resources and focus on areas with significant risk
Answer: D

NO.367 During an audit of a disaster recovery plan (DRP) for a critical business area, an IS auditor
finds that not all critical systems are covered. What should the auditor do NEXT?
A. Verify whether the systems are part of the business impact analysis (BIA).
B. Evaluate the impact of not covering the systems.
C. Evaluate the prior year's audit results regarding critical system coverage.
D. Escalate the finding to senior management.
Answer: A

NO.368 A large insurance company is about to replace a major financial application. Which of the
following is the IS auditor's PRIMARY focus when conducting the pre-implementation review?
A. Procedure updates
B. Migration of data
C. System manuals
D. Unit testing
Answer: B

NO.369 What would be an IS auditor's BEST recommendation upon finding that a third-party IT
service provider hosts the organization's human resources (HR) system in a foreign country?
A. Perform background verification checks.
B. Implement change management review.
C. Conduct a privacy impact analysis.
D. Review third-party audit reports.
Answer: C

NO.370 During an IT operations audit, multiple unencrypted backup tapes containing sensitive credit
card information cannot be found. Which of the following presents the GREATEST risk to the
organization?
A. Reputational damage due to potential identity theft
B. Business disruption if a data restore cannot be completed
C. The cost of recreating the missing backup tapes
D. Human resource cost of responding to the incident
Answer: A

NO.371 Which of the following should be of GREATEST concern to an IS auditor performing a review
of information security controls?
A. The information security policy does not include mobile device provisions.
B. The information security policy has not been approved by the chief audit executive (CAE).
C. The information security policy has not been approved by the policy owner.
D. The information security policy is not frequently reviewed.
Answer: C

NO.372 Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
A. Complexity of management's action plans
B. Recommendation from executive management
C. Audit cycle defined in the audit plan
D. Residual risk from the findings of previous audits
Answer: D

NO.373 The activation of a pandemic response plan has resulted in a remote workforce situation.
Which of the following technologies poses the GREATEST risk to data confidentiality?
A. Remotely managed network switches
B. Rapid increase in the number of virtual private network (VPN) users
C. On-premise employee workstations left unattended
D. BYOD devices without adequate endpoint protection
Answer: D

NO.374 Which of the following is MOST important for the successful establishment of a security
vulnerability management program?
A. A comprehensive asset inventory
B. A tested incident response plan
C. An approved patching policy
D. A robust tabletop exercise plan
Answer: C

NO.375 Which of the following practices BEST ensures that archived electronic information of
permanent importance is accessible over time?
A. Acquire applications that emulate old software.
B. Periodically test the integrity of the information.
C. Regularly migrate data to current technology.
D. Periodically backup the archived data.
Answer: C

NO.376 Code changes are compiled and placed in a change folder by the developer. An
implementation team migrates changes to production from the change folder. Which of the following
BEST indicates separation of duties is in place during the migration process?
A. A second individual performs code review before the change is released to production.
B. The implementation team does not have access to change the source code.
C. The implementation team does not have experience writing code.
D. The developer approves changes prior to moving them to the change folder.
Answer: B

NO.377 The use of cookies constitutes the MOST significant security threat when they are used for:
A. obtaining a public key from a certification authority (CA)
B. authenticating using username and password
C. downloading files from the host server
D. forwarding email and Internet protocol (IP) addresses
Answer: B

NO.378 An airline's online booking system uses an automated script that checks whether fares are
within the defined threshold of what is reasonable before the fares are displayed on the website.
Which type of control is in place?
A. Preventive control
B. Corrective control
C. Detective control
D. Compensating control
Answer: A

NO.379 Which of the following is the PRIMARY reason for an IS auditor to select a statistical
sampling method?
A. Statistical sampling methods enable the auditor to objectively quantify the probability of error.
B. Statistical sampling methods are the most effective way to avoid sampling risk.
C. Statistical sampling methods must be used to mitigate audit risk.
D. Statistical sampling methods help the auditor to determine the tolerable error rate.
Answer: B

NO.380 Which of the following is a PRIMARY role of an IT steering committee?
A. Acting as liaison between the organization's assurance and senior management teams
B. Determining the acceptability of residual risk arising from the IT risk strategy
C. Providing insight and advice on the progress of major IT projects
D. Communicating organizational business objectives to the IT department
Answer: A

NO.381 Which of the following human resources management practices BEST leads to the detection
of fraudulent activity?
A. Background checks
B. Time reporting
C. Employee code of ethics
D. Mandatory time off
Answer: D

NO.382 The use of control totals reduces the risk of:
A. posting to the wrong record
B. improper authorization
C. incomplete processing
D. improper backup.
Answer: C

NO.383 Which of the following findings should be of GREATEST concern for an IS auditor when
auditing the effectiveness of a phishing simulation test administered for staff members?
A. Test results were not communicated to staff members
B. Staff members who failed the test did not receive follow-up education
C. Security awareness training was not provided prior to the test
D. Staff members were not notified about the test beforehand
Answer: B

NO.384 Which of the following IS functions can be performed by the same group or individual while
still providing the proper segregation of duties?
A. Application programming and systems analysis
B. Computer operations and application programming
C. Security administration and application programming
D. Database administration and computer operations
Answer: A

NO.385 Which of the following yields the HIGHEST level of system availability?
A. Cloud storage
B. Hot swaps
C. Backups
D. Real-time replication
Answer: D

NO.386 Which of the following should be an IS auditor's GREATEST concern when a security audit
reveals the organization's vulnerability assessment approach is limited to running a vulnerability
scanner on its network?
A. A scanner does not exploit the vulnerability in the systems.
B. External risks in the organization's environment may go undetected.
C. Some of the vulnerabilities discovered may be false positives.
D. System performance may be degraded by the scanner.
Answer: B

NO.387 Which of the following BEST facilitates the management of assets during the
implementation of an information system?
A. Configuration management database (CMDB)
B. Quality management controls
C. Decision support system
D. Asset procurement system
Answer: A

NO.388 Which of the following is a preventive control related to change management?
A. Implementation of managed change approval processes
B. Log review of managed changes
C. Debugging of implemented changes
D. Audit of implemented changes for the period under review
Answer: A

NO.389 Which of the following MOST efficiently protects computer equipment against short-term
reductions in electrical power?
A. Surge protection devices
B. Alternative power supplies
C. Power line conditioners
D. Generators
Answer: C

NO.390 Which of the following should be of concern to an IS auditor performing a software audit on
virtual machines?
A. Software licensing does not support virtual machines
B. Applications have not been approved by the chief financial officer (CFO).
C. Multiple users can access critical applications
D. Software has been installed on virtual machines by privileged users.
Answer: A

NO.391 An IS auditor is reviewing a recent security incident and is seeking information about the
approval of a recent modification to a database system's security settings. Where would the auditor
MOST likely find this information?
A. System event correlation report
B. Change log
C. Database log
D. Security incident and event management (SIEM) report
Answer: B

NO.392 Which of the following is the BEST source of information for an IS auditor to use when
determining whether an organization's information security policy is adequate?
A. Penetration test results
B. Risk assessment results
C. Information security program plans
D. Industry benchmarks
Answer: B

NO.393 Which of the following weaknesses would have the GREATEST impact on the effective
operation of a perimeter firewall?
A. Potential back doors to the firewall software
B. Use of stateful firewalls with default configuration
C. Ad hoc monitoring of firewall activity
D. Misconfiguration of the firewall rules
Answer: D

NO.394 An organization is disposing of a system containing sensitive data and has deleted all files
from the hard disk. An IS auditor should be concerned because:
A. backup copies of files were not deleted as well.
B. deleting all files separately is not as efficient as formatting the hard disk.
C. deleting the files logically does not overwrite the files' physical data.
D. deleted data cannot easily be retrieved.
Answer: C

NO.395 An IS auditor is planning to audit an organization's infrastructure for access, patching, and
change management. Which of the following is the BEST way to prioritize the systems?
A. Complexity of the environment
B. Criticality of the system
C. System hierarchy within the infrastructure
D. System retirement plan
Answer: B

NO.396 Which of the following findings should be of GREATEST concern to an IS auditor conducting
a forensic analysis following incidents of suspicious activities on a server?
A. Audit logs are not enabled on the server.
B. The server is outside the domain.
C. The server's operating system is outdated.
D. Most suspicious activities were created by system IDs.
Answer: A

NO.397 An IS auditor is reviewing an enterprise database platform. The review involves statistical
methods, Benford analysis, and duplicate checks. Which of the following computer-assisted audit
technique (CAAT) tools would be MOST useful for this review?
A. Continuous and intermittent simulation (CIS)
B. Generalized audit software (GAS)
C. Audit hooks
D. Integrated test facility (ITF)
Answer: B

NO.398 The BEST method an organization can employ to align its business continuity plan (BCP) and
disaster recovery plan (DRP) with core business needs is to:
A. include BCP and disaster recovery plan responsibilities as a part of new employee training.
B. execute periodic walk-throughs of the plans.
C. update the business impact analysis (BIA) for significant business changes.
D. outsource the maintenance of the BCP and disaster recovery plan to a third party.
Answer: C

NO.399 During an incident management audit, an IS auditor finds that several similar incidents were
logged during the audit period. Which of the following is the auditor's MOST important course of
action?
A. Determine if a root cause analysis was conducted
B. Document the finding and present it to management.
C. Confirm the resolution time of the incidents.
D. Validate whether all incidents have been actioned.
Answer: A

NO.400 Which of the following should be an IS auditor's PRIMARY consideration when evaluating
the development and design of a privacy program?
A. Information security and incident management practices
B. Industry practice and regulatory compliance guidance
C. Data governance and data classification procedures
D. Policies and procedures consistent with privacy guidelines
Answer: D

NO.401 During a review of an application system, an IS auditor identifies automated controls
designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the
controls work as designed?
A. Implement periodic reconciliations.
B. Review quality assurance (QA) test results.
C. Use generalized audit software for seeking data corresponding to duplicate transactions.
D. Enter duplicate transactions in a copy of the live system.
Answer: D

NO.402 Which of the following is the BEST way to reduce sampling risk?
A. Plan the audit in accordance with generally accepted auditing principles
B. Ensure each item has an equal chance to be selected
C. Assign experienced auditors to the sampling process.
D. Align the sampling approach with the one used by external auditors
Answer: B

NO.403 An application used at a financial services organization transmits confidential customer data
to downstream applications using a batch process. Which of the following controls would protect this
information?
A. Header record with timestamp
B. Record count
C. Control file
D. Secure File Transfer Protocol (SFTP)
Answer: D

NO.404 Which of the following is the BEST solution to minimize risk from security flaws introduced
by developers using open source libraries?
A. Dynamic application security testing tools
B. Security business impact analysis (BIA)
C. Checks of dependencies between code libraries
D. Technical documentation review policies
Answer: A

NO.405 When aligning IT projects with organizational objectives, it is MOST important to ensure
that the:
A. percentage of growth in project intake is reviewed.
B. overall success rate of projects is high.
C. business cases have been clearly defined for all projects.
D. project portfolio database is updated when new systems are acquired.
Answer: C

NO.406 An organization's business function wants to capture customer data and must comply with
global data protection regulations. Which of the following should be considered FIRST?
A. The location of data storage
B. The encryption method for the data
C. The attributes of collected data
D. The legal basis for collecting the data
Answer: D

NO.407 Which of the following metrics is MOST useful to an IS auditor when evaluating whether IT
investments are meeting business objectives?
A. Realized return on investment (ROI) versus projected ROI
B. Actual return on investment (ROI) versus industry average ROI.
C. Actual versus projected customer satisfaction
D. Budgeted spend versus actual spend
Answer: A

NO.408 Segregation of duties would be compromised if:
A. application programmers moved programs into production.
B. application programmers accessed test data.
C. database administrators (DBAs) modified the structure of user tables.
D. operations staff modified batch schedules.
Answer: B

NO.409 An organization's information security department has recently created a centralized
governance model to ensure that network-related findings are remediated within the service level
agreement (SLA). What should the IS auditor use to assess the maturity and capability of this
governance model?
A. Key performance indicators (KPIs)
B. Key data elements
C. Key risk indicators (KRIs)
D. Key process controls
Answer: A

NO.410 Which of the following is the GREATEST concern associated with a high number of IT policy
exceptions approved by management?
A. The exceptions may result in noncompliance.
B. The exceptions are likely to continue indefinitely.
C. The exceptions may elevate the level of operational risk.
D. The exceptions may negatively impact process efficiency
Answer: A

NO.411 What is the PRIMARY benefit of prototyping as a method of system development?
A. Reduces the need for testing.
B. Minimizes the time the IS auditor has to review the system.
C. Increases the likelihood of user satisfaction.
D. Eliminates the need for documentation.
Answer: C

NO.412 In a high-volume, real-time system, the MOST effective technique by which to continuously
monitor and analyze transaction processing is:
A. transaction tagging
B. parallel simulation.
C. integrated test facility (ITF)
D. embedded audit modules.
Answer: C

NO.413 Malicious program code was found in an application and corrected prior to release into
production. After the release, the same issue was reported. Which of the following is the IS auditor's
BEST recommendation?
A. Ensure change management reports are independently reviewed.
B. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
C. Ensure programmers cannot access code after the completion of program edits.
D. Ensure corrected program code is compiled in a dedicated server.
Answer: C

NO.414 Upon completion of audit work, an IS auditor should:
A. provide a report to senior management prior to discussion with the auditee.
B. distribute a summary of general findings to the members of the auditing team.
C. provide a report to the auditee stating the initial findings.
D. review the working papers with the auditee.
Answer: B

NO.415 An organization plans to eliminate pilot releases and instead deliver all functionality in a
single release. Which of the following is the GREATEST risk with this approach?
A. Likelihood of scope creep over time
B. Increased oversight required to track projects
C. Inability to track project costs
D. Releasing critical deficiencies into production
Answer: D

NO.416 Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA)
workshop?
A. Assisting participants in evaluating risks and relevant controls
B. Gathering background information prior to the CSA workshop
C. Reporting results of the workshop and recommendations to management
D. Analyzing gaps between control design and control framework
Answer: A

NO.417 Which of the following is the PRIMARY risk when business units procure IT assets without IT
involvement?
A. Data security requirements are not considered.
B. The business units want IT to be responsible for maintenance costs
C. Corporate procurement standards are not followed
D. System inventory becomes inaccurate.
Answer: D

NO.418 An IS auditor is informed that several spreadsheets are being used to generate key financial
information. What should the auditor verify NEXT?
A. Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO)
B. Whether adequate documentation and training is available for spreadsheet users.
C. Whether the spreadsheets meet the minimum IT general controls requirements.
D. Whether there is a complete inventory of end-user computing (EUC) spreadsheets.
Answer: C

NO.419 In planning a major system development project, function point analysis would assist in:
A. determining the business functions undertaken by a system or program.
B. estimating the size of a system development task
C. estimating the elapsed time of the project
D. analyzing the functions undertaken by system users as an aid to job redesign
Answer: D

NO.420 An organization performs both full and incremental database backups. Which of the
following will BEST enable full restoration in the event of the destruction of the data center?
A. Transmit incremental backups to an offsite location daily.
B. Rotate all backups to an offsite location daily
C. Maintain full and incremental backups in a secure server room
D. Move full backups to an offsite location weekly
Answer: B

NO.421 An IS auditor plans to review all access attempts to a video-monitored and proximity card-
controlled communications room. Which of the following would be MOST useful to the auditor?
A. Alarm system with CCTV
B. Security incident log
C. Manual sign-in and sign-out log
D. System electronic log
Answer: B

NO.422 Secure code reviews as part of a continuous deployment program are which type of control?
A. Logical
B. Detective
C. Preventive
D. Corrective
Answer: C

NO.423 An organization shares some of its customers' personally identifiable information (PII) with
third-party suppliers for business purposes. What is MOST important for the IS auditor to evaluate to
ensure that risk associated with leakage of privacy-related data during transmission is effectively
managed?
A. Nondisclosure and indemnity agreements
B. Encrypting and masking of customer data
C. Service and operational level agreements
D. The third party's privacy and data security policies
Answer: D

NO.424 Which of the following is MOST likely to enable a hacker to successfully penetrate a system?
A. Unpatched software
B. Decentralized dialup access
C. Lack of DoS protection
D. Lack of virus protection
Answer: A

NO.425 When deploying an application that was created using the programming language and tools
supported by the cloud provider, the MOST appropriate cloud computing model for an organization
to adopt is:
A. Platform as a Service (PaaS).
B. Software as a Service (SaaS).
C. Infrastructure as a Service (IaaS).
D. Identity as a Service (IDaaS).
Answer: A

NO.426 Which of the following should be done FIRST to effectively define the IT audit universe for
an entity with multiple business lines?
A. Identify aggregate residual IT risk for each business line.
B. Obtain a complete listing of the entity's IT processes
C. Obtain a complete listing of assets fundamental to the entity's businesses.
D. Identify key control objectives for each business line's core processes
Answer: C

NO.427 An organization has recently converted its infrastructure to a virtualized environment. The
GREATEST benefit related to disaster recovery is that virtualized servers:
A. eliminate the manpower necessary to restore the server.
B. decrease the recovery time objective (RTO).
C. reduce the time it takes to successfully create backups.
D. can be recreated on similar hardware faster than restoring from backups.
Answer: A

NO.428 Which of the following is the GREATEST risk associated with the use of instant messaging
(IM)?
A. Data leakage
B. Loss of employee productivity
C. Internet Protocol (IP) address spoofing
D. Excess bandwidth consumption
Answer: A

NO.429 Which of the following provides the MOST assurance over the completeness and accuracy
of loan application processing with respect to the implementation of a new system?
A. Comparing code between old and new systems
B. Loading balance and transaction data to the new system
C. Running historical transactions through the new system
D. Reviewing quality assurance (QA) procedures
Answer: C

NO.430 Which of the following is the MOST important process to ensure planned IT system changes
are completed in an efficient manner?
A. Incident management
B. Demand management
C. Release management
D. Configuration management
Answer: C

NO.431 During a post-implementation review, a step in determining whether a project met user
requirements is to review the:
A. completeness of user documentation.
B. integrity of key calculations.
C. effectiveness of user training.
D. change requests initiated after go-live.
Answer: D

NO.432 Which of the following is the BEST indication of the completeness of interface control
documents used for the development of a new application?
A. All documents have been reviewed by end users.
B. All inputs and outputs for potential actions are included.
C. Both successful and failed interface data transfers are recorded.
D. Failed interface data transfers prevent subsequent processes.
Answer: C

NO.433 An organization implemented a cybersecurity policy last year. Which of the following is the
GREATEST indicator that the policy may need to be revised?
A. A significant increase in external attack attempts.
B. A significant increase in authorized connections to third parties.
C. A significant increase in cybersecurity audit findings.
D. A significant increase in approved exceptions.
Answer: A

NO.434 What is the BEST way to control updates to the vendor master file in an accounts payable
system?
A. Using prenumbered and authorized request forms
B. Having only one person updating the master file
C. Periodically reviewing the entire vendor master file
D. Comparing updates against authorization
Answer: D

NO.435 An audit has identified that business units have purchased cloud-based applications without
IT's support. What is the GREATEST risk associated with this situation?
A. The applications could be modified without advanced notice.
B. The application purchases did not follow procurement policy.
C. The applications are not included in business continuity plans (BCPs).
D. The applications may not reasonably protect data.
Answer: C

NO.436 An IS auditor finds the log management system is overwhelmed with false positive alerts.
The auditor's BEST recommendation would be to:
A. reduce the firewall rules.
B. establish criteria for reviewing alerts.
C. fine-tune the intrusion detection system (IDS).
D. recruit more monitoring personnel.
Answer: C

NO.437 An IS auditor is performing a follow-up audit for findings identified in an organization's user
provisioning process. Which of the following is the MOST appropriate population to sample from when
testing for remediation?
A. All users provisioned after the final audit report was issued
B. All users provisioned after management resolved the audit issue
C. All users who have followed user provisioning processes provided by management
D. All users provisioned after the finding was originally identified
Answer: B

NO.438 A maturity model can be used to aid the implementation of IT governance by identifying:
A. improvement opportunities.
B. accountabilities.
C. performance drivers.
D. critical success factors.
Answer: A

NO.439 Which of the following is a detective control that can be used to uncover unauthorized
access to information systems?
A. Requiring long and complex passwords for system access
B. Implementing a security information and event management (SIEM) system
C. Requiring internal audit to perform periodic reviews of system access logs
D. Protecting access to the data center with multifactor authentication
Answer: B

NO.440 When evaluating information security governance within an organization, which of the
following findings should be of MOST concern to an IS auditor?
A. Information security policies are updated annually.
B. The data center manager has final sign-off on security projects.
C. The information security department has difficulty filling vacancies.
D. An information security governance audit was not conducted within the past year.
Answer: B

NO.441 During an audit, which of the following would be MOST helpful in establishing a baseline for
measuring data quality?
A. Built-in data error prevention application controls
B. Industry standard business definitions
C. Input from customers
D. Validation of rules by the business
Answer: D

NO.442 Which of the following is the MOST effective way to verify an organization's ability to
continue its essential business operations after a disruption event?
A. Analysis of recovery point objectives (RPOs)
B. Analysis of call trees
C. Analysis of end-to-end recovery flow
D. Analysis of business impact
Answer: C

NO.443 An organization's security policy mandates that all new employees must receive appropriate
security awareness training. Which of the following metrics would BEST assure compliance with this
policy?
A. Percentage of new hires who report incidents
B. Number of reported incidents by new hires
C. Percentage of new hires that have completed the training
D. Number of new hires who have violated enterprise security policies
Answer: C

NO.444 An organization recently decided to send the backup of its customer relationship
management (CRM) system to its cloud provider for recovery. Which of the following should be of
GREATEST concern to an IS auditor reviewing this process?
A. Validation of backup data has not been performed.
B. The cloud provider is located in a different country.
C. Testing of restore data has not been performed.
D. Backups are sent and stored in unencrypted format.
Answer: C

NO.445 An IS auditor is a member of an application development team that is selecting software.
Which of the following would impair the auditor's independence?
A. Approving the vendor selection methodology
B. Verifying the weighting of each selection criterion
C. Reviewing the request for proposal (RFP)
D. Witnessing the vendor selection process
Answer: A

NO.446 Which of the following development practices would BEST mitigate the risk associated with
theft of user credentials transmitted between mobile devices and the corporate network?
A. Enforce the validation of digital certificates used in the communication sessions.
B. Allow persistent sessions between mobile applications and the corporate network.
C. Release mobile applications in debugging mode to allow for easy troubleshooting.
D. Embed cryptographic keys within the mobile application source code.
Answer: A
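Editor's worked example (added here; not part of the ISACA question bank or any vendor's code): what "enforcing validation of digital certificates" looks like in a client, beside the weakened configuration that debug builds often ship with. It uses only Python's standard ssl and hashlib modules. The DER bytes used for pinning are a constructed stand-in, and audit_context is a hypothetical helper that lists the checks a reviewer would make against a client configuration.

```python
import hashlib
import ssl

def hardened_client_context():
    """What option A asks for: the server chain must verify against trusted
    roots and the host name must match. create_default_context() already sets
    these; they are restated so a reviewer sees them explicitly."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def weakened_client_context():
    """The anti-pattern a debug build (option C) often ships with: validation
    switched off, so any certificate, including an interceptor's, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def cert_fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, the usual pin format."""
    return hashlib.sha256(der_bytes).hexdigest()

def pin_matches(der_bytes, pinned_fingerprints):
    """Optional layer on top of chain validation: the app ships the expected
    fingerprints, so a mis-issued but otherwise valid certificate is rejected.
    Ship at least one backup pin, or the app locks itself out on rotation."""
    return cert_fingerprint(der_bytes) in pinned_fingerprints

def audit_context(ctx):
    """Findings a reviewer would raise against a client context (hypothetical
    helper; not part of the ssl module)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("host name is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings
```

Persistent sessions (option B) and keys embedded in the binary (option D) do not help here: neither stops an interceptor from reading the credential in transit, and an embedded key is recoverable by anyone who unpacks the app.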

NO.447 In an IT organization where many responsibilities are shared, which of the following would
be the BEST control for detecting unauthorized data changes?
A. Data changes are independently reviewed by another group.
B. Users are required to periodically rotate responsibilities.
C. Segregation of duties conflicts are periodically reviewed.
D. Data changes are logged in an outside application.
Answer: A

NO.448 Which of the following controls would BEST ensure that payroll system rate changes are
valid?
A. Rate changes are reported to and independently verified by a manager.
B. Rate changes require visual verification before acceptance.
C. Rate changes must be entered twice to ensure that they are entered correctly.
D. Only a payroll department manager can input the new rate.
Answer: A

NO.449 A sales representative is reviewing the organization's feedback blog and gets redirected to a
site that sells illegal prescription drugs. The blog site is MOST likely susceptible to which of the
following types of attacks?
A. Directory harvesting
B. Phishing attack
C. Cross-site scripting
D. SQL injection
Answer: C

NO.450 Which of the following would BEST enable an organization to address the security risks
associated with a recently implemented bring your own device (BYOD) strategy?
A. Mobile device testing program
B. Mobile device tracking program
C. Mobile device awareness program
D. Mobile device upgrade program
Answer: C

NO.451 Which of the following is MOST important for an IS auditor to consider when reviewing
documentation for an organization's forensics policy?
A. Assigned roles and responsibilities
B. Notification processes
C. Access controls
D. Evidence preservation
Answer: D

NO.452 An IS auditor has completed an audit of an organization's accounts payable system. Which
of the following should be rated as the HIGHEST risk in the audit report and requires immediate
remediation?
A. Lack of segregation of duty controls for removal of vendor records
B. Lack of segregation of duty controls for reconciliation of payment transactions
C. Lack of segregation of duty controls for reversing payment transactions
D. Lack of segregation of duty controls for updating the vendor master file
Answer: D

NO.453 The PRIMARY benefit of using secure shell (SSH) to access a server on a network is that it:
A. provides confidentiality of transmitted data
B. prevents man-in-the-middle attacks
C. provides better session reliability
D. facilitates communication across platforms.
Answer: A

NO.454 An IS auditor identifies key controls that have been overridden by management. The next
step the IS auditor should take is to
A. Perform procedures to quantify the irregularities
B. Withdraw from the engagement
C. Recommend compensating controls
D. Report the absence of key controls to regulators
Answer: A

NO.455 An organization has adopted a backup and recovery strategy that involves copying on-premises
virtual machine (VM) images to a cloud service provider. Which of the following provides the
BEST assurance that VMs can be recovered in the event of a disaster?
A. Periodic on-site restoration of VM images obtained from the cloud provider
B. Inclusion of the right to audit in the cloud service provider contract
C. Procurement of adequate storage for the VM images from the cloud service provider
D. Existence of a disaster recovery plan (DRP) with specified roles for emergencies
Answer: A

NO.456 Which of the following should be defined in an audit charter?
A. Audit schedule
B. Audit methodology
C. Audit results
D. Audit authority
Answer: D

NO.457 When assessing whether an organization's IT performance measures are comparable to those of
other organizations in the same industry, which of the following would be MOST helpful to review?
A. IT governance frameworks
B. Benchmarking surveys
C. Utilization reports
D. Balanced scorecard
Answer: B

NO.458 Which of the following would be the GREATEST risk associated with a new chat feature on a
retailer's website?
A. Productivity loss
B. Reputational damage
C. System downtime
D. Data loss
Answer: D

NO.459 The PRIMARY purpose for an IS auditor to review previous audit reports during the planning
phase of a current audit is to:
A. identify applicable regulatory requirements for the current audit.
B. become informed about the auditee's business processes.
C. ensure that previously identified risks are addressed in the audit program.
D. adjust audit scope to reduce testing in areas related to previous findings.
Answer: C

NO.460 After the release of an application system, an IS auditor wants to verify that the system is
providing value to the organization. The auditor's BEST course of action would be to:
A. Quantify improvements in client satisfaction
B. Perform a gap analysis against the benefits defined in the business case
C. Review the results of compliance testing
D. Confirm that risk has declined since the application system release
Answer: B

NO.461 An organization sends daily backup media by courier to an offsite location. Which of the
following provides the BEST evidence that the media is transported reliably?
A. Documented backup media transport procedures
B. Signed acknowledgments by offsite manager
C. Certification of the courier company
D. Delivery schedule of the backup media.
Answer: B

NO.462 Which of the following is the GREATEST risk associated with conducting penetration testing
on a business-critical application production environment?
A. System owners may not be informed in advance
B. Results may differ from those obtained in the test environment
C. Data integrity may become compromised
D. This type of testing may not adhere to audit standards
Answer: C

NO.463 During an audit of identity and access management, an IS auditor finds that the
engagement audit plan does not include the testing of controls that regulate access by third parties.
Which of the following would be the auditor's BEST course of action?
A. Plan to test these controls in another audit
B. Escalate the deficiency to audit management.
C. Add testing of third-party access controls to the scope of the audit.
D. Determine whether the risk has been identified in the planning documents
Answer: C

NO.464 An organization issues digital certificates to employees to enable connectivity to a web-
based application. Which of the following public key infrastructure (PKI) components MUST be
included in the application architecture for determining the ongoing validity of connections?
A. Secure hash algorithm (SHA)
B. Registration authority (RA)
C. Certificate authority (CA)
D. Certificate revocation list (CRL)
Answer: D

NO.465 Which of the following would an IS auditor consider to be the MOST significant risk
associated with a project to reengineer a business process?
A. The project manager is inexperienced in information systems.
B. Existing baseline processes may not be reported to management.
C. The nature of the change may not be documented.
D. Existing controls may be weakened or removed.
Answer: D

NO.466 Which of the following is the BEST source of information for an IS auditor to use as a
baseline to assess the adequacy of an organization's privacy policy?
A. Local privacy standards and regulations
B. Benchmark studies of similar organizations
C. Historical privacy breaches and related root causes
D. Globally accepted privacy best practices
Answer: A

NO.467 Which of the following would an IS auditor consider the GREATEST risk associated with a
mobile workforce environment?
A. Lack of compliance with organizational policies
B. Decrease in employee productivity and accountability
C. Loss or damage to the organization's assets
D. Inability to access data remotely
Answer: C

NO.468 Which of the following is the BEST reason to utilize blockchain technology to record
accounting transactions?
A. Integrity of records
B. Confidentiality of records
C. Availability of records
D. Distribution of records
Answer: A

NO.469 Which of the following is a characteristic of a single mirrored data center used for disaster
recovery?
A. The mirrored data center does not require staffing.
B. Real-time data replication occurs from the production site.
C. Data replication to the mirrored site should continue after failover.
D. The mirrored site may create brief interruptions noticeable to users.
Answer: B

NO.470 Following the discovery of inaccuracies in a data warehouse, an organization has
implemented data profiling, cleansing, and handling filters to enhance the quality of data obtained
from c
A. Detective control
B. Compensating control
C. Directive control
D. Corrective control
Answer: D

NO.471 Which of the following is the MOST effective control for protecting the confidentiality and
integrity of data stored unencrypted on virtual machines?
A. Restrict access to images and snapshots of virtual machines.
B. Limit creation of virtual machine images and snapshots.
C. Monitor access to stored images and snapshots of virtual machines.
D. Review logical access controls on virtual machines regularly.
Answer: A

NO.472 A legacy application is running on an operating system that is no longer supported by the
vendor. If the organization continues to use the current application, which of the following should
be the IS auditor's GREATEST concern?
A. Inability to use the operating system due to potential licence issues
B. Increased cost of maintaining the system
C. Inability to update the legacy application database
D. Potential exploitation of zero-day vulnerabilities in the system
Answer: D

NO.473 A company laptop has been stolen, and all photos on the laptop have been published on
social media. Which of the following is the IS auditor's BEST course of action?
A. Determine if the laptop had the appropriate level of encryption
B. Verify the organization's incident reporting policy was followed
C. Ensure that the appropriate authorities have been notified
D. Review the photos to determine whether they were for business or personal purposes
Answer: B

NO.474 An IS auditor is reviewing an organization's information asset management process. Which
of the following would be of GREATEST concern to the auditor?
A. Process ownership has not been established.
B. Identification of asset value is not included in the process.
C. The process does not include asset review.
D. The process does not require specifying the physical location of assets.
Answer: A

NO.475 Which of the following control techniques BEST ensures the integrity of system interface
transmissions?
A. Validity check
B. Completeness check
C. Parity check
D. Reasonableness check
Answer: C
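Editor's worked example (added here; not part of the ISACA question bank): an even-parity check of the kind used on an interface transmission, with the sender and receiver sides and the error pattern the control misses. The payload is a constructed sample.

```python
def parity_bit(data: bytes) -> int:
    """Even parity: 1 if the number of set bits in data is odd, otherwise 0."""
    ones = sum(bin(b).count("1") for b in data)
    return ones & 1

def frame(data: bytes) -> bytes:
    """Sender side: append one parity byte (0x00 or 0x01) to the payload."""
    return data + bytes([parity_bit(data)])

def verify(received: bytes) -> bool:
    """Receiver side: recompute parity over the payload and compare it with
    the transmitted parity byte."""
    payload, transmitted = received[:-1], received[-1]
    return parity_bit(payload) == transmitted

def flip_bits(data: bytes, positions) -> bytes:
    """Simulate line noise by flipping the given bit positions (0 = first bit)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)

def demo():
    """Returns (clean frame verifies, single flip verifies, double flip verifies)."""
    msg = frame(b"PAYROLL-BATCH-0042")          # constructed sample payload
    clean = verify(msg)                          # True: nothing changed
    one_flip = verify(flip_bits(msg, [3]))       # False: one flipped bit is caught
    two_flips = verify(flip_bits(msg, [3, 11]))  # True: an even count slips through
    return clean, one_flip, two_flips
```

Parity is the transmission-integrity control the question is pointing at, but it only catches an odd number of flipped bits. For an interface carrying financial data the auditor should also expect a CRC, record counts and hash totals over the batch, and, where tampering rather than noise is the concern, a keyed MAC.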

NO.476 Which of the following is the GREATEST risk associated with the lack of an effective data
privacy program?
A. Inability to obtain customer confidence
B. Inability to manage access to private or sensitive data
C. Failure to comply with data-related regulations
D. Failure to prevent fraudulent transactions
Answer: C

NO.477 During a review of operations, it is noted that during a batch update, an error was detected
and the database initiated a roll-back. An IT operator stopped the roll-back and re-initiated the
update. What should the operator have done PRIOR to re-initiating the update?
A. Determined the cause of the error
B. Obtained approval before re-initiating the update
C. Allowed the roll-back to complete
D. Scheduled the roll-back for a later time
Answer: C

NO.478 In an organization that has a staff-rotation policy, the MOST appropriate access control
model is:
A. discretionary.
B. lattice-based.
C. mandatory.
D. role-based.
Answer: D
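Editor's worked example (added here; not part of the ISACA question bank): why role-based access control suits a staff-rotation policy. Permissions attach to roles, so moving a person means replacing one role assignment, and the old rights leave with it. The roles and permissions are invented for the example; the segregation-of-duties check at the end shows the conflict that creeps in when roles are accumulated instead of rotated.

```python
ROLE_PERMISSIONS = {
    "payroll-clerk": {"payroll:read", "payroll:enter-rate-change"},
    "payroll-approver": {"payroll:read", "payroll:approve-rate-change"},
    "ap-clerk": {"ap:read", "ap:enter-invoice"},
}

class RBAC:
    """Users hold roles; roles hold permissions. Nothing is granted to a user
    directly, which is what makes rotation a one-line change."""

    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}   # user -> set of role names

    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user):
        perms = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def allowed(self, user, permission):
        return permission in self.permissions(user)

    def rotate(self, user, new_role):
        """Staff rotation: drop every current role and assign the new one.
        Returns (revoked, granted) permission sets for the change log. Under a
        discretionary model this step would mean editing each object's ACL."""
        before = self.permissions(user)
        self.user_roles[user] = set()
        self.assign(user, new_role)
        after = self.permissions(user)
        return before - after, after - before

    def sod_conflicts(self, user, conflicting_pairs):
        """Pairs of permissions the same person must not hold (for example,
        enter and approve a rate change). Accumulating roles instead of
        rotating them is how these conflicts appear."""
        perms = self.permissions(user)
        return [pair for pair in conflicting_pairs if set(pair) <= perms]
```

The returned (revoked, granted) sets are what a reviewer wants in the access-change log after each rotation; the sod_conflicts check is the periodic review that catches anyone who kept the old role.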

NO.479 Which of the following falls within the scope of an information security governance
committee?
A. Selecting the organization's external security auditors
B. Approving access to critical financial systems
C. Reviewing content for information security awareness programs
D. Prioritizing information security technology initiatives
Answer: D

NO.480 Which of the following are BEST suited for continuous auditing?
A. Manual transactions
B. Irregular transactions
C. Low-value transactions
D. Real-time transactions
Answer: D

NO.481 What would be of GREATEST concern to an IS auditor observing shared key cards being
utilized to access an organization's data center?
A. The lack of a multi-factor authentication system
B. The lack of enforcement of organizational policy and procedures
C. The inability to identify who has entered the data center
D. The inability to track the number of misplaced cards
Answer: C

NO.482 Which of the following should be of MOST concern to an IS auditor reviewing the public key
infrastructure (PKI) for enterprise email?
A. The certificate revocation list has not been updated.
B. The private key certificate has not been updated.
C. The PKI policy has not been updated within the last year.
D. The certificate practice statement has not been published.
Answer: A
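Editor's worked example (added here; not part of the ISACA question bank), covering both NO.464 and NO.482: checking a certificate presented at connection time against a certificate revocation list, with a CRL that is past its nextUpdate treated as a failure rather than a pass. The data structures are constructed dicts whose field names mirror RFC 5280; there is no real X.509 parsing or signature verification here.

```python
from datetime import datetime, timedelta

def build_crl(issuer, this_update, validity, revoked):
    """A CRL: who signed it, when it was issued, when the next one is due,
    and the serial numbers it revokes (with reason codes)."""
    return {
        "issuer": issuer,
        "thisUpdate": this_update,
        "nextUpdate": this_update + validity,
        "revoked": {serial: reason for serial, reason in revoked},
    }

def check_certificate(cert, crl, now):
    """Return 'good', 'revoked', 'crl-stale' or 'wrong-issuer'.
    A CRL past its nextUpdate is a failure, not a pass: the relying party
    cannot know what was revoked after the last publication, which is the
    concern in NO.482."""
    if cert["issuer"] != crl["issuer"]:
        return "wrong-issuer"
    if now > crl["nextUpdate"]:
        return "crl-stale"
    if cert["serial"] in crl["revoked"]:
        return "revoked"
    return "good"

def demo():
    """Three checks against one CRL: a revoked certificate, a good one, and
    the same good certificate after the CRL has expired."""
    t0 = datetime(2024, 1, 1, 9, 0)
    crl = build_crl("CN=Corp Issuing CA", t0, timedelta(days=7),
                    [(0x1A2B, "keyCompromise"), (0x1A2C, "cessationOfOperation")])
    revoked_cert = {"issuer": "CN=Corp Issuing CA", "serial": 0x1A2B}
    good_cert = {"issuer": "CN=Corp Issuing CA", "serial": 0x2000}
    return (
        check_certificate(revoked_cert, crl, t0 + timedelta(days=1)),
        check_certificate(good_cert, crl, t0 + timedelta(days=1)),
        check_certificate(good_cert, crl, t0 + timedelta(days=10)),
    )
```

The CA answers "was this certificate issued?"; only the CRL (or an OCSP response) answers "is it still valid right now?", which is why it is the component that must be in the application architecture. The same rule applies to OCSP: an unavailable or expired response should not be treated as "good" (the soft-fail weakness an auditor should look for).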

NO.483 Which of the following is MOST important when implementing a data classification
program?
A. Understanding the data classification levels
B. Formalizing data ownership
C. Developing a privacy policy
D. Planning for secure storage capacity
Answer: B

NO.484 An IS auditor finds that an organization's data loss prevention (DLP) system is configured to
use vendor default settings to identify violations. The auditor's MAIN concern should be that:
A. violations may not be categorized according to the organization's risk profile.
B. a significant number of false positive violations may be reported.
C. violation reports may not be retained according to the organization's risk profile.
D. violation reports may not be reviewed in a timely manner.
Answer: A

NO.485 Which of the following is the BEST indicator of the effectiveness of signature-based
intrusion detection systems (IDSs)?
A. An increase in the number of internally reported critical incidents
B. An increase in the number of detected incidents not previously identified
C. An increase in the number of identified false positives
D. An increase in the number of unfamiliar sources of intruders
Answer: B

NO.486 Which of the following should be of GREATEST concern to an IS auditor reviewing the
controls for a continuous software release process?
A. Release documentation is not updated to reflect successful deployment
B. Testing documentation is not attached to production releases.
C. Developers are able to approve their own releases
D. Test libraries have not been reviewed in over six months
Answer: C

NO.487 An organization is developing a web portal using some external components. Which of the
following should be of MOST concern to an IS auditor?
A. Some of the developers are located in another country.
B. The organization has not reviewed the components for known exploits.
C. Open-source components were integrated during development.
D. Staff require additional training in order to perform code review.
Answer: B

NO.488 An employee transfers from an organization's risk management department to become the
lead IS auditor. While in the risk management department, the employee helped develop the key
performance indicators (KPIs) now used by the organization. Which of the following would pose the
GREATEST threat to the independence of this auditor?
A. Evaluating the effectiveness of IT risk management process
B. Developing KPIs to measure the internal audit team
C. Recommending controls to address the IT risks identified by KPIs
D. Training the IT audit team on IT risk management process
Answer: A

NO.489 A project team evaluated vendor responses to a request for proposal (RFP). An IS auditor
reviewing the evaluation process would expect the team to have considered each vendor's:
A. security policy.
B. acceptance test plan.
C. financial stability.
D. development methodology.
Answer: C

NO.490 Which of the following is an IS auditor's BEST recommendation to help an organization
increase the efficiency of computing resources?
A. Overclocking the central processing unit (CPU)
B. Virtualization
C. Real-time backups
D. Hardware upgrades
Answer: B

NO.491 Which of the following would provide the BEST evidence of the effectiveness of mandated
annual security awareness training?
A. Number of security incidents
B. Trending of social engineering test results
C. Surveys completed by randomly selected employees
D. Results of a third-party penetration test
Answer: B

NO.492 The BEST way to preserve data integrity through all phases of application containerization is
to ensure which of the following?
A. Developers are educated about how their roles relate to application security best practices.
B. The development team performs regular patching of application containers.
C. Segregation of duties is developed and maintained in the application container environment.
D. Information security roles are defined and communicated in the information security policy.
Answer: C

NO.493 Which of the following provides the BEST method for maintaining the security of corporate
applications pushed to employee-owned mobile devices?
A. Disabling unnecessary network connectivity options
B. Implementing mobile device management (MDM)
C. Enabling remote data destruction capabilities
D. Requiring security awareness training for mobile users
Answer: B

NO.494 Which of the following BEST facilitates detection of zero-day exploits?
A. Intrusion detection systems (IDS)
B. User behavior analytics
C. Intrusion prevention systems (IPS)
D. Anti-malware software
Answer: B
Explanation:
Zero-day exploits tend to be very difficult to detect. Antimalware software and some intrusion
detection systems (IDSes) and intrusion prevention systems (IPSes) are often ineffective because no
attack signature yet exists. This is why the best way to detect a zero-day attack is user behavior
analytics.

NO.495 An IS auditor is testing employee access to a large financial system and must select a sample
from the current employee list provided by the auditee. Which of the following is the MOST reliable
sample source to support this testing?
A. Previous audit reports generated by a third party
B. A system-generated list of accounts with access levels
C. Human resources (HR) documents signed by employees' managers
D. A system access spreadsheet provided by the system administrator.
Answer: B

NO.496 Which of the following would BEST detect unauthorized modification of data by a database
administrator (DBA)?
A. Compare data to input records.
B. Audit database change requests.
C. Review changes to edit checks.
D. Audit database activity log
Answer: D

NO.497 Which of the following is an IS auditor's BEST guidance regarding the use of IT frameworks?
A. To ensure consistency throughout the organization, management should adopt a single
comprehensive framework.
B. Frameworks provide standards that enable management to benchmark against peer organizations.
C. Frameworks encourage efficiency, provide a way to measure effectiveness, and allow for
improvements.
D. Industry-specific frameworks, when available, are preferred over the more generic comprehensive
frameworks.
Answer: C

NO.498 An auditor is creating an audit program in which the objective is to establish the adequacy
of personal data privacy controls in a payroll process. Which of the following would be MOST
important to include?
A. Approval of data changes
B. User access provisioning
C. Segregation of duties controls
D. Audit logging of administrative user activity
Answer: D

NO.499 Which of the following should be of GREATEST concern for an IS auditor reviewing an
organization's bring your own device (BYOD) policy?
A. A mobile device management (MDM) solution is not implemented.
B. The policy is not updated annually.
C. Not all devices are approved for BYOD.
D. The policy does not include the right to audit BYOD devices.
Answer: A

NO.500 Which of the following is the GREATEST concern when using a cold backup site?
A. Compatibility problems with existing equipment might exist.
B. Peripheral equipment might not be sufficient to handle critical applications.
C. It is difficult to test critical applications at the backup site
D. Physical security requirements at the backup site might not be met.
Answer: C

NO.501 The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-pipe
system is that a dry-pipe system
A. is more effective at suppressing flames.
B. allows more time to abort release of the suppressant
C. has a decreased risk of leakage.
D. disperses dry chemical suppressants exclusively.
Answer: C

NO.502 Which of the following should be the PRIMARY objective of a migration audit?
A. Data integrity
B. Business continuity
C. System performance
D. Control adequacy
Answer: A

NO.503 Stress testing should ideally be carried out under a:
A. production environment with test data.
B. test environment with test data.
C. production environment with production workloads.
D. test environment with production workloads.
Answer: D

NO.504 When auditing the closing stages of a system development project, which of the following
should be the MOST important consideration?
A. Rollback procedures
B. Control requirements
C. Functional requirements documentation
D. User acceptance test (UAT) results
Answer: D

NO.505 An organization is acquiring a new customer relationship management (CRM) system. In
which of the following would the IS auditor find the MOST relevant information on projected cost
savings?
A. Request for proposal (RFP)
B. Business case
C. Feasibility study document
D. Results of prototype testing
Answer: B

NO.506 Which of the following is the MOST important step in the development of an effective IT
governance action plan?
A. Setting up an IT governance framework for the process
B. Conducting a business impact analysis (BIA)
C. Measuring IT governance key performance indicators (KPIs)
D. Preparing a statement of sensitivity
Answer: A

NO.507 During an audit, the client learns that the IS auditor has recently completed a similar
security review at a competitor. The client inquires about the competitor's audit results. What is the
BEST way for the auditor to address this inquiry?
A. Explain that it would be inappropriate to discuss the results of another audit client
B. Escalate the question to the audit manager for further action.
C. Discuss the results of the audit, omitting specifics related to names and products.
D. Obtain permission from the competitor to use the audit results as examples for future clients.
Answer: A

NO.508 An IS auditor is asked to provide feedback on the systems options analysis for a new project.
The BEST course of action for the IS auditor would be to:
A. retain comments as findings for the audit report.
B. comment on the criteria used to assess the alternatives.
C. identify the best alternative.
D. request at least one other alternative.
Answer: B

NO.509 Which of the following should be the PRIMARY consideration for IT management when
selecting a new information security tool that monitors suspicious file access patterns?
A. Integration with existing architecture
B. Ease of support and troubleshooting
C. Data correlation and visualization capabilities
D. Ability to contribute to key performance indicator data
Answer: A

NO.510 An organization has recently implemented a Voice-over IP (VoIP) communication system.
Which of the following should be the IS auditor's PRIMARY concern?
A. Lack of integration of voice and data communications
B. A single point of failure for both voice and data communications
C. Voice quality degradation due to packet loss
D. Inability to use virtual private networks (VPNs) for internal traffic
Answer: B

NO.511 Invoking a business continuity plan (BCP) is demonstrating which type of control?
A. Preventive
B. Detective
C. Corrective
D. Directive
Answer: C

NO.512 An IS audit found that malware entered the organization through a spreadsheet macro, and
the auditor recommended that spreadsheet macros be disabled. All macros were disabled except
those needed by the finance team for reporting purposes. Which of the following is the auditor's
BEST course of action?
A. Close the recommendation, as most of the risk has been mitigated.
B. Recommend alternate reporting methods that do not use spreadsheet macros.
C. Advise management to disable the spreadsheet macros for the finance users.
D. Escalate the issue to the audit committee.
Answer: C

NO.513 An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY
objective is to ensure that:
A. security parameters are set in accordance with the organization's policies.
B. security parameters are set in accordance with the manufacturer's standards.
C. a detailed business case was formally approved prior to the purchase.
D. the procurement project invited tenders from at least three different suppliers.
Answer: A

NO.514 An IS auditor concludes that an organization has a quality security policy. Which of the
following is MOST important to determine next? The policy must be:
A. based on industry standards.
B. well understood by all employees.
C. developed by process owners.
D. updated frequently.
Answer: B

NO.515 Which type of control is being implemented when a biometric access device is installed at
the entrance to a facility?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Answer: A

NO.516 Which of the following is the BEST sampling method when performing an audit test to
determine the number of access requests without approval signatures?
A. Attribute sampling
B. Judgment sampling
C. Stratified sampling
D. Stop-or-go sampling
Answer: A

NO.517 What should be the PRIMARY basis for scheduling a follow-up audit?
A. The significance of reported findings
B. The completion of all corrective actions
C. The availability of audit resources
D. The time elapsed after audit report submission
Answer: A

NO.518 Which of the following is the BEST approach to identify whether a vulnerability is actively
being exploited?
A. Conduct a penetration test
B. Perform log analysis.
C. Review service desk reports.
D. Implement key performance indicators (KPIs).
Answer: B
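Editor's worked example (added here; not part of the ISACA question bank): the log analysis the answer refers to, run over a handful of constructed web-server access lines. The /export endpoint and the path-traversal payloads are hypothetical and chosen only to show the method: separate requests that merely carry an exploit pattern from those the server answered with a successful, non-empty response, since the latter is the evidence that a vulnerability is actually being exploited rather than probed.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (hypothetical endpoint/payloads).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /export?file=report.csv HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /export?file=../../etc/passwd HTTP/1.1" 403 0
203.0.113.7 - - [12/Mar/2024:10:01:15 +0000] "GET /export?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843
198.51.100.4 - - [12/Mar/2024:10:02:40 +0000] "GET /login HTTP/1.1" 200 2210
198.51.100.4 - - [12/Mar/2024:10:02:51 +0000] "GET /export?file=....//....//etc/shadow HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)$')
# Raw and URL-encoded "../" and "..\" variants.
TRAVERSAL_RE = re.compile(r'\.\.(/|\\|%2f|%5c)', re.IGNORECASE)

def parse(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, size = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "status": int(status), "size": 0 if size == "-" else int(size)}

def classify(entry):
    """'attempt' when the exploit pattern is present; 'success' when the
    server also answered 200 with a non-empty body."""
    if not TRAVERSAL_RE.search(entry["path"]):
        return None
    if entry["status"] == 200 and entry["size"] > 0:
        return "success"
    return "attempt"

def analyze(log_text):
    """Returns (per-source verdict counts, list of likely successful requests)."""
    by_source = {}
    successes = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is None:
            continue
        by_source.setdefault(entry["ip"], Counter())[verdict] += 1
        if verdict == "success":
            successes.append((entry["ip"], entry["ts"], entry["path"]))
    return by_source, successes
```

Two caveats a practitioner would add: a 200 with a body does not prove the data left (an application may return its error page with status 200), so corroborate with application logs or the response content before calling it an exploitation; and requests blocked upstream by a WAF never reach this log, so the absence of hits here is not evidence of absence.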

NO.519 Which of the following would BEST determine whether a post implementation review (PIR)
performed by the project management office (PMO) was effective?
A. The review was performed by an external provider.
B. Management approved the PIR report.
C. Lessons learned were implemented.
D. Project outcomes have been realized.
Answer: C

NO.520 Which of the following is MOST important for an IS auditor to test when reviewing market
data received from external providers?
A. Data encryption configurations
B. Data transformation configurations
C. Data quality controls
D. Data loading controls
Answer: C

NO.521 Following a breach, what is the BEST source to determine the maximum amount of time
before customers must be notified that their personal information may have been compromised?
A. Industry regulations
B. Incident response plan
C. Information security policy
D. Industry standards
Answer: A

NO.522 Which of the following processes BEST addresses the risk associated with the deployment of
a new production system?
A. Release management
B. Configuration management
C. Change management
D. Incident management
Answer: C

NO.523 Which of the following indicates that an internal audit organization is structured to support
the independence and clarity of the reporting process?
A. Auditors are responsible for assessing and operating a system of internal controls.
B. The internal audit manager reports functionally to a senior management official
C. The internal audit manager has a reporting line to the audit committee.
D. Auditors are responsible for performing operational duties or activities.
Answer: C

NO.524 An IS auditor discovers an option in a database that allows the administrator to directly
modify any table. This option is necessary to overcome bugs in the software but is rarely used.
Changes to tables are automatically logged. The IS auditor's FIRST action should be to:
A. recommend that the option to directly modify the database be removed immediately.
B. determine whether the audit trail is secured and reviewed.
C. determine whether the log of changes to the tables is backed up.
D. recommend that the system require two persons to be involved in modifying the database.
Answer: B

NO.525 Which of the following should be an IS auditor's GREATEST concern when reviewing an
organization's security controls for policy compliance?
A. Security policies are not applicable across all business units.
B. End users are not required to acknowledge security policy training.
C. The security policy has not been reviewed within the past year.
D. Security policy documents are available on a public domain website.
Answer: A

NO.526 Secure code reviews as part of a continuous deployment program are which type of
control?
A. Logical
B. Detective
C. Preventive
D. Corrective
Answer: C

NO.527 An IS department is evaluated monthly on its cost-revenue ratio, user satisfaction rate, and
computer downtime. This is BEST categorized as an application of a:
A. risk framework
B. balanced scorecard
C. value chain analysis
D. control self-assessment (CSA)
Answer: B

NO.528 An organization has installed blade server technology in its data center. To determine
whether higher cooling demands are maintained, which of the following should the IS auditor
review?
A. Ventilation systems
B. Air conditioning capacity
C. Uninterruptible power supply (UPS) systems
D. Duct maintenance
Answer: B

NO.529 Which of the following is the GREATEST benefit of utilizing data analytics?
A. Improved communication with management due to more confidence with data results
B. Better risk assessments due to the identification of anomalies and trends
C. Higher-quality audit evidence due to more representative audit sampling
D. Expedient audit planning due to early identification of problem areas and incomplete data
Answer: B

NO.530 Which of the following BEST enables an organization to quantify acceptable data loss in the
event of a disaster?
A. Availability of backup software
B. Recovery point objective (RPO)
C. Recovery time objective (RTO)
D. Mean time to recover (MTTR)
Answer: B

NO.531 Which of the following should an IS auditor be MOST concerned with when reviewing the IT
asset disposal process?
A. Data migration to the new asset
B. Data stored on the asset
C. Monetary value of the asset
D. Certificate of destruction
Answer: B

NO.532 When developing customer-facing IT applications, in which stage of the system
development life cycle (SDLC) is it MOST beneficial to consider data privacy principles?
A. Requirements definition
B. User acceptance testing (UAT)
C. Systems design and architecture
D. Software selection and acquisition
Answer: A (privacy by design: principles captured as requirements drive the design, the selection criteria and the test cases; introducing them at any later stage means retrofitting)

NO.533 Reviewing project plans and status reports throughout the development life cycle will:
A. postpone documenting the project's progress until the final phase.
B. eliminate the need to perform a risk assessment.
C. guarantee that the project will meet its intended deliverables.
D. facilitate the optimal use of resources over the life of the project.
Answer: D (ongoing review allows course corrections and better use of resources; it cannot guarantee deliverables or remove the need for a risk assessment)

NO.534 A warehouse employee of a retail company has been able to conceal the theft of inventory
items by entering adjustments of either damaged or lost stock items to the inventory system. Which
control would have BEST prevented this type of fraud in a retail environment?
A. Statistical sampling of adjustment transactions
B. Unscheduled audits of lost stock lines
C. An edit check for the validity of the inventory transaction
D. Separate authorization for input of transactions
Answer: D

NO.535 Which of the following is MOST important for an IS auditor to assess during a post-
implementation review of a newly modified IT application developed in-house?
A. Resource management plan
B. Updates required for end user manuals
C. Sufficiency of implemented controls
D. Rollback plans for changes
Answer: C (the post-implementation review should confirm that the modified application has sufficient controls operating; rollback plans belong to the change itself, not to the review)

NO.536 An IS auditor finds that a document related to a client has been leaked. Which of the
following should be the auditor's NEXT step?
A. Report data leakage finding to regulatory authorities
B. Determine the classification of data leaked
C. Report data leakage finding to senior management
D. Notify appropriate law enforcement.
Answer: B

NO.537 Which of the following is the MOST effective way to reduce risk to an organization from
widespread use of unauthorized web-based communication technologies?
A. Incorporate web-based communications into the enterprise security architecture.
B. Block access from user devices to unauthorized sites that allow web-based
C. Monitor unauthorized staff usage of web-based communication and notify the IT security
department of violations.
D. Publish an enterprise-wide policy outlining acceptable use of web-based communication
technologies.
Answer: A (bringing the technology inside the enterprise security architecture lets it be governed, secured and monitored; a policy alone does not reduce the exposure created by use that is already widespread, and blocking or monitoring after the fact treats symptoms)

NO.538 An organization is experiencing a large number of phishing attacks targeting employees and
executives following a press release announcing an acquisition. Which of the following would provide
the BEST defense against these attacks?
A. Require signed acknowledgment of the organization's security policy
B. Conduct organization-wide awareness training
C. Install spam filters on the acquired systems
D. Deploy intrusion detection and prevention systems
Answer: B (phishing exploits people; awareness training changes how employees and executives respond, whereas a signed policy acknowledgment does not, and spam filters on the acquired systems cover only part of the attack surface)

NO.539 An organization allows employees to use personally owned mobile devices to access
customers' personal information. Which of the following is MOST important for an IS auditor to
verify?
A. Employees have signed off on an acceptable use policy.
B. Mobile device security policies have been implemented.
C. Devices have adequate storage and backup capabilities.
D. Mobile devices are compatible with company infrastructure.
Answer: B (implemented device controls, such as encryption, screen lock and remote wipe, are what protect customer data on a lost or stolen device; a signed acceptable use policy is a directive control only)

NO.540 An IS auditor reviewing the system development life cycle (SDLC) finds there is no
requirement for business cases. Which of the following should be of GREATEST concern to the
organization?
A. Vendor selection criteria are not sufficiently evaluated.
B. Project costs exceed established budgets.
C. Business resources have not been optimally assigned.
D. Business impacts of projects are not adequately analyzed.
Answer: D (the business case is where expected benefits, costs and impacts are analyzed and justified; without it, projects may be started that deliver no business value, and the other options are downstream effects)

NO.541 An IS auditor is analyzing a sample of accesses recorded on the system log of an application.
The auditor intends to launch an intensive investigation if one exception is found. Which sampling
method would be appropriate?
A. Stratified sampling
B. Variable sampling
C. Judgmental sampling
D. Discovery sampling
Answer: D

NO.542 During the design phase of a software development project, the PRIMARY responsibility of
an IS auditor is to evaluate the:
A. future compatibility of the design.
B. controls incorporated into the system specifications.
C. proposed functionality of the application.
D. development methodology employed.
Answer: B

NO.543 An IS auditor reviewing a project to acquire an IT-based solution learns the risk associated
with project failure has been assessed as high. What is the auditor's BEST course of action?
A. Reassess project costs to ensure they are within the organization's risk tolerance.
B. Review the risk monitoring process during project execution.
C. Review benefits realization against the business case.
D. Inform management about potential losses due to project failure.
Answer: B (the project is still in progress, so the auditor should confirm that the high risk is being monitored and managed during execution; benefits realization is reviewed after implementation)

NO.544 What is the PRIMARY reason for conducting a risk assessment when developing an annual IS
audit plan?
A. Decide which audit procedures and techniques to use
B. Determine the existence of controls in audit areas
C. Identify and prioritize audit areas
D. Provide assurance material items will be covered
Answer: C

NO.545 To address issues related to privileged users identified in an IS audit, management
implemented a security information and event management (SIEM) system. Which type of control is
in place?
A. Directive
B. Corrective
C. Preventive
D. Detective
Answer: D

NO.546 When implementing a new IT maturity model, which of the following should occur FIRST?
A. Define the target IT maturity level
B. Develop performance metrics
C. Determine the model elements to be evaluated
D. Benchmark with industry peers
Answer: A

NO.547 During an operational audit of a biometric system used to control physical access, which of
the following should be of GREATEST concern to an IS auditor?
A. False positives
B. Lack of biometric training
C. False negatives
D. User acceptance of biometrics
Answer: A

NO.548 Which of the following control checks would utilize data analytics?
A. Evaluating configuration settings for the credit card application system
B. Reviewing credit card applications submitted in the past month for blank data fields
C. Attempting to submit credit card applications with blank data fields
D. Reviewing the business requirements document for the credit card application system
Answer: B

NO.549 During a security audit, an IS auditor is tasked with reviewing log entries obtained from
an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the
potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS
configuration?
A. Sampling risk
B. Inherent risk
C. Detection risk
D. Control risk
Answer: C

NO.550 The use of which of the following would BEST enhance a process improvement program?
A. Capability maturity models
B. Model-based design notations
C. Project management methodologies
D. Balanced scorecard
Answer: A

NO.551 A financial institution is launching a mobile banking service utilizing multi-factor
authentication. This access control is an example of which of the following?
A. Corrective control
B. Directive control
C. Detective control
D. Preventive control
Answer: D

NO.552 Which of the following will BEST help to ensure that an in-house application in the
production environment is current?
A. Version control procedures
B. Change management
C. Production access control
D. Quality assurance
Answer: A

NO.553 Which of the following is MOST important for an IS auditor to verify during a disaster
recovery audit?
A. Regular backups are made and stored offsite
B. Tabletop disaster recovery tests are conducted
C. The disaster recovery plan (DRP) is updated on a regular basis.
D. Roles and responsibilities are documented.
Answer: C

NO.554 Which of the following should be an IS auditor's BEST recommendation to prevent
installation of unlicensed software on employees' company-provided devices?
A. Enforce audit logging of software installation activities.
B. Remove unlicensed software from end-user devices.
C. Implement software blacklisting.
D. Restrict software installation authority to administrative users only.
Answer: D

NO.555 The maturity level of an organization's problem management support function is optimized
when the function:
A. has formally documented the escalation process.
B. proactively provides solutions.
C. resolves requests in a timely manner.
D. analyzes critical incidents to identify root cause.
Answer: B

NO.556 Which of the following BEST enables alignment of IT with business objectives?
A. Completing an IT risk assessment
B. Leveraging an IT governance framework
C. Developing key performance indicators (KPIs)
D. Benchmarking against peer organizations
Answer: B

NO.557 An IS auditor is reviewing a banking mobile application that allows end users to perform
financial transactions. Which of the following poses a security risk to the organization?
A. Outdated mobile network settings
B. Application programming interface (API) logic faults
C. Lack of strong device passwords
D. Unpatched security vulnerabilities in the mobile operating system
Answer: B (logic faults in the organization's own API are a weakness in its attack surface; outdated network settings, weak device passwords and an unpatched mobile OS are risks on the customer's device rather than under the organization's control)

NO.558 Which of the following control testing approaches is BEST used to evaluate a control's
ongoing effectiveness by comparing processing results to independently calculated data?
A. Embedded audit modules
B. Sample-based re-performance
C. Integrated test facility (ITF)
D. Statistical sampling
Answer: D

NO.559 Which of the following would be an IS auditor's GREATEST concern when reviewing an
organization's security controls for policy compliance?
A. End users are not required to acknowledge security policy training.
B. Security policy documents are available on a public domain website.
C. The security policy has not been reviewed within the past year.
D. Security policies are not uniformly applicable across the organization.
Answer: D (policies that are not applied uniformly leave parts of the organization without the intended controls; an overdue review, missing acknowledgments or a publicly available policy document are lesser concerns, consistent with NO.525)

NO.560 An IS auditor reviewing the database controls for a new e-commerce system discovers a
security weakness in the database configuration. Which of the following should be the IS auditor's
NEXT course of action?
A. Assist in drafting corrective actions
B. Attempt to exploit the weakness
C. Identify existing mitigating controls
D. Disclose the findings to senior management
Answer: C (the auditor should first establish whether compensating controls already reduce the exposure, so the finding is reported with the right severity; attempting exploitation against a live system is outside the auditor's role, and drafting corrective actions would impair independence)

NO.561 Which of the following is the MOST effective way for an IS auditor to evaluate whether an
organization is well positioned to defend against an advanced persistent threat (APT)?
A. Verify that the organization has adequate levels of cyber insurance
B. Verify that the organization is using correlated data for security monitoring
C. Review the validity of external Internet Protocol (IP) addresses accessing the network
D. Assess the skill set within the security function
Answer: B

NO.562 Which of the following is the MOST effective sampling method for an IS auditor to use for
identifying fraud and circumvention of regulations?
A. Discovery sampling
B. Stop-or-go sampling
C. Statistical sampling
D. Variable sampling
Answer: A

NO.563 Which of the following is the MOST effective way to maintain network integrity when using
mobile devices?
A. Perform network reviews
B. Review access control lists.
C. Implement network access control.
D. Implement outbound firewall rules
Answer: C

NO.564 Which of the following is a benefit of increasing the use of data analytics in audits?
A. Less time spent on verifying completeness and accuracy of the total population
B. More time spent on analyzing the outliers identified and the root cause
C. Less time spent on selecting adequate audit programs and scope
D. More time spent on selecting and reviewing samples for testing
Answer: A

NO.565 Disciplinary policies are BEST classified as:
A. compensating controls.
B. preventive controls.
C. directive controls.
D. corrective controls.
Answer: C

NO.566 Which of the following issues identified during a postmortem analysis of the IT security
incident response process should be of GREATEST concern?
A. The incident response team did not initiate actions to limit the impact of the incident.
B. Incident response team members' contact details were not up to date.
C. The root cause of the incident was not properly identified and documented
D. The incident was caused by an attacker that exploited a zero-day vulnerability.
Answer: A

NO.567 An IS auditor discovers a box of hard drives in a secured location that are overdue for
physical destruction. The vendor responsible for this task was never made aware of these hard
drives. Which of the following is the BEST course of action to address this issue?
A. Examine the workflow to identify gaps in asset handling responsibilities.
B. Recommend the drives be sent to the vendor for destruction.
C. Evaluate the corporate asset handling policy for potential gaps.
D. Escalate the finding to the asset owner for remediation
Answer: A

NO.568 To create a digital signature in a message using asymmetric encryption, it is necessary to:
A. first use a symmetric algorithm for the authentication sequence.
B. encrypt the authentication sequence using a public key.
C. transmit the actual digital signature in unencrypted clear text.
D. encrypt the authentication sequence using a private key.
Answer: D

NO.569 Which type of control is in place when an organization requires new employees to complete
training on applicable privacy and data protection regulations?
A. Preventive control
B. Directive control
C. Detective control
D. Corrective control
Answer: B

NO.570 Which of the following BEST demonstrates the degree of alignment between IT and business
strategy?
A. Number of IT projects driven by business requirements
B. Percentage of users aware of information security policies
C. Number of IT policies that refer directly to business goals
D. Percentage of IT value drivers mapped to business value drivers
Answer: D

NO.571 Which of the following should be of GREATEST concern to an IS auditor conducting an audit
of an organization that recently experienced a ransomware attack?
A. Backups were only performed within the local network.
B. Employees were not trained on cybersecurity policies and procedures.
C. The most recent security patches were not tested prior to implementation.
D. Antivirus software was unable to prevent the attack even though it was properly updated.
Answer: A

NO.572 Which of the following controls will MOST effectively detect inconsistent records resulting
from the lack of referential integrity in a database management system?
A. Concurrent access controls
B. Incremental data backups
C. Performance monitoring tools
D. Periodic table link checks
Answer: D
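
A "periodic table link check" (NO.572) in runnable form, as an added example that is not part of the question bank. It builds a two-table schema in an in-memory SQLite database with foreign-key enforcement switched off, loads constructed rows that include one order pointing at a customer that does not exist, and finds the orphan with an anti-join and with SQLite's own foreign_key_check pragma; it also shows the preventive counterpart, where the same load with enforcement on rejects the bad row at insert time. Table, column and function names are the example's own.

```python
import sqlite3

SCHEMA = """
CREATE TABLE customers (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id),
    amount      REAL    NOT NULL
);
"""

# Constructed sample rows: order 3 references customer 99, which does not exist.
CUSTOMERS = [(1, "Acme Ltd"), (2, "Globex Corp")]
ORDERS = [(1, 1, 120.00), (2, 2, 75.50), (3, 99, 10.00)]


def build_db(enforce_fk: bool):
    """Create the schema and load the rows. Returns (connection, rejected_rows)."""
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces REFERENCES clauses when this pragma is ON.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    rejected = []
    for row in ORDERS:
        try:
            conn.execute("INSERT INTO orders VALUES (?, ?, ?)", row)
        except sqlite3.IntegrityError:          # preventive control firing
            rejected.append(row)
    conn.commit()
    return conn, rejected


def orphan_orders(conn):
    """Detective control: anti-join child to parent; a NULL parent key is a broken link."""
    return conn.execute(
        """
        SELECT o.id, o.customer_id
        FROM orders AS o
        LEFT JOIN customers AS c ON c.id = o.customer_id
        WHERE c.id IS NULL
        ORDER BY o.id
        """
    ).fetchall()


def fk_violations(conn):
    """SQLite's built-in link check; it reports violations even when enforcement is OFF."""
    return conn.execute("PRAGMA foreign_key_check").fetchall()


def run_check(enforce_fk: bool) -> dict:
    """Load the data with or without enforcement and summarize what each control caught."""
    conn, rejected = build_db(enforce_fk)
    result = {
        "rejected_at_insert": rejected,
        "orphans_found": orphan_orders(conn),
        "pragma_violations": len(fk_violations(conn)),
    }
    conn.close()
    return result


if __name__ == "__main__":
    print("enforcement OFF:", run_check(False))
    print("enforcement ON: ", run_check(True))
```

With enforcement off the orphan is only visible to the periodic check, which is the situation the question describes; with enforcement on the row never enters the table, and the check finds nothing.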

NO.573 Which of the following is found in an audit charter?
A. Audit objectives and scope
B. Required training for audit staff
C. The process of developing the annual audit plan
D. The authority given to the audit function
Answer: D (the charter establishes the purpose, authority and responsibility of the audit function; objectives and scope belong to individual engagements)

NO.574 Which of the following approaches would BEST ensure that data protection controls are
embedded into software being developed?
A. Deriving data protection requirements from key stakeholders
B. Utilizing a data protection template for user acceptance testing (UAT)
C. Implementing a quality assurance (QA) process during the development phase
D. Tracking data protection requirements throughout the SDLC
Answer: D

NO.575 An IS auditor reviewed the business case for a proposed investment to virtualize an
organization's server infrastructure. Which of the following is MOST likely to be included among the
benefits in the project proposal?
A. Fewer operating system licenses
B. Better efficiency of logical resources
C. Less memory and storage space
D. Reduced hardware footprint
Answer: D

NO.576 A computer forensic audit is MOST relevant in which of the following situations?
A. Missing server patches
B. Data loss due to hacking of servers
C. Inadequate controls in the IT environment
D. Mismatches in transaction data
Answer: B

NO.577 Which of the following BEST ensures the confidentiality of sensitive data during
transmission?
A. Sending data through proxy servers
B. Restricting the recipient through destination IP addresses
C. Password protecting data over virtual local area networks (VLAN)
D. Sending data over public networks using Transport Layer Security (TLS)
Answer: D

NO.578 Prior to the release of acquired software into production, it is MOST important that the IS auditor
review the:
A. system documentation.
B. vendor testing report.
C. user acceptance test report.
D. source code escrow agreement.
Answer: C (user acceptance testing is the business's own confirmation that the acquired package meets its requirements; the vendor's report is not independent, and documentation and escrow matter but do not gate the release)

NO.579 Which of the following would BEST protect the confidentiality of sensitive data in transit
between multiple offices?
A. Public key infrastructure (PKI)
B. Hash algorithms
C. Kerberos
D. Digital signatures
Answer: A (confidentiality in transit requires encryption, which PKI provides through certificates and key exchange; hash algorithms and digital signatures give integrity and origin but leave the data readable, and Kerberos is an authentication service)

NO.580 After delivering an audit report, the audit manager discovers that evidence was overlooked
during the audit. This evidence indicates that a procedural control may have failed and could
contradict a conclusion of the audit. Which of the following risks is MOST affected by the oversight?
A. Operational
B. Audit
C. Inherent
D. Financial
Answer: B (audit risk is the risk that the auditor reaches an incorrect conclusion; overlooked evidence that could contradict a reported conclusion is exactly that risk materializing)

NO.581 Which of the following would be of GREATEST concern to an IS auditor reviewing backup
and recovery controls?
A. Backups are stored in an external hard drive
B. Restores from backups are not periodically tested
C. Backup procedures are not documented
D. Weekly and monthly backups are stored onsite
Answer: B (untested restores mean there is no assurance the backups are usable when needed; where the media are stored is a lesser concern)

NO.582 Which of the following is the BEST control to prevent the transfer of files to external parties
through instant messaging (IM) applications?
A. File Transfer Protocol (FTP)
B. File level encryption
C. Instant messaging policy
D. Application level firewalls
Answer: D

NO.583 A month after a company purchased and implemented system and performance monitoring
software, reports were too large and therefore were not reviewed or acted upon. The MOST effective
plan of action would be to:
A. evaluate replacement systems and performance monitoring software
B. re-install the system and performance monitoring software
C. restrict functionality of system monitoring software to security-related events
D. use analytical tools to produce exception reports from the system and performance monitoring
software
Answer: D

NO.584 An organization wants to change its project methodology to address increasing costs and
process changes. Which of the following is the BEST methodology to use?
A. Joint application development
B. Object-oriented application development
C. Waterfall application development
D. Agile application development
Answer: D (Agile delivers in short iterations and absorbs changing requirements, which is what rising costs and process changes call for; joint application development is a requirements-gathering technique, not a project methodology)

NO.585 Which of the following is an IS auditor's BEST recommendation to mitigate the risk of
eavesdropping associated with an application programming interface (API) integration
implementation?
A. Implement Transport Layer Security (TLS)
B. Implement Simple Object Access Protocol (SOAP)
C. Encrypt the extensible markup language (XML) file
D. Mask the API endpoints
Answer: A
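
The TLS answer in NO.577 and NO.585 turns on how the client is configured, not merely on whether TLS is present: an integration that disables certificate and hostname validation still encrypts, but lets any on-path party terminate the connection with a certificate of its own. The added example below, which is not from the question bank, builds both kinds of client context with Python's standard ssl module and runs a small audit over each. The hardened context starts from create_default_context(), which loads the platform trust store; the optional ca_bundle path is a hypothetical parameter for a private CA. Function names are the example's own.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """The weak pattern found in many integration scripts: encryption is on,
    but the peer certificate and its hostname are never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: str = None) -> ssl.SSLContext:
    """What an API client should use: verified peer, hostname bound to the
    certificate and TLS 1.2 as the floor. ca_bundle (assumption: optional path
    to a private CA file) is added to the platform trust store when given."""
    ctx = ssl.create_default_context()
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the list of findings for a client context; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS 1.0/1.1 still negotiable")
    return findings


def is_hardened(ctx: ssl.SSLContext) -> bool:
    return audit_tls_context(ctx) == []


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_tls_context(ctx) or "OK")
```

Wrapping a socket with the hardened context (ctx.wrap_socket(sock, server_hostname=host)) is what actually binds the certificate to the API endpoint; the insecure context accepts whatever certificate the other end presents, so it mitigates passive sniffing but not an active eavesdropper.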

NO.586 The risk of communication failure in an e-commerce environment is BEST minimized
through the use of:
A. a packet filtering firewall to reroute messages.
B. alternative or diverse routing
C. functional or message acknowledgments
D. compression software to minimize transmission duration.
Answer: B

NO.587 Which of the following provides for the GREATEST cost reduction in a large data center?
A. Power conditioning
B. Job-scheduling software
C. Server consolidation
D. Staff rotation
Answer: C

NO.588 An IS auditor is planning on utilizing attribute sampling to determine the error rate for
health care claims processed. Which of the following factors will cause the sample size to decrease?
A. Tolerable error rate increase
B. Acceptable risk level decrease
C. Expected error rate increase
D. Population size increase
Answer: A (raising the tolerable error rate widens the precision interval and shrinks the sample; a higher expected error rate or a lower acceptable risk enlarges it, and population size has little effect once the population is large)

NO.589 Which of the following is the client organization's responsibility in a Software as a Service
(SaaS) environment?
A. Ensuring the data is available when needed
B. Ensuring that users are properly authorized
C. Detecting unauthorized access
D. Preventing insertion of malicious code
Answer: B

NO.590 Which of the following should be the PRIMARY audience for a third-party technical
security assessment report?
A. Operational IT management
B. Board of directors
C. Legal counsel
D. External regulators
Answer: A (a technical security assessment is written for those who must act on its detail, the operational IT managers; the board and regulators receive summarized risk reporting)

NO.591 The CIO of an organization is concerned that the information security policies may not be
comprehensive. Which of the following should an IS auditor recommend be performed FIRST?
A. Determine if there is a process to handle exceptions to the policies
B. Establish a governance board to track compliance with the policies
C. Obtain a copy of their competitor's policies
D. Compare the policies against an industry framework.
Answer: D

NO.592 Several unattended laptops containing sensitive customer data were stolen from personnel
offices. Which of the following would be an IS auditor's BEST recommendation to protect data in case
of recurrence?
A. Enhance physical security
B. Encrypt the disk drive
C. Require two-factor authentication
D. Require the use of cable locks
Answer: B

NO.593 When reviewing a contract for a disaster recovery hot site, which of the following would be
the MOST significant omission?
A. Equipment provided
B. Testing procedures
C. Audit rights
D. Exposure coverage
Answer: C

NO.594 Which of the following BEST indicates that an organization has effective governance in
place?
A. The organization regularly updates governance-related policies and procedures
B. The organization's board of directors executes on the management strategy
C. The organization is compliant with local government regulations
D. The organization's board of directors reviews metrics for strategic initiatives
Answer: D (governance is the board directing and monitoring strategy, which reviewing metrics for strategic initiatives demonstrates; regulatory compliance and policy updates are management outcomes, and executing strategy is management's job, not the board's)

NO.595 Which of the following is the MOST important difference between end-user computing
(EUC) applications and traditional applications?
A. Traditional application documentation is typically less comprehensive than EUC application
documentation.
B. Traditional applications require roll-back procedures whereas EUC applications do not.
C. Traditional applications require periodic patching whereas EUC applications do not.
D. Traditional application input controls are typically more robust than EUC application input
controls.
Answer: D

NO.596 What would be an IS auditor's GREATEST concern when using a test environment for an
application audit?
A. Test and production environments do not mirror each other
B. Developers have access to the test environment
C. Test and production environments lack data encryption
D. Retention period of test data has been exceeded
Answer: A

NO.597 Which of the following types of environmental equipment will MOST likely be deployed
below the floor tiles of a data center?
A. Temperature sensors
B. Humidity sensors
C. Water sensors
D. Air pressure sensors
Answer: C

NO.598 Capacity management enables organizations to:
A. establish the capacity of network communication links.
B. forecast technology trends.
C. determine business transaction volumes.
D. identify the extent to which components need to be upgraded.
Answer: D (capacity management matches IT resources to current and forecast demand and so identifies what needs upgrading; business transaction volumes are an input it consumes, not something it determines)

NO.599 Which of the following poses the GREATEST risk to a company that allows employees to use
personally owned devices to access customer files on the company's network?
A. The help desk might not be able to support all different types of personal devices.
B. The company's network might slow down, affecting response time.
C. Customer data may be compromised if the device is lost or stolen.
D. Employee productivity may suffer due to personal distractions
Answer: C

NO.600 While reviewing an organization's business continuity plan (BCP), an IS auditor observes that
a recently developed application is not included. The IS auditor should:
A. ignore the observation as the application is not mission critical.
B. recommend that the application be incorporated in the BCP.
C. ensure that the criticality of the application is determined.
D. include in the audit findings that the BCP is incomplete.
Answer: C

NO.601 Which of the following is a preventive control that can be used to mitigate insider threats?
A. Penetration testing
B. Backup procedures
C. Role-based access
D. User activity monitoring
Answer: C

NO.602 Which of the following should be of GREATEST concern to an IS auditor conducting a
security review of a point-of-sale (POS) system?
A. POS systems are not integrated with accounting applications for data transfer.
B. Management of POS systems is outsourced to a vendor based in another country.
C. An optical scanner is not used to read bar codes for generating sales invoices.
D. Card verification value (CVV) information is stored on local POS systems.
Answer: D

NO.603 An IS auditor is using data analytics in an audit and has obtained the data to be used for
testing. Which of the following is the MOST important task before testing begins?
A. Verify data analytics test scripts
B. Select the analytical sampling model
C. Document the method used to obtain the data
D. Verify the completeness and accuracy of the data
Answer: D (analytics results are only as reliable as the data fed to them, so completeness and accuracy of the extracted population must be confirmed first; documenting the extraction method supports that but is not the objective)

NO.604 During an IT governance audit, an IS auditor notes that IT policies and procedures are not
regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and
procedures may not:
A. incorporate changes to relevant laws.
B. reflect current practices.
C. include new systems and corresponding process changes.
D. be subject to adequate quality assurance (QA).
Answer: A

NO.605 What is the PRIMARY benefit of an audit approach which requires reported findings to be
issued together with related action plans, owners, and target dates?
A. It facilitates easier audit follow-up.
B. It enforces action plan consensus between auditors and auditees.
C. It establishes accountability for the action plans.
D. It helps to ensure factual accuracy of findings.
Answer: C

NO.606 Which of the following would be of GREATEST concern to an IS auditor evaluating
governance over open source development components?
A. The software is not analyzed for compliance with organizational requirements
B. The open source development components do not meet industry best practices
C. Existing open source policies have not been approved in over a year
D. The development project has gone over budget and time
Answer: A

NO.607 As part of an audit response, an auditee has concerns with the recommendations and is
hesitant to implement them. Which of the following would be the BEST course of action for the IS
auditor?
A. Conduct further discussions with the auditee to develop a mitigation plan.
B. Accept the auditee's response and perform additional testing.
C. Suggest hiring a third-party consultant to perform a current state assessment.
D. Issue a final report without including the opinion of the auditee.
Answer: A

NO.608 Which of the following is the PRIMARY objective of implementing privacy-related controls
within an organization?
A. To comply with legal and regulatory requirements
B. To provide options to individuals regarding use of their data
C. To prevent confidential data loss
D. To identify data at rest and data in transit for encryption
Answer: B

NO.609 To test the integrity of the data in the accounts receivable master file, an IS auditor is
particularly interested in reviewing customers with balances over 400,000. The selection technique
the IS auditor would use to obtain such a sample is called:
A. variable sampling.
B. stop-or-go sampling.
C. random selection.
D. stratification.
Answer: D (stratification divides the population into subgroups, here balances above 400,000, so that the subgroup of interest can be sampled separately; variable sampling estimates monetary amounts and does not select by value)

NO.610 Which of the following is the BEST point in time to conduct a post-implementation review
(PIR)?
A. After a full processing cycle
B. Immediately after deployment
C. To coincide with annual PIR cycle
D. Six weeks after deployment
Answer: A (only after a complete processing cycle, including period-end runs, can the review assess whether the system meets its requirements in actual use; immediately after deployment there is nothing yet to measure)

NO.611 Which of the following is the BEST indicator of an effective problem management process?
A. The time to close an incident is reduced.
B. Incidents are logged in a centralized system.
C. Incidents are assigned to engineers immediately.
D. The number of repeat incidents is reduced.
Answer: D

NO.612 An IS auditor finds a number of system accounts that do not have documented approvals.
Which of the following should be performed FIRST by the auditor?
A. Have the accounts removed immediately
B. Obtain sign-off on the accounts from the application owner
C. Document a finding and report an ineffective account provisioning control
D. Determine the purpose and risk of the accounts
Answer: D

NO.613 Which of the following is the BEST way to minimize the impact of a ransomware attack?
A. Perform more frequent system backups.
B. Maintain a regular schedule for patch updates.
C. Provide user awareness training on ransomware attacks.
D. Grant system access based on least privilege.
Answer: A

NO.614 When evaluating a project immediately prior to implementation, which of the following
would provide the BEST evidence that the system has the required functionality?
A. User acceptance testing (UAT) results
B. Quality assurance (QA) results
C. Integration testing results
D. Sign-off from senior management
Answer: A (UAT is the business users' confirmation that the required functionality is present; QA and integration results address quality and component interaction, and a management sign-off is not evidence in itself)

NO.615 An IS auditor assessing the controls within a newly implemented call center would FIRST:
A. test the technical infrastructure at the call center.
B. review the manual and automated controls in the call center.
C. gather information from the customers regarding response times and quality of service.
D. evaluate the operational risk associated with the call center.
Answer: D

NO.616 The PRIMARY objective of IT service level management is to:
A. satisfy customer requirements.
B. manage computer operations activities.
C. improve IT cost control
D. increase awareness of IT services
Answer: A

NO.617 An IS auditor is examining a front-end sub ledger and a main ledger. Which of the following
would be the GREATEST concern if there are flaws in the mapping of accounts between the two
systems?
A. Double-posting of a single journal entry
B. Inaccuracy of financial reporting
C. Unauthorized alteration of account attributes
D. Inability to support new business transactions
Answer: B

NO.618 An IS auditor performing a review of a newly purchased software program notes that an
escrow agreement has been executed for acquiring the source code. What is MOST important for the
IS auditor to verify?
A. Product acceptance testing has been completed.
B. The source code is being held by an independent third party.
C. The vendor is financially viable.
D. The source code is being updated for each change.
Answer: D

NO.619 An IS auditor has assessed a payroll service provider's security policy and finds significant
topics are missing. Which of the following is the auditor's BEST course of action?
A. Recommend the service provider update their policy
B. Report the risk to internal management
C. Notify the service provider of the discrepancies.
D. Recommend replacement of the service provider
Answer: B

NO.620 An IS auditor is reviewing a network diagram. Which of the following would be the BEST
location for placement of a firewall?
A. Between virtual local area networks (VLANs)
B. At borders of network segments with different security levels
C. Between each host and the local network switch/hub
D. Inside the demilitarized zone (DMZ)
Answer: D

NO.621 An IS auditor conducting a follow-up audit learns that previously funded recommendations
have not been implemented due to recent budget restrictions. Which of the following should the
A. Report the matter to the chief financial officer (CFO) and recommend funding be reinstated
B. Report to the audit committee that the recommendations are still open
C. Close the audit recommendations in the tracking register
D. Start an audit of the project funding allocation process
Answer: B

NO.622 An incorrect version of source code was amended by a development team. This MOST likely
indicates a weakness in:
A. incident management.
B. project management.
C. change management.
D. quality assurance (QA)
Answer: C

NO.623 Which of the following is an example of a control that is both detective and preventive at
the same time?
A. A payment order to a sanctioned country is detected in the system before the payment is actually
made.
B. Detective fraud controls performed on past transactions prevent legal action being taken against
the organization.
C. Detection of unauthorized activity in a database prevents further manipulation by the database
administrator (DBA).
D. A misconfiguration of an operating system is detected and future recurrence can successfully be
prevented.
Answer: C

NO.624 Which of the following should be of GREATEST concern to an IS auditor planning to employ
data analytics in an upcoming audit?
A. Data fields are used for multiple purposes
B. There is no documented data model.
C. Data is from the previous reporting period
D. Available data is incomplete
Answer: C

NO.625 For an organization that has plans to implement web-based trading, it would be MOST
important for an IS auditor to verify the organization's information security plan includes:
A. security training prior to implementation.
B. security requirements for the new application.
C. the firewall configuration for the web server.
D. attributes for system passwords.
Answer: B

NO.626 The MOST important function of a business continuity plan (BCP) is to:
A. provide procedures for evaluating tests of the BCP
B. provide a schedule of events that has to occur if there is a disaster
C. ensure that the critical business functions can be recovered
D. ensure that all business functions are restored
Answer: C

NO.627 Which of the following should be of GREATEST concern to an IS auditor reviewing on-site
preventive maintenance for an organization's business critical server hardware?
A. Preventive maintenance costs exceed the business's allocated budget
B. The preventive maintenance schedule is based on mean time between failures (MTBF) parameters
C. Preventive maintenance has not been approved by the information system owner
D. Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure
agreements (NDAs)
Answer: D

NO.628 Which of the following is the BEST compensating control when segregation of duties is
lacking in a small IS department?
A. Mandatory holidays
B. Background checks
C. Transaction log review
D. User awareness training
Answer: C

NO.629 Which of the following would be the MOST useful metric for management to consider when
reviewing a project portfolio?
A. Cost of projects divided by total IT cost
B. Expected return divided by total project cost
C. Net present value (NPV) of the portfolio
D. Total cost of each project
Answer: C

NO.630 An organization recently implemented a data loss prevention (DLP) solution to control data
in transit. Which of the following would be the GREATEST risk related to the DLP implementation?
A. Scanning end-points during peak hours
B. Inadequate data classification
C. Improperly configured DLP modules
D. DLP false positive alerts
Answer: B

NO.631 An IS auditor has completed an audit on the organization's IT strategic planning process.
Which of the following findings should be given the HIGHEST priority?
A. Assumptions in the IT strategic plan have not been communicated to business stakeholders
B. The IT strategic plan was formulated based on the current IT capabilities.
C. The IT strategic plan was completed prior to the formulation of the business strategic plan
D. The IT strategic plan does not include resource requirements for implementation.
Answer: C

NO.632 When an organization introduces virtualization into its architecture, which of the following
should be an IS auditor's PRIMARY area of focus to verify adequate protection?
A. Shared storage space
B. Host operating system configuration
C. Maintenance cycles
D. Multiple versions of the same operating system
Answer: B

NO.633 Which of the following is the BEST source of information for an IS auditor when planning an
audit of a business application's controls?
A. Process flow diagrams
B. User documentation
C. Access control lists
D. Change control procedures
Answer: A

NO.634 An IS auditor notes the transaction processing times in an order processing system have
significantly increased after a major release. Which of the following should the IS auditor review
FIRST?
A. Training plans
B. Stress testing results
C. Capacity management plan
D. Database conversion results
Answer: B

NO.635 The information security function in a large organization is MOST effective when:
A. partnered with the IS development team to determine access rights
B. decentralized as close to the user as possible
C. established at a corporate-wide level.
D. the function reports directly to the IS operations manager.
Answer: B

NO.636 An organization allows its employees to use personal mobile devices for work. Which of the
following would BEST maintain information security without compromising employee privacy?
A. Installing security software on the devices
B. Restricting the use of devices for personal purposes during working hours
C. Partitioning the work environment from personal space on devices
D. Preventing users from adding applications
Answer: C

NO.637 Which of the following access rights presents the GREATEST risk when granted to a new
member of the system development staff?
A. Write access to development data libraries
B. Execute access to development program libraries
C. Write access to production program libraries
D. Execute access to production program libraries
Answer: A

NO.638 Data analytics tools and techniques are MOST helpful to an IS auditor during which of the
following audit activities?
A. Audit follow-up
B. Walk-through testing
C. Substantive testing
D. Audit and resource planning
Answer: C

NO.639 Which of the following is the PRIMARY benefit of continuous auditing?
A. It deters fraudulent transactions.
B. It enables timely detection of anomalies.
C. It facilitates the use of robotic automation processes.
D. It allows reduced sample sizes for testing
Answer: B

NO.640 Which of the following is the PRIMARY purpose of quality assurance (QA) within an IS audit
department?
A. To ensure conclusions are reliable and no false assurance is given
B. To regularly assess and improve audit methodology
C. To enforce audit policies and identify any deviations
D. To confirm audit practice is aligned with industry standards and benchmarks
Answer: B

NO.641 As part of a follow-up of a previous year's audit, an IS auditor has increased the expected
error rate for a sample. The impact will be:
A. required sample size increases.
B. sampling risk decreases.
C. degree of assurance increases.
D. standard deviation decreases.
Answer: C

NO.642 A bank recently experienced fraud where unauthorized payments were inserted into
the payments transaction process. An IS auditor has reviewed the application systems and
databases along the processing chain but has not identified the entry point of the fraudulent
transactions.
Where should the auditor look NEXT?
A. Operating system patch levels
B. Interfaces between systems
C. Change management repository
D. System backup and archiving
Answer: B

NO.643 Which of the following strategies BEST optimizes data storage without compromising data
retention practices?
A. Moving emails to a virtual email vault after 30 days
B. Limiting the size of file attachments being sent via email
C. Automatically deleting emails older than one year
D. Allowing employees to store large emails on flash drives
Answer: B

NO.644 When auditing the alignment of IT to the business strategy, it is MOST important for the IS
auditor to:
A. evaluate deliverables of new IT initiatives against planned business services.
B. ensure an IT steering committee is appointed to monitor new IT projects.
C. compare the organization's strategic plan against industry best practice.
D. interview senior managers for their opinion of the IT function.
Answer: A

NO.645 Cross-site scripting (XSS) attacks are BEST prevented through:
A. use of common industry frameworks.
B. secure coding practices.
C. application firewall policy settings.
D. a three-tier web architecture.
Answer: B

NO.646 Which of the following is MOST important to include in forensic data collection and
preservation procedures?
A. Assuring the physical security of devices
B. Maintaining chain of custody
C. Determining tools to be used
D. Preserving data integrity
Answer: B

NO.647 When reviewing an organization's IT governance processes, which of the following provides
the BEST indication that information security expectations are being met at all levels?
A. Utilization of an internationally recognized security standard
B. Implementation of a comprehensive security awareness program
C. Achievement of established security metrics
D. Approval of the security program by senior management
Answer: B

NO.648 Due to a global pandemic, a health organization has instructed its employees to work from
home as much as possible. The employees communicate using instant messaging. Which of the
following is the GREATEST risk in this situation?
A. Home office setups may not be compliant with workplace health and safety requirements.
B. Employee productivity may decrease when working from home.
C. The capacity of servers may not allow all users to connect simultaneously
D. Employees may exchange patient information through less secure methods.
Answer: D

NO.649 Which of the following communication modes should be of GREATEST concern to an IS
auditor evaluating end user networking?
A. Peer-to-peer
B. Client-to-server
C. Host-to-host
D. System-to-system
Answer: A

NO.650 An organization plans to receive an automated data feed into its enterprise data warehouse
from a third-party service provider. Which of the following would be the BEST way to prevent
accepting bad data?
A. Appoint data quality champions across the organization
B. Obtain error codes indicating failed data feeds
C. Purchase data cleansing tools from a reputable vendor
D. Implement business rules to reject invalid data
Answer: D

NO.651 The BEST way to determine whether programmers have permission to alter data in the
production environment is by reviewing:
A. the access control system's configuration.
B. the access rights that have been granted
C. the access control system's log settings.
D. how the latest system changes were implemented
Answer: B

NO.652 An IS auditor reviewing a checkpoint/restart procedure should be MOST concerned if it is
applied after:
A. an incremental data backup is performed.
B. a temporary hardware failure.
C. power loss to the data center.
D. an incorrect version of the program is executed.
Answer: D

NO.653 An IS auditor finds that needed security patches cannot be applied to some of an
organization's network devices due to compatibility issues. The organization has not budgeted
sufficiently for security upgrades. Which of the following should the auditor recommend be done
FIRST?
A. Perform a risk analysis of the relevant security issues.
B. Prioritize funding for next year's budget.
C. Discuss adding compensating controls with the vendor.
D. Implement stronger security patch management processes.
Answer: A

NO.654 An advantage of object-oriented system development is that it:
A. partitions systems into a client/server architecture.
B. decreases the need for system documentation.
C. is suited to data with complex relationships.
D. is easier to code than procedural languages.
Answer: D

NO.655 At what point in software development should the user acceptance test plan be prepared?
A. Feasibility study
B. Transfer into production
C. Requirements definition
D. Implementation planning
Answer: C

NO.656 Which of the following is the BEST way to foster continuous improvement of IS audit
processes and practices?
A. Frequently review IS audit policies, procedures, and instruction manuals
B. Implement rigorous management review and sign-off of IS audit deliverables.
C. Invite external auditors and regulators to perform regular assessments of the IS audit function.
D. Establish and embed quality assurance (QA) within the IS audit function.
Answer: D

NO.657 Which of the following is the MOST useful information for an IS auditor to review when
formulating an audit plan for the organization's outsourced service provider?
A. The organization's procurement policy
B. Service level agreement (SLA) reports
C. The service provider's control self-assessment (CSA)
D. Independent audit reports
Answer: D

NO.658 Which of the following provides the MOST useful information to an IS auditor reviewing the
relationships between critical business processes and IT systems?
A. IT Portfolio Management
B. Enterprise architecture (EA)
C. Configuration management database (CMDB)
D. IT Service Management
Answer: B

NO.659 An organization experienced a domain name system (DNS) attack caused by default user
accounts not being removed from one of the servers. Which of the following would have been the
BEST way to mitigate the risk of this DNS attack?
A. Configure the servers from an approved standard configuration
B. Require all employees to attend training for secure configuration management
C. Have a third party configure the virtual servers
D. Configure the intrusion prevention system (IPS) to identify DNS attacks
Answer: A

NO.660 Which of the following would be of GREATEST concern if noted during an audit of
compliance with licensing agreements?
A. The organization does not monitor upgrades to its software.
B. Desktop software is personally expensed and not capitalized.
C. The software vendor requires monthly verification of licenses.
D. Distribution software is only maintained on a centralized server.
Answer: A

NO.661 Which of the following is the MOST important issue for an IS auditor to consider with regard
to Voice-over IP (VoIP) communications?
A. Nonrepudiation
B. Continuity of service
C. Homogeneity of the network
D. Identity management
Answer: C

NO.662 When using a wireless device, which of the following BEST ensures confidential access to
email via web mail?
A. Wired equivalent privacy (WEP)
B. Hypertext transfer protocol secure (HTTPS)
C. Simple object access protocol (SOAP)
D. Extensible markup language (XML)
Answer: A

NO.663 Which of the following is the GREATEST concern with conducting penetration testing on an
internally developed application in the production environment?
A. The testing could create application availability issues.
B. The testing may identify only known operating system vulnerabilities.
C. The issues identified during the testing may require significant remediation efforts.
D. Internal security staff may not be qualified to conduct application penetration testing.
Answer: A

NO.664 A multinational organization is integrating its existing payroll system with a human resource
information system. Which of the following should be of GREATEST concern to the IS auditor?
A. Application interfaces
B. Scope creep
C. System documentation
D. Currency conversion
Answer: C

NO.665 An IS auditor should ensure that an application's audit trail:
A. does not impact operational efficiency
B. is accessible online.
C. has adequate security.
D. logs all database records.
Answer: C

NO.666 The PRIMARY role of a control self-assessment (CSA) facilitator is to:
A. provide solutions for control weaknesses.
B. report on the internal control weaknesses.
C. focus the team on internal controls.
D. conduct interviews to gain background information.
Answer: C

NO.667 Which of the following BEST helps to identify errors during data transfer?
A. Decrease the size of data transfer packets.
B. Test the integrity of the data transfer.
C. Review and verify the data transfer sequence numbers.
D. Enable a logging process for data transfer.
Answer: C

NO.668 An organization allows employees to retain confidential data on personal mobile devices.
Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or
stolen devices?
A. Password protect critical data files.
B. Require employees to attend security awareness training.
C. Enable device auto-lock function.
D. Configure to auto-wipe after multiple failed access attempts.
Answer: A

NO.669 A system development project is experiencing delays due to ongoing staff shortages. Which
of the following strategies would provide the GREATEST assurance of system quality at
implementation?
A. Recruit IS staff to expedite system development
B. Deliver only the core functionality on the initial target date
C. Implement overtime pay and bonuses for all development staff
D. Utilize new system development tools to improve productivity
Answer: A

NO.670 Which of the following would an IS auditor recommend as the MOST effective preventive
control to reduce the risk of data leakage?
A. Ensure that paper documents are disposed of securely.
B. Implement an intrusion detection system (IDS).
C. Verify that application logs capture any changes made.
D. Validate that all data files contain digital watermarks
Answer: D

NO.671 An organization decides to establish a formal incident response capability with clear roles
and responsibilities facilitating centralized reporting of security incidents. Which type of control is
being implemented?
A. Corrective control
B. Compensating control
C. Preventive control
D. Detective control
Answer: A

NO.672 During the planning stage of a compliance audit, an IS auditor discovers that a bank's
inventory of compliance requirements does not include recent regulatory changes related to
managing data risk. What should the auditor do FIRST?
A. Exclude recent regulatory changes from the audit scope
B. Discuss potential regulatory issues with the legal department.
C. Report the missing regulatory updates to the chief information officer (CIO)
D. Ask management why the regulatory changes have not been included
Answer: B

NO.673 Which of the following is MOST important for an effective control self-assessment (CSA)
program?
A. Understanding the business process
B. Performing detailed test procedures
C. Evaluating changes to the risk environment
D. Determining the scope of the assessment
Answer: A

NO.674 What is the BEST justification for allocating more funds to implement a control for an IT
asset than the actual cost of the IT asset?
A. To protect the associated intangible business value
B. To comply with information security best practices
C. To avoid future audit findings
D. To maintain the residual value of the asset
Answer: A

NO.675 An online retailer is receiving customer complaints about receiving different items from
what they ordered on the organization's website. The root cause has been traced to poor data
quality. Despite efforts to clean erroneous data from the system, multiple data quality issues
continue to occur. Which of the following recommendations would be the BEST way to reduce the
likelihood of future occurrences?
A. Implement business rules to validate employee data entry.
B. Assign responsibility for improving data quality.
C. Outsource data cleansing activities to reliable third parties.
D. Invest in additional employee training for data entry.
Answer: A

NO.676 Which of the following is the MAIN benefit of using data analytics when testing the
effectiveness of controls?
A. Analytics can be applied to any type of control
B. Analytics remove the need to focus on areas of higher risk
C. The demand for IS auditors is reduced over time
D. The full population can be tested.
Answer: D

NO.677 Which of the following is the BEST way to mitigate risk to an organization's network
associated with devices permitted under a bring your own device (BYOD) policy?
A. Enable port security on all network switches
B. Ensure the policy requires antivirus software on devices
C. Require personal devices to be reviewed by IT staff
D. Implement a network access control system
Answer: B

NO.678 Which of the following should be the FIRST step in a data migration project?
A. Creating data conversion scripts.
B. Reviewing decisions on how processes should be conducted in the new system
C. Completing data cleanup in the current database to eliminate inconsistencies
D. Understanding the new system's data structure
Answer: D

NO.679 An IS auditor is verifying the adequacy of an organization's internal and is concerned about
potential circumvention of regulations. Which of the following is the BEST sampling method to use?
A. Attribute sampling
B. Variable sampling
C. Random sampling
D. Cluster sampling
Answer: A

NO.680 Which of the following is the MOST reliable way for an IS auditor to evaluate the operational
effectiveness of an organization's data loss prevention (DLP) controls?
A. Review data classification levels based on industry best practice.
B. Verify that confidential files cannot be transmitted to a personal USB device.
C. Conduct interviews to identify possible data protection vulnerabilities.
D. Verify that current DLP software is installed on all computer systems.
Answer: D

NO.681 An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited.
Which of the following should be of GREATEST concern to the auditor?
A. The risk assessment methodology relies on subjective audit judgments at certain points of the
process
B. The risk assessment methodology does not permit the collection of financial audit data
C. The risk assessment database does not include a complete audit universe
D. The risk assessment approach has not been approved by the risk manager
Answer: A

NO.682 An organization has suffered a number of incidents in which USB flash drives with sensitive
data have been lost. Which of the following would be MOST effective in preventing loss of sensitive
data?
A. Issuing encrypted USB flash drives to staff
B. Implementing a check-in/check-out process for USB flash drives
C. Increasing the frequency of security awareness training
D. Modifying the disciplinary policy to be more stringent
Answer: A

NO.683 Which of the following is MOST appropriate for measuring a batch processing application's
system performance over time?
A. System utilization
B. Idle time
C. Throughput
D. Uptime
Answer: C

NO.684 An IS auditor's independence with respect to the audit of an application system is MOST
likely to be impaired if the auditor:
A. designed an embedded audit module for the application
B. knows that the application contains the auditor's personal transactions
C. reports to an individual responsible for the application
D. performed a development review of the application.
Answer: C

NO.685 Which of the following poses the GREATEST security risk when implementing acquired
application systems?
A. Default logon IDs
B. Social engineering
C. Lack of audit logs
D. Password length
Answer: A

NO.686 Which of the following groups is MOST likely responsible for the implementation of IT
projects?
A. IT steering committee
B. IT strategy committee
C. IT compliance committee
D. IT governance committee
Answer: A

NO.687 Which of the following is the PRIMARY reason an IS auditor should use an IT-related
framework as a basis for scoping and structuring an audit?
A. It provides a foundation to recommend certification of the organization's compliance with the
framework.
B. It simplifies audit planning and reduces resource requirements to complete an audit.
C. It demonstrates to management whether legal and regulatory requirements have been met.
D. It helps ensure comprehensiveness of the review and provides guidance on best practices.
Answer: D

NO.688 Which of the following reports would provide the GREATEST assurance to an IS auditor
about the controls of a third party that processes critical data for the organization?
A. Independent control assessment
B. Black box penetration test report
C. Vulnerability scan report
D. The third party's control self-assessment (CSA)
Answer: A

NO.689 Which of the following is the role of audit leadership in ensuring the quality of audit and
engagement performance?
A. Ensuring audit customers remain highly satisfied with the quality of audit performance
B. Reviewing identified risks to ensure associated processes are included in the audit program
C. Reviewing key performance results to ensure process improvements are implemented
D. Ensuring the scope of peer quality assurance (QA) reviews is sufficient to address board concerns
Answer: C

NO.690 An IS auditor has discovered that unauthorized customer management software was
installed on a workstation. The auditor determines the software has been uploading customer data
to an external party. Which of the following is the IS auditor's BEST course of action?
A. Present the issue at the next audit progress meeting.
B. Review other workstations to determine the extent of the incident
C. Determine the number of customer records that were uploaded
D. Notify the incident response team
Answer: D

NO.691 Which cloud deployment model is MOST likely to be limited in scalability?
A. Hybrid
B. Private
C. Public
D. Community
Answer: B

NO.692 Within the context of an IT-related governance framework, which type of organization
would be considered MOST mature?
A. An organization in which processes are repeatable and results periodically reviewed
B. An organization in a state of dynamic growth with continuously updated policies and procedures
C. An organization with established sets of documented standard processes
D. An organization with processes systematically managed by continuous improvement
Answer: D

NO.693 When reviewing an organization's information security policies, an IS auditor should verify
that the policies have been defined PRIMARILY on the basis of
A. an information security framework
B. industry best practices
C. past information security incidents
D. a risk management process
Answer: A

NO.694 Which of the following is the PRIMARY reason that asset classification is vital to an
information security program?
A. To ensure risk mitigation efforts are adequate
B. To ensure sufficient resources are allocated for information security
C. To ensure asset protection efforts are in line with industry standards
D. To ensure the appropriate level of protection to assets
Answer: D

NO.695 When removing a financial application system from production, which of the following is
MOST important?
A. Media used by the retired system has been sanitized.
B. Data retained for regulatory purposes can be retrieved.
C. End-user requests for changes are recorded and tracked.
D. Software license agreements are retained.
Answer: B

NO.696 What privilege on a server containing data with different security classifications?
A. Applying access controls determined by the data owner
B. Limiting access to the data files based on frequency of use
C. Using scripted access control lists to prevent unauthorized access to the server
D. Obtaining formal agreement by users to comply with the data classification policy
Answer: A

NO.697 An IS auditor is evaluating a virtual server environment and learns that the production
server, development server and management console are housed in the same physical host. What
A. The physical host is a single point of failure.
B. The management console is a single point of failure
C. The development server and management console share the same host.
D. The development and production servers share the same host.
Answer: A

NO.698 An IS auditor is reviewing the change management process in a large IT service organization.
Which of the following observations would be the GREATEST concern?
A. Emergency software releases are not fully documented after implementation
B. User acceptance testing (UAT) can be waived in case of emergency software releases
C. Code is migrated manually into production during emergency software releases
D. A senior developer has permanent access to promote code for emergency software releases
Answer: D

NO.699 The operations team of an organization has reported an IS security attack. Which of the
following should be the FIRST step for the security incident response team?
A. Document lessons learned.
B. Perform a damage assessment.
C. Report results to management.
D. Prioritize resources for corrective action.
Answer: B

NO.700 Which of the following should be done by an IS auditor during a post-implementation
review of a critical application that has been operational for six months?
A. Assess project management risk reports.
B. Test program system interfaces.
C. Examine project change request logs
D. Verify the accuracy of data conversions
Answer: C

NO.701 An organization plans to launch a social media presence as part of a new customer service
campaign. Which of the following is the MOST significant risk from the perspective of potential
litigation?
A. Approved employees can use personal devices to post on the company's behalf.
B. There is a lack of clear procedures for responding to customers on social media outlets.
C. Access to corporate-sponsored social media accounts requires only single-factor authentication.
D. The policy stating what employees can post on the organization's behalf is unclear.
Answer: D

NO.702 Which of the following is MOST important for an IS auditor to confirm when conducting a
review of an active-active application cluster configuration?
A. The IT operations team maintains a version history of the cluster software.
B. Results from recent user satisfaction surveys meet operational targets.
C. The cluster switches between active-active and active-passive configurations.
D. The cluster configuration includes adequate network bandwidth.
Answer: D

NO.703 Which of the following is MOST important to have in place for the continuous improvement
of process maturity within a large IT support function?
A. Performance metrics dashboard
B. Control self-assessments (CSAs)
C. Regular internal audits
D. Project management
Answer: A

NO.704 In a 24/7 processing environment, a database contains several privileged application
accounts with passwords set to "never expire." Which of the following recommendations would BEST
address the risk with minimal disruption to the business?
A. Modify applications to no longer require direct access to the database.
B. Modify the access management policy to make allowances for application accounts
C. Schedule downtime to implement password changes
D. Introduce database access monitoring into the environment
Answer: B

NO.705 A small financial institution is preparing to implement a check image processing system to
support planned mobile banking product offerings Which of the following is MOST critical to the
successful implementation of the system?
A. Integration testing
B. Control design
C. End user training
D. Feasibility studies
Answer: A

NO.706 Which of the following is the MOST important operational aspect for an IS auditor to
consider when assessing an assembly line with quality control sensors accessible via wireless technology?
A. Known vulnerabilities
B. Resource utilization
C. Device security
D. Device updates
Answer: C

NO.707 An organization uses multiple offsite data center facilities Which of the following is MOST
important to consider when choosing related backup devices and media?
A. Standardization
B. Backup media capacity
C. Restoration speed
D. Associated costs
Answer: A

NO.708 An IS auditor intends to accept a management position in the data processing department
within the same organization. However, the auditor is currently working on an audit of a major
application and has not yet finished the report. Which of the following would be the BEST step for
the IS auditor to take?
A. Start in the position immediately.
B. Start in the position and inform the application owner of the job change.
C. Complete the audit without disclosure and then start in the position.
D. Disclose this issue to the appropriate parties.
Answer: D

NO.709 Which of the following is an example of a preventive control in an accounts payable
system?
A. The system produces daily payment summary reports that staff use to compare against invoice
totals.
B. Policies and procedures are clearly communicated to all members of the accounts payable
department.
C. The system only allows payments to vendors who are included in the system's master vendor list.
D. Backups of the system and its data are performed on a nightly basis and tested periodically.
Answer: C

NO.710 Spreadsheets are used to calculate project cost estimates Totals for each cost category are
then keyed into the job-costing system. What is the BEST control to ensure that data are accurately
entered into the system?
A. Validity checks preventing entry of character data
B. Reconciliation of total amounts by project
C. Display back of project detail after entry
D. Reasonableness checks for each cost type
Answer: B
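
The reconciliation control in NO.710 is a batch control total: the totals carried on the source (the spreadsheet) are recomputed from what was keyed and any project whose totals disagree is held back. The following is an added illustration, not part of the original question bank; the spreadsheet rows, keyed entries and the transposition error in them are constructed sample data.

```python
"""Batch control totals: reconcile per-project totals keyed into a job-costing
system against the spreadsheet they were copied from.

Added example; the rows below are constructed, not taken from any real system."""
from collections import defaultdict
from decimal import Decimal

# Constructed spreadsheet rows: (project, cost category, amount)
SPREADSHEET_ROWS = [
    ("P-100", "labour", Decimal("1250.00")),
    ("P-100", "labour", Decimal("800.00")),
    ("P-100", "materials", Decimal("2300.50")),
    ("P-200", "labour", Decimal("4100.00")),
    ("P-200", "equipment", Decimal("950.00")),
]

# Constructed keyed entries: what the clerk typed into the job-costing system.
# P-200 equipment carries a transposition error (950.00 keyed as 590.00).
KEYED_ENTRIES = [
    ("P-100", "labour", Decimal("2050.00")),
    ("P-100", "materials", Decimal("2300.50")),
    ("P-200", "labour", Decimal("4100.00")),
    ("P-200", "equipment", Decimal("590.00")),
]


def project_totals(rows):
    """Sum amounts per project; this is the control total on the batch header."""
    totals = defaultdict(Decimal)
    for project, _category, amount in rows:
        totals[project] += amount
    return dict(totals)


def reconcile(spreadsheet_rows, keyed_entries):
    """Return {project: (expected, keyed)} for every project whose keyed total
    differs from the spreadsheet total. An empty dict means the batch reconciles
    and can be released for processing; anything else is held for correction."""
    expected = project_totals(spreadsheet_rows)
    keyed = project_totals(keyed_entries)
    exceptions = {}
    for project in sorted(set(expected) | set(keyed)):
        e = expected.get(project, Decimal("0"))
        k = keyed.get(project, Decimal("0"))
        if e != k:
            exceptions[project] = (e, k)
    return exceptions


if __name__ == "__main__":
    for project, (e, k) in reconcile(SPREADSHEET_ROWS, KEYED_ENTRIES).items():
        print(f"{project}: spreadsheet {e} vs keyed {k} (difference {e - k})")
```

Validity and reasonableness checks on individual fields (options A and D) would not catch the error above, because 590.00 is a valid, plausible amount; only the project-level total exposes it.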

NO.711 Which of the following is the BEST way to mitigate the risk associated with malicious
changes to binary code during the software development life cycle (SDLC)?
A. Parity check
B. Digital envelope
C. Segregation of duties
D. Cryptographic hash
Answer: D

NO.712 An organization is running servers with critical business application that are in an area
subject to frequent but brief power outages. Knowledge of which of the following would allow the
organization's management to monitor the ongoing adequacy of the uninterruptable power supply
(UPS)?
A. Number of servers supported by the UPS
B. Duration and interval of the power outages
C. Business impact of server downtime
D. Mean time to recover servers after failure
Answer: C

NO.713 Which of the following is MOST helpful in preventing a systems failure from occurring when
an application is replaced using the abrupt changeover technique?
A. Comprehensive testing
B. Comprehensive documentation
C. Threat and risk assessment
D. Change management
Answer: D

NO.714 Which of the following controls is BEST implemented through system configuration?
A. Application user access is reviewed every 180 days for appropriateness
B. Computer operations personnel initiate batch processing jobs daily
C. Financial data in key reports is traced to source systems for completeness and accuracy.
D. Network user accounts for temporary workers expire after 90 days.
Answer: D

NO.715 Which of the following observations should be of GREATEST concern to an IS auditor
reviewing a large organization's IT steering committee?
A. Resource and priority conflict resolution has been delegated to the project management office
B. The committee does not include any current system administrators.
C. Business executives are not represented on the committee.
D. The committee has not formally approved the enterprise's IT architecture.
Answer: C

NO.716 Which of the following BEST describes the relationship between vulnerability scanning and
penetration testing?
A. The scope of both is determined primarily by the likelihood of exploitation
B. For entities with regulatory drivers, the two tests must be the same.
C. Both utilize a risk-based analysis that considers threat scenarios
D. Both are labor-intensive in preparation, planning and execution
Answer: C

NO.717 An IT governance framework provides an organization with:
A. assurance that there are surplus IT investments
B. assurance that there will be IT cost reductions
C. a basis for directing and controlling IT.
D. organizational structures to enlarge the market share through IT
Answer: C

NO.718 Which of the following would BEST detect that a distributed denial of service (DDoS) attack
is occurring?
A. Customer service complaints
B. Automated monitoring of logs
C. Server crashes
D. Penetration testing
Answer: B
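
Automated log monitoring (NO.718, option B) is the detective control that can distinguish a distributed flood from ordinary load before customers complain or servers crash. The following is an added illustration, not code from the original page: it buckets web-server access-log lines into one-second windows and alerts only when both the request rate and the number of distinct source addresses exceed thresholds, so a single noisy client is left to rate limiting. The log lines and thresholds are constructed.

```python
"""Automated log monitoring for a volumetric DDoS: flag one-second windows in
which request rate and distinct source count both jump far above baseline.

Added example; log lines and thresholds are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def window_stats(lines):
    """Bucket requests into one-second windows: {window: (count, distinct sources)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts = parsed
        key = ts.replace(microsecond=0)
        counts[key] += 1
        sources[key].add(ip)
    return {k: (counts[k], len(sources[k])) for k in counts}


def detect_ddos(lines, rate_threshold, source_threshold):
    """Return [(window_iso, requests, distinct_sources)] for windows over both
    thresholds. Requiring many distinct sources separates a distributed flood
    from one abusive client, which a per-client rate limit already handles."""
    alerts = []
    for window, (n, srcs) in sorted(window_stats(lines).items()):
        if n >= rate_threshold and srcs >= source_threshold:
            alerts.append((window.isoformat(), n, srcs))
    return alerts


def _line(ip, second):
    return f'{ip} - - [03/Mar/2024:10:00:{second:02d} +0000] "GET / HTTP/1.1" 200 512'


# Constructed sample: normal traffic at :00, a flood from 40 sources at :01,
# and a 40-request burst from a single client at :02 that is not distributed.
SAMPLE_LOG = (
    [_line("198.51.100.7", 0), _line("198.51.100.8", 0)]
    + [_line(f"203.0.113.{i}", 1) for i in range(1, 41)]
    + [_line("192.0.2.9", 2) for _ in range(40)]
)

if __name__ == "__main__":
    for w, n, s in detect_ddos(SAMPLE_LOG, rate_threshold=30, source_threshold=20):
        print(f"ALERT {w}: {n} requests from {s} distinct sources")
```

In production the thresholds would be derived from a measured baseline rather than fixed constants, and the alert would feed the incident process rather than a print statement.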

NO.719 An IS auditor has been asked to perform a post-implementation assessment of a new
corporate human resources (HR) system. Which of the following control areas would be MOST
important to review for the protection of employee information?
A. Data retention practices
B. Authentication mechanisms
C. Logging capabilities
D. System architecture
Answer: C

NO.720 Management has asked internal audit to prioritize and perform a specialized cybersecurity
audit, but the IS audit team has no experience in this area. Which of the following is the BEST course
of action?
A. Delay the audit until an experienced IS auditor has been hired.
B. Perform the audit as requested using third-party support.
C. Perform the audit with the most experienced IS auditors.
D. Delay the audit until the IS auditors are sufficiently trained
Answer: B

NO.721 Which of the following should be an IS auditor's GREATEST consideration when scheduling
follow-up activities for agreed-upon management responses to remediate audit observations?
A. Business interruption due to remediation
B. IT budgeting constraints
C. Risk rating of original findings
D. Availability of responsible IT personnel
Answer: C

NO.722 A healthcare facility offers patients health tracking devices that can be monitored remotely
by healthcare professionals. Which of the following is the BEST way to protect patient personal
information from unauthorized exfiltration?
A. Restrict the devices to using Internet Protocol (IP) version 6 only.
B. Configure the devices to reboot automatically every 7 days.
C. Provide the patients with Internet security training and education programs.
D. Add a digital certificate to the devices that limits communication to specific servers.
Answer: D

NO.723 An IS auditor finds that terminated users have access to financial applications. Which of the
following is the auditor's MOST important course of action when assessing the impact?
A. Inquire of management whether the terminated users left the organization on good terms.
B. Inspect the logs to determine whether the users accessed the applications after termination.
C. Review requests in the ticketing tool for removal of identified access.
D. Inspect the terminated employees' corporate email accounts.
Answer: B
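
Assessing impact in NO.723 means joining the HR termination dates to the application's authentication log and looking for successful logins after each user's last day. The following is an added illustration, not code from the original page; the HR extract, the log format and every record are constructed, and the field names (user=, event=, src=) are assumptions about what such a log carries.

```python
"""Check whether terminated users authenticated to a financial application
after their termination date, by joining HR termination records to the
application's authentication log.

Added example; log format, field names and all records are constructed."""
import re
from datetime import date, datetime

# Constructed HR extract: user id -> termination date (last day of employment)
TERMINATIONS = {
    "jdoe": date(2024, 1, 31),
    "asmith": date(2024, 2, 15),
    "rlee": date(2024, 3, 1),
}

# Constructed application auth log (one event per line)
AUTH_LOG = """\
2024-01-30T09:02:11Z app=fin-ledger user=jdoe event=LOGIN_SUCCESS src=10.1.4.22
2024-02-03T18:44:05Z app=fin-ledger user=jdoe event=LOGIN_SUCCESS src=10.1.4.22
2024-02-14T08:10:59Z app=fin-ledger user=asmith event=LOGIN_SUCCESS src=10.1.7.3
2024-02-20T07:55:13Z app=fin-ledger user=asmith event=LOGIN_FAILURE src=203.0.113.5
2024-03-05T12:00:00Z app=fin-ledger user=bnguyen event=LOGIN_SUCCESS src=10.1.2.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, event, src); malformed lines are skipped, not trusted."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("event"), m.group("src")


def post_termination_access(log_text, terminations):
    """Return [(user, timestamp, src)] for successful logins strictly after the
    user's termination date. Failed attempts are excluded: they show that the
    account still exists, but not that data was accessed."""
    hits = []
    for ts, user, event, src in parse_log(log_text):
        term = terminations.get(user)
        if term is None or event != "LOGIN_SUCCESS":
            continue
        if ts.date() > term:
            hits.append((user, ts.isoformat(), src))
    return hits


def terminated_access_not_used(log_text, terminations):
    """Terminated users with no post-termination login. Still a finding (access
    was not removed), but the impact assessment differs from actual use."""
    used = {u for u, _, _ in post_termination_access(log_text, terminations)}
    return sorted(set(terminations) - used)


if __name__ == "__main__":
    for user, when, src in post_termination_access(AUTH_LOG, TERMINATIONS):
        print(f"{user} logged in after termination at {when} from {src}")
    print("access present but unused:", terminated_access_not_used(AUTH_LOG, TERMINATIONS))
```

The split between users who actually logged in and users whose access merely persisted is what lets the auditor grade the finding: the former needs an investigation of what was accessed, the latter a deprovisioning fix.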

NO.724 Which of the following is the BEST way for an IS auditor to maintain visibility of a new
system implementation project when faced with resource limitations?
A. Review the target control environment.
B. Assess user acceptance test (UAT) results.
C. Attend steering committee meetings.
D. Evaluate the project plan and milestones
Answer: D

NO.725 Which of the following is the PRIMARY reason an IS auditor should discuss observations with
management before delivering a final report?
A. Identify business risks associated with the observations
B. Validate the audit observations.
C. Assist the management with control enhancements.
D. Record the proposed course of corrective action.
Answer: B

NO.726 An IS auditor finds that periodic reviews of read-only users for a reporting system are not
being performed. Which of the following should be the IS auditor's NEXT course of action?
A. Obtain a verbal confirmation from IT for this exemption.
B. Review the list of end users and evaluate for authorization.
C. Verify management's approval for this exemption.
D. Report this control process weakness to senior management.
Answer: B

NO.727 Which of the following backup schemes is the BEST option when storage media is limited?
A. Virtual backup
B. Real-time backup
C. Full backup
D. Differential backup
Answer: D

NO.728 Which of the following security assessment techniques attempts to exploit a system's open
ports?
A. Password cracking
B. Penetration testing
C. Vulnerability scanning
D. Network scanning
Answer: B

NO.729 Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted
audit techniques (CAATs)?
A. To efficiently test an entire population
B. To perform direct testing of production data
C. To conduct automated sampling for testing
D. To enable quicker access to information
Answer: A

NO.730 Which of the following is MOST critical for the effective implementation of IT governance?
A. Documented policies
B. Internal auditor commitment
C. Strong risk management practices
D. Supportive corporate culture
Answer: D

NO.731 Which of the following is a concern associated with virtualization?
A. Performance issues with the host could impact the guest operating systems.
B. One host can have multiple versions of the same operating system.
C. The physical footprint of servers could decrease within the data center.
D. Processing capacity may be shared across multiple operating systems.
Answer: A

NO.732 An organization with high availability resource requirements is selecting a provider for cloud
computing. Which of the following would cause the GREATEST concern to an IS auditor? The
provider:
A. hosts systems for the organization's competitor.
B. does not store backup media offsite.
C. is not internationally certified for high availability.
D. deploys patches automatically without testing.
Answer: D

NO.733 When deciding whether a third party can be used in resolving a suspected security
breach, which of the following should be the MOST important consideration for IT management?
A. Third-party cost
B. Incident priority rating
C. Data sensitivity
D. Audit approval
Answer: C

NO.734 An audit of the quality management system (QMS) begins with an evaluation of the:
A. organization's QMS policy
B. sequence and interaction of QMS processes
C. QMS processes and their application
D. QMS document control procedures
Answer: A

NO.735 Which of the following is MOST important for an organization to complete prior to
developing its disaster recovery plan (DRP)?
A. Risk assessment
B. Business impact analysis (BIA)


C. Comprehensive IT inventory
D. Support staff skills gap analysis
Answer: B

NO.736 Which of the following should an IS auditor expect to find when reviewing IT security policy?
A. Virus protection Implementation strategies
B. An inventory of information assets
C. A risk-based classification of systems
D. Assigned responsibility for safeguarding company assets
Answer: C

NO.737 An IS auditor is reviewing an organization's business continuity plan (BCP) following a
change in organizational structure with significant impact to business processes. Which of the
following findings should be the auditor's GREATEST concern?
A. Copies of the BCP have not been distributed to new business unit end users since the
reorganization
B. A test plan for the BCP has not been completed during the last two years.
C. Key business process end users did not participate in the business impact analysis (BIA)
D. The most recent business impact analysis (BIA) was performed two years before the
reorganization
Answer: A

NO.738 Due to a high volume of customer orders, an organization plans to implement a new
application for customers to use for online ordering Which type of testing is MOST important to
ensure the security of the application prior to go-live?
A. Stress testing
B. Vulnerability testing
C. Regression testing
D. User acceptance testing (UAT)
Answer: B

NO.739 During the implementation of a new system, an IS auditor must assess whether certain
automated calculations comply with the regulatory requirements. Which of the following is the BEST
way to obtain this assurance?
A. Review sign-off documentation.
B. Inspect user acceptance test (UAT) results.
C. Re-perform the calculation with audit software.
D. Review the source code related to the calculation.
Answer: C

NO.740 Which of the following provides an IS auditor assurance that the interface between a point of sale
(POS) system and the general ledger is transferring sales data completely and accurately?
A. Monthly bank statements are reconciled without exception.


B. The data transferred over the POS interface is encrypted.
C. Nightly batch processing has been replaced with real-time processing
D. Electronic copies of customer sales receipts are maintained.
Answer: A

NO.741 Which of the following features can be provided only by asymmetric encryption?
A. Data confidentiality
B. Information privacy
C. Nonrepudiation
D. 128-bit key length
Answer: C

NO.742 When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor
should FIRST review:
A. the IT governance framework.
B. the IT processes and procedures.
C. Information security procedures.
D. the most recent audit results.
Answer: A

NO.743 Which of the following would BEST enable an IS auditor to perform an audit that requires
testing the full population of data?
A. Expertise in statistical sampling of data
B. Proficiency in the use of data analytics tools
C. Experience in database administration
D. Proficiency in programming and coding
Answer: B

NO.744 Which of the following conditions would be of MOST concern to an IS auditor assessing the
risk of a successful brute force attack against encrypted data at rest?
A. Use of asymmetric encryption
B. Random key generation
C. Use of symmetric encryption
D. Short key length
Answer: D

NO.745 Which of the following is the BEST way to detect system security breaches?
A. Conducting frequent vulnerability scans
B. Conducting continuous monitoring with an automated system security tool
C. Ensuring maximum interoperability among systems throughout the organization
D. Performing intrusion tests on a regular basis
Answer: B

NO.746 Which of the following is the BEST detective control for a job scheduling process involving
data transmission?
A. Jobs are scheduled to be completed daily and data is transmitted using a secure File Transfer
Protocol (SFTP)
B. Job failure alerts are automatically generated and routed to support personnel
C. Metrics denoting the volume of monthly job failures are reported and reviewed by senior
management
D. Jobs are scheduled and a log of this activity is retained for subsequent review
Answer: B

NO.747 Which of the following statements appearing in an organization's acceptable use policy BEST
demonstrates alignment with data classification standards related to the protection of information
assets?
A. All information assets must be encrypted when stored on the organization's systems.
B. Any information assets transmitted over a public network must be approved by executive
management.
C. All information assets will be assigned a clearly defined level to facilitate proper employee
handling.
D. Information assets should only be accessed by persons with a justified need.
Answer: C

NO.748 The implementation of an IT governance framework requires that the board of directors of
an organization:
A. address technical IT issues.
B. be informed of all IT initiatives.
C. approve the IT strategy.
D. have an IT strategy committee.
Answer: B

NO.749 As part of a recent business-critical initiative, an organization is re-purposing its customer
data. However, its customers are unaware that their data is being used for another purpose. What is
the BEST recommendation to address the associated data privacy risk to the organization?
A. Obtain customer consent for secondary use of the data.
B. Adjust the existing data retention requirements.
C. Ensure the data processing activity remains onshore.
D. Maintain an audit trail of the data analysis activity
Answer: A

NO.750 Tunneling provides additional security for connecting one host to another through the
Internet by:
A. providing end-to-end encryption.
B. facilitating the exchange of public key infrastructure (PKI) certificates
C. preventing password cracking and replay attacks
D. enabling the use of stronger encryption keys
Answer: C

NO.751 Which of the following BEST enables system resiliency for an e-commerce organization that
requires a low recovery time objective (RTO) and a low recovery point objective (RPO)?
A. Remote backups
B. Redundant arrays
C. Nightly backups
D. Mirrored sites
Answer: D

NO.752 An IS auditor finds that application servers had inconsistent security settings leading to
potential vulnerabilities Which of the following is the BEST recommendation by the IS auditor?
A. Perform a penetration test
B. Establish security metrics.
C. Improve the change management process
D. Perform a configuration review
Answer: B

NO.753 What is the MOST difficult aspect of access control in a multiplatform, multiple-site
client/server environment?
A. Restricting a local user to necessary resources on a local platform
B. Maintaining consistency throughout all platforms
C. Restricting a local user to necessary resources on the host server
D. Creating new user IDs valid only on a few hosts
Answer: B

NO.754 Which of the following is the BEST way to mitigate the impact of ransomware attacks?
A. Backing up data frequently
B. Requiring password changes for administrative accounts
C. Invoking the disaster recovery plan (DRP)
D. Paying the ransom
Answer: A

NO.755 The PRIMARY focus of audit follow-up reports should be to:
A. assess if new risks have developed.
B. determine if audit recommendations have been implemented.
C. verify the completion date of the implementation.
D. determine if past findings are still relevant.
Answer: B

NO.756 Which of the following should be the FIRST step in an organization's forensics process to
preserve evidence?
A. Create the forensics analysis reporting template
B. Determine which forensic tools to use
C. Perform analytics on digital evidence obtained using forensic methods
D. Duplicate digital evidence and validate it using a hash function
Answer: D
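
NO.711 (a cryptographic hash to detect malicious changes to binaries during the SDLC) and NO.756 (duplicate the evidence and validate it with a hash) rely on the same property: any change to the bytes changes the digest. The following is an added illustration, not code from the original page, showing both uses with one helper; the "binaries" and the "evidence" are constructed byte strings, and the manifest format is an assumption (real build systems additionally sign the manifest).

```python
"""Cryptographic hashes as an integrity control, used two ways:
1. build integrity: the digest of each release binary is recorded at build
   time and re-checked before deployment, so a binary altered afterwards fails;
2. evidence preservation: a forensic duplicate is hashed before and after
   copying, and analysis proceeds only on a copy whose digest matches.

Added example; all artifacts and evidence below are constructed byte strings."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts):
    """artifacts: {name: bytes} from the build -> {name: sha256 hex}.
    Assumption: the build system signs this manifest so it cannot be rewritten
    by whoever tampers with the binary."""
    return {name: sha256_hex(blob) for name, blob in artifacts.items()}


def verify_artifacts(artifacts, manifest):
    """Return names whose digest does not match the manifest, plus names absent
    from the manifest: an unexpected extra file is as suspicious as a changed one."""
    bad = []
    for name, blob in artifacts.items():
        expected = manifest.get(name)
        if expected is None or not hmac.compare_digest(expected, sha256_hex(blob)):
            bad.append(name)
    return sorted(bad)


def acquire_image(source: bytes):
    """Hash the original before copying, then take a bit-for-bit duplicate.
    Returns (copy, source_hash). bytes() stands in for a block-level image."""
    source_hash = sha256_hex(source)
    copy = bytes(source)
    return copy, source_hash


def validate_image(copy: bytes, source_hash: str) -> bool:
    """True only if the duplicate hashes to the same value as the original;
    this is what should be recorded in the chain-of-custody log."""
    return hmac.compare_digest(sha256_hex(copy), source_hash)


# Constructed release: two "binaries" as produced by the build
ARTIFACTS = {"app.bin": b"\x7fELF-app-v1.2.0", "lib.so": b"\x7fELF-lib-v1.2.0"}
EVIDENCE = b"constructed disk image contents"

if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    deployed = dict(ARTIFACTS)
    deployed["app.bin"] = ARTIFACTS["app.bin"] + b"\x90"  # one appended byte
    print("tampered before deployment:", verify_artifacts(deployed, manifest))
    copy, h = acquire_image(EVIDENCE)
    print("forensic copy validated:", validate_image(copy, h))
```

Note that a hash alone is a detective control; who may write to the manifest (or sign it) is the preventive control, which is why NO.711 pairs the hash with segregation of duties in its distractors.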

NO.757 Which of the following is MOST important for an IS auditor to review when evaluating the
accuracy of a spreadsheet that contains several macros?
A. Formulas within macros
B. Reconciliation of key calculations
C. Version history
D. Encryption of the spreadsheet
Answer: B

NO.758 During recent post-implementation reviews, an IS auditor has noted that several deployed
applications are not being used by the business. The MOST likely cause would be the lack of:
A. IT portfolio management.
B. IT resource management.
C. system support documentation.
D. change management.
Answer: A

NO.759 An IS auditor finds that a recently deployed application has a number of developers with
inappropriate update access left over from the testing environment Which of the following would
have BEST prevented the update access from being migrated?
A. Including a step within the SDLC to clean-up access prior to go-live
B. Holding the application owner accountable for application security
C. Establishing a role based matrix for provisioning users
D. Re-assigning user access rights in the quality assurance (QA) environment
Answer: C

NO.760 An IS audit reveals an organization's IT department reports any deviations from its security
standards to an internal IT risk committee involving IT senior management. Which of the following
should be the IS auditor's GREATEST concern?
A. The list of IT risk committee members does not include the board member responsible for IT.
B. The IT risk committee has no reporting line to any governance committee outside IT.
C. The IT risk committee meeting minutes are not signed off by all participants.
D. The chief information officer (CIO) did not attend a number of IT risk committee meetings during
the past year.
Answer: B

NO.761 Which of the following is MOST important for an IS auditor to verify when reviewing a
critical business application that requires high availability?
A. Algorithms are reviewed to resolve process inefficiencies.
B. Users participate in offsite business continuity testing.
C. There is no single point of failure.
D. Service level agreements (SLAs) are monitored.
Answer: C

NO.762 Which of the following controls will BEST ensure that the board of directors receives
sufficient information about IT?
A. The CIO reports on performance and corrective actions in a timely manner.
B. Board members are knowledgeable about IT and the CIO is consulted on IT issues.
C. The CIO regularly sends IT trend reports to the board.
D. Regular meetings occur between the board, the CIO, and a technology committee.
Answer: B

NO.763 When reviewing an organization's data protection practices, an IS auditor should be MOST
concerned with a lack of:
A. a security team.
B. data classification.
C. training manuals.
D. data encryption.
Answer: B

NO.764 After discussing findings with an auditee, an IS auditor is required to obtain approval of the
report from the CEO before issuing it to the audit committee. This requirement PRIMARILY affects
the IS auditor's:
A. judgment
B. effectiveness
C. independence
D. integrity
Answer: C

NO.765 An IS auditor previously worked in an organization's IT department and was involved with
the design of the business continuity plan (BCP). The IS auditor has now been asked to review this
same BCP. The auditor should FIRST:
A. document the conflict in the audit report.
B. decline the audit assignment.
C. communicate the conflict of interest to the audit manager prior to starting the assignment.
D. communicate the conflict of interest to the audit committee prior to starting the assignment
Answer: D

NO.766 Which of the following provides an IS auditor the MOST assurance that an organization is
compliant with legal and regulatory requirements?
A. Senior management has provided attestation of legal and regulatory compliance
B. Controls associated with legal and regulatory requirements have been identified and tested
C. There is no history of complaints or fines from regulators regarding noncompliance
D. The IT manager is responsible for the organization's compliance with legal and regulatory
requirements.
Answer: B

NO.767 Which of the following is MOST likely to be detected by an IS auditor applying data analytic
techniques?
A. Potentially fraudulent invoice payments originating within the accounts payable department
B. Completion of inappropriate cross-border transmission of personally identifiable information (PII)
C. Unauthorized salary or benefit changes to the payroll system generated by authorized users
D. Issues resulting from an unsecured application automatically uploading transactions to the general
ledger
Answer: C

NO.768 The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:
A. service level agreement (SLA).
B. balanced Scorecard.
C. risk management review.
D. control self-assessment (CSA).
Answer: B

NO.769 A characteristic of a digital signature is that it:
A. is unique to the message.
B. is under control of the receiver.
C. is validated when data are changed.
D. has a reproducible hashing algorithm.
Answer: A

NO.770 Which of the following is the GREATEST threat to Voice-over Internet Protocol (VoIP) related
to privacy?
A. Call recording
B. Incorrect routing
C. Eavesdropping
D. Denial of service (DoS)
Answer: C

NO.771 An IS auditor reviewing a high-risk business application has identified the need to
strengthen controls for reporting malfunctions to management Which of the following would BEST
facilitate timely reporting?
A. Change prioritization
B. Security event logging
C. Performance monitoring
D. Incident management procedures
Answer: C

NO.772 The BEST way to validate whether a malicious act has actually occurred in an application is
to review:
A. change management logs.
B. segregation of duties
C. activity logs
D. access controls
Answer: C

NO.773 Which of the following responsibilities of an organization's quality assurance (QA) function
should raise concern for an IS auditor?
A. Ensuring the test work supports observations
B. Updating development methodology
C. Ensuring standards are adhered to within the development process
D. Implementing solutions to correct defects
Answer: D

NO.774 The decision to accept an IT control risk related to data quality should be the responsibility
of the:
A. information security team.
B. chief information officer (CIO).
C. business owner.
D. IS audit manager.
Answer: C

NO.775 Which of the following is a corrective control?
A. Reviewing user access rights for segregation of duties
B. Executing emergency response plans
C. Verifying duplicate calculations in data processing
D. Separating equipment development, testing, and production
Answer: B

NO.776 Which of the following should be the FIRST step when planning an IS audit of a third-
party service provider that monitors network activities?
A. Evaluate the organization's third-party monitoring process.
B. Determine if the organization has a secure connection to the provider.
C. Review the roles and responsibilities of the third-party provider.
D. Review the third party's monitoring logs and incident handling.
Answer: C

NO.777 Which of the following is the MOST important benefit of involving IS audit when
implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B. Verifying that legal, regulatory and contractual requirements are being met
C. Providing independent and objective feedback to facilitate improvement of IT processes
D. Making decisions regarding risk response and monitoring of residual risk
Answer: C

NO.778 An evaluation of an IT department finds that some IT goals do not align with the
organization's goals. Which of the following would be the GREATEST impact?
A. IT goals may not be valued across the organization
B. IT may not meet thresholds on the balanced scorecard
C. IT resources may not be effectively managed
D. IT may prioritize projects with little perceived value outside the department
Answer: A

NO.779 In a public-key cryptosystem, when there is no previous knowledge between parties, which
of the following will BEST help to prevent one person from using a fictitious key to impersonate
someone else?
A. Send the public key to the recipient prior to establishing the connection
B. Encrypt the message containing the sender's public key using a private-key cryptosystem
C. Encrypt the message containing the sender's public key using the recipient's public key
D. Send a certificate that can be verified by a certification authority with the public key
Answer: D

NO.780 During a review, an IS auditor notes that an organization's marketing department has
purchased a cloud-based software application without following the procurement process. What
should the auditor do FIRST?
A. Perform a risk analysis.
B. Escalate to senior management.
C. Review the procurement process.
D. Review the business impact analysis (BIA).
Answer: A

NO.781 In a database management system (DBMS), normalization is used to:
A. standardize data names
B. reduce data redundancy
C. eliminate processing deadlocks
D. reduce access time
Answer: B

NO.782 An organization is within a jurisdiction where new regulations have recently been
announced to restrict cross-border data transfer of personally identifiable information (PII). Which of
the following IT decisions will MOST likely need to be assessed in the context of this?
A. Hiring IT consultants from overseas
B. Purchasing cyber insurance from an overseas insurance company
C. Applying encryption to databases hosting PII data
D. Hosting the payroll system at an external cloud service provider
Answer: D

NO.783 An employee has accidentally posted confidential data to the company's social media page.
Which of the following is the BEST control to prevent this from recurring?
A. Perform periodic audits of social media updates.
B. Implement a moderator approval process.
C. Require all updates to be made by the marketing director.
D. Establish two-factor access control for social media accounts.
Answer: B

NO.784 Which of the following is the PRIMARY reason for an organization's procurement processes
to include an independent party who is not directly involved with business operations and related
decision-making?
A. To ensure continuity of processes and procedures
B. To optimize use of business team resources
C. To avoid conflicts of interest
D. To ensure favorable price negotiations
Answer: C

NO.785 Which of the following is the BEST way for an IS auditor to validate that employees have
been made aware of the organization's information security policy?
A. Interview employees to determine their level of understanding of the policy
B. Compare the employee roster against a list of those who attended security training
C. Review HR records for employee violations of the information security policy.
D. Review the training process to determine how policies are explained to employees
Answer: A

NO.786 An organization has implemented a quarterly job schedule to update database tables so
prices are adjusted in line with a price index. These changes do not go through the regular change
management process. Which of the following is the MOST important control to have in place?
A. An overarching approval is obtained from the change advisory board
B. Each production run is approved by an authorized individual
C. User acceptance testing (UAT) is performed after the production run
D. Exception reports are generated to identify anomalies
Answer: B

NO.787 Which of the following BEST minimizes performance degradation of servers used to
authenticate users of an e-commerce website?
A. Configure each authentication server and ensure that the disks of each server form part of a
duplex.
B. Configure each authentication server and ensure that each disk of its RAID is attached to the
primary controller.
C. Configure a single server as a primary authentication server and a second server as a secondary
authentication server.
D. Configure each authentication server as belonging to a cluster of authentication servers.
Answer: D

NO.788 An IS auditor is following up on prior period items and finds management did not address an
audit finding. Which of the following should be the IS auditor's NEXT course of action?
A. Interview management to determine why the finding was not addressed
B. Recommend alternative solutions to address the repeat finding
C. Conduct a risk assessment of the repeat finding
D. Note the exception in a new report as the item was not addressed by management
Answer: A

NO.789 Data analytics Tools are BEST suited for which of the following purposes?
A. Identifying business process errors
B. Quantifying business impact analysis (BIA) results
C. Examining low-frequency business transactions
D. Analyzing the effectiveness of risk assessment processes
Answer: C

NO.790 Which of the following is the PRIMARY benefit of performing a maturity model assessment?
A. It acts as a measuring tool and progress indicator
B. It ensures organizational consistency and improvement
C. It identifies and fixes attribute weaknesses
D. It facilitates the execution of an improvement plan
Answer: D

NO.791 Which of the following fire suppression systems needs to be combined with an automatic
switch to shut down the electricity supply in the event of activation?
A. Halon
B. FM-200
C. Carbon dioxide
D. Dry pipe
Answer: D

NO.792 When evaluating the recent implementation of an intrusion detection system (IDS), an IS
auditor should be MOST concerned with inappropriate:
A. training
B. encryption
C. tuning
D. patching
Answer: C

NO.793 While conducting a system architecture review, an IS auditor learns of multiple complaints
from field agents about the latency of a mobile thin client designed to provide information during site
inspections Which of the following is the BEST way to address this situation?
A. Upgrade the processors in the field agents' mobile devices
B. Deploy a middleware application to improve messaging between application components.
C. Switch to a thick-client architecture that does not require a persistent network connection.
D. Upgrade the thin-client software to provide more informative error messages during application
loading
Answer: B

NO.794 Which of the following is the MOST significant operational risk associated with the use of
virtualization?
A. Inadequate backup procedures
B. Performance issues of hosts
C. Insufficient network bandwidth
D. Single point of failure
Answer: B

NO.795 Which of the following establishes the role of the internal audit function?
A. Audit objectives
B. Audit project plan
C. Audit charter
D. Audit governance
Answer: C

NO.796 Of the following, who should approve a release to a critical application that would make the
application inaccessible for 24 hours?
A. Business process owner
B. Data custodian
C. Project manager
D. Chief information security officer (CISO)
Answer: A

NO.797 A company uses a standard form to document and approve all changes in production
programs. To ensure that the forms are properly authorized, which of the following is the MOST
effective sampling method?
A. Random
B. Stratified
C. Attribute
D. Variable
Answer: C

NO.798 Which of the following observations noted during a review of the organization's social
media practices should be of MOST concern to the IS auditor?
A. The organization does not require approval for social media posts.
B. Not all employees using social media have attended the security awareness program.
C. The organization does not have a documented social media policy.
D. More than one employee is authorized to publish on social media on behalf of the organization
Answer: C

NO.799 Which of the following metrics would BEST measure the agility of an organization's IT
function?
A. Frequency of security assessments against the most recent standards and guidelines
B. Average time to turn strategic IT objectives into an agreed upon and approved initiative
C. Average number of learning and training hours per IT staff member
D. Percentage of staff with sufficient IT-related skills for the competency required of their roles
Answer: B

NO.800 Which of the following analytical methods would be MOST useful when trying to identify
groups with similar behavior or characteristics in a large population?
A. Random sampling
B. Classification
C. Deviation detection
D. Cluster sampling
Answer: D

NO.801 During a business process re-engineering (BPR) program, IT can assist with:
A. segregation of duties
B. streamlining of tasks
C. total cost of ownership,
D. focusing on value-added tasks.
Answer: B

NO.802 In an environment that automatically reports all program changes. which of the following is
the MOST efficient way to detect unauthorized changes to production programs?
A. Manually comparing code in production programs to controlled copies
B. Verifying user management approval of modifications
C. Reviewing the last compile date of production programs
D. Periodically running and reviewing test data against production programs
Answer: B

NO.803 Which of the following should be defined in an audit charter?
A. Audit methodology
B. Audit schedule
C. Audit results
D. Audit authority
Answer: D

NO.804 A bank is relocating its servers to a vendor that provides data center hosting services to
multiple clients. Which of the following controls would restrict other clients from physical access to
the bank servers?
A. Locking server cages
B. Biometric access at all data center entrances
C. 24-hour security guards
D. Closed-circuit television camera
Answer: A

NO.805 An e-commerce enterprise's disaster recovery (DR) site has 30% less processing capability
than the primary site. Based on this information, which of the following presents the GREATEST risk?
A. Network firewalls and database firewalls at the DR site do not provide high availability.
B. No disaster recovery plan (DRP) testing has been performed during the last six months.
C. The DR site is in a shared location that hosts multiple other enterprises.
D. The DR site has not undergone testing to confirm its effectiveness.
Answer: D

NO.806 What is the BEST method for securing credit card numbers stored temporarily on a file
server prior to transmission to the downstream system for payment processing?
A. One-way hash with strong cryptography
B. Masking the full credit card number
C. Encryption with strong cryptography
D. Truncating the credit card number
Answer: C

NO.807 Which of the following is a deterrent security control that reduces the likelihood of an
insider threat event?
A. Removing malicious code
B. Creating contingency plans
C. Distributing disciplinary policies
D. Executing data recovery procedures
Answer: C

NO.808 Which of the following is a benefit of the DevOps development methodology?
A. It leads to a well-defined system development life cycle (SDLC)
B. It enforces segregation of duties between code developers and release migrators.
C. It enables increased frequency of software releases to production.
D. It restricts software releases to a fixed release schedule
Answer: C

NO.809 Which type of testing is MOST important to perform during a project audit to help ensure
business objectives are met?
A. Functional testing
B. System testing
C. Regression testing
D. Pilot testing
Answer: A

NO.810 Which of the following provides the MOST comprehensive understanding of an
organization's information security posture?
A. Risk management metrics
B. External audit findings
C. Results of vulnerability assessments
D. The organization's security incident trends
Answer: A

NO.811 Which of the following is MOST important to ensure that electronic evidence collected
during a forensic investigation will be admissible in future legal proceeding?
A. Documentation of evidence handling by personnel throughout the forensic investigation
B. Engaging an independent third party to perform the forensic investigation
C. Restricting evidence access to professionally certified forensic investigators
D. Performing investigative procedures on the original hard drives rather than images of the hard
drives
Answer: A

NO.812 Which of the following is MOST important for an IS auditor to consider when planning an
assessment of the organization's end-user computing (EUC) program?
A. The integrity of data processed by end user tools
B. The inclusion of end user tools in the IT balanced scorecard
C. The training program curriculum for key end users
D. Identification of IT owners for each end user tool
Answer: A

NO.813 When conducting a requirements analysis for a project, the BEST approach would be to:
A. consult key stakeholders
B. conduct a control self-assessment (CSA)
C. prototype the requirements
D. test operational deliverables
Answer: A
NO.814 During an ongoing audit, management requests a briefing on the findings to date. Which of
the following is the IS auditor's BEST course of action?
A. Present observations for discussion only.
B. Request management wait until a final report is ready for discussion
C. Request the auditee provide management responses
D. Review working papers with the auditee
Answer: A

NO.815 What is the MOST critical finding when reviewing an organization's information security
management?
A. No periodic assessments to identify threats and vulnerabilities
B. No dedicated security officer
C. No employee awareness training and education program
D. No official charter for the information security management system
Answer: A

NO.816 An organization's strategy to source certain IT functions from a Software as a Service (SaaS)
provider should be approved by the:
A. chief financial officer (CFO).
B. IT steering committee
C. chief risk officer (CRO)
D. IT operations manager
Answer: B

NO.817 A third-party service provider is hosting a private cloud for an organization. Which of the
following findings during an audit of the provider poses the GREATEST risk to the organization?
A. 2% of backups had to be rescheduled due to backup media failures.
B. The organization's virtual machines share the same hypervisor with virtual machines of other
clients.
C. Two different hypervisor versions are used due to the compatibility restrictions of some virtual
machines.
D. 5% of detected incidents exceeded the defined service level agreement (SLA) for escalation.
Answer: B

NO.818 A CIO has asked an IS auditor to implement several security controls for an organization's IT
processes and systems. The auditor should:
A. obtain approval from executive management for the implementation
B. communicate the conflict of interest to audit management
C. perform the assignment and future audits with due professional care.
D. refuse due to independence issues.
Answer: B
NO.819 When determining whether a project in the design phase will meet organizational
objectives, what is BEST to compare against the business case?
A. Requirements analysis
B. Project budget provisions
C. Implementation plan
D. Project plan
Answer: A

NO.820 The use of symmetric key encryption controls to protect sensitive data transmitted over a
communications network requires that:
A. public keys be stored in encrypted form.
B. encryption keys at one end be changed on a regular basis
C. primary keys for encrypting the data be stored in encrypted form
D. encryption keys be changed only when a compromise is detected at both ends
Answer: C

NO.821 Which of the following findings would be of GREATEST concern when auditing an
organization's end-user computing (EUC)?
A. Inability to monitor EUC audit logs and activities
B. Inconsistency of patching processes being followed
C. Reduced oversight by the IT department
D. Errors flowed through to financial statements
Answer: D

NO.822 Which of the following is the MOST important feature of access control software?
A. Authentication
B. Identification
C. Violation reporting
D. Nonrepudiation
Answer: A

NO.823 Which of the following is the MOST effective way to identify anomalous transactions when
performing a payroll fraud audit?
A. Substantive testing of payroll files
B. Data analytics on payroll data
C. Observation of payment processing
D. Sample-based review of pay stubs
Answer: B

NO.824 An organization is planning to re-purpose workstations that were used to handle
confidential information. Which of the following would be the IS auditor's BEST recommendation to
dispose of this information?
A. Overwrite the disks with random data
B. Erase the disks by degaussing.
C. Delete the disk partitions.
D. Reformat the disks.
Answer: A

NO.825 Which of the following will MOST likely compromise the control provided by a digital
signature created using RSA encryption?
A. Deciphering the receiver's public key
B. Obtaining the sender's private key
C. Altering the plaintext message
D. Reversing the hash function using the digest
Answer: B

NO.826 The IS auditor has recommended that management test a new system before using it in
production mode. The BEST approach for management in developing a test plan is to use processing
parameters that are:
A. randomly selected by the user
B. provided by the vendor of the application.
C. simulated by production entities and customers
D. randomly selected by a test generator
Answer: C

NO.827 Following an IS audit, which of the following types of risk would be MOST critical to
communicate to key stakeholders?
A. Residual
B. Audit
C. Inherent
D. Control
Answer: A

NO.828 A bank's web-hosting provider has just completed an internal IT security audit and provides
only a summary of the findings to the bank's auditor. Which of the following should be the bank's
GREATEST concern?
A. The bank's auditors are not independent of the service provider.
B. The audit may be duplicative of the bank's internal audit procedures.
C. The audit procedures are not provided to the bank.
D. The audit scope may not have addressed critical areas.
Answer: D

NO.829 The practice of periodic secure code reviews is which type of control?
A. Preventive
B. Compensating
C. Corrective
D. Detective
Answer: D

NO.830 During a follow-up audit, an IS auditor finds that some critical recommendations have not
been addressed as management has decided to accept the risk. Which of the following is the IS
auditor's BEST course of action?
A. Require the auditee to address the recommendations in full.
B. Adjust the annual risk assessment accordingly.
C. Evaluate senior management's acceptance of the risk.
D. Update the audit program based on management's acceptance of risk.
Answer: C

NO.831 Which of the following is The MOST effective accuracy control for entry of a valid numeric
part number?
A. Comparison to historical order pattern
B. Self-checking digit
C. Hash totals
D. Online review of description
Answer: B
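The self-checking digit in the answer above is an entry-time accuracy control: the last digit is computed from the others, so a mistyped or transposed digit is rejected before the value is stored. As an added example, not part of the exam material, here is the Luhn scheme (the one used for payment card numbers) applied to a hypothetical numeric part number; the sample numbers are constructed for the demonstration.

```python
# Added example (not part of the exam dump): a self-checking digit using the
# Luhn algorithm. The check digit is derived from the other digits, so a
# single mistyped digit and most adjacent transpositions are rejected at
# entry time, before the value reaches a file or a database.

def luhn_check_digit(body: str) -> str:
    """Return the check digit that makes body + digit Luhn-valid."""
    if not body.isdigit():
        raise ValueError("part number body must be numeric")
    total = 0
    # Walk right to left. The digit immediately left of the (future) check
    # digit is doubled, then every second digit after that; doubled values
    # above 9 have 9 subtracted, which equals summing their two digits.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True when the final digit of number is the correct Luhn check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]

def classify_entry(correct: str, entered: str) -> str:
    """Describe what the control does with a keyed value (demo helper)."""
    if entered == correct:
        return "accepted: matches"
    return "rejected" if not luhn_valid(entered) else "ACCEPTED IN ERROR"

# Constructed sample: body 7992739871 gets check digit 3.
SAMPLE_BODY = "7992739871"
SAMPLE_PART_NUMBER = SAMPLE_BODY + luhn_check_digit(SAMPLE_BODY)

if __name__ == "__main__":
    print("part number:", SAMPLE_PART_NUMBER)
    print("one digit wrong:", classify_entry(SAMPLE_PART_NUMBER, "79927398717"))
    print("two digits swapped:", classify_entry(SAMPLE_PART_NUMBER, "79927398173"))
```

The contrast with the other options is the point: a hash total (option C) only detects a discrepancy across a batch after the fact, while the check digit rejects the individual bad entry at the keyboard. Luhn is not perfect; the one adjacent transposition it cannot see is 09 swapped with 90, which is why schemes such as Verhoeff or Damm exist when that gap matters.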

NO.832 An IS audit team is evaluating the documentation related to the most recent application
user-access review performed by IT and business management. It is determined that the user list was
not system-generated. Which of the following should be the GREATEST concern?
A. Source of the user list reviewed
B. Availability of the user list reviewed
C. Completeness of the user list reviewed
D. Confidentiality of the user list reviewed
Answer: C

NO.833 Which of the following is the MOST important consideration when prioritizing IT systems for
penetration testing?
A. Threat intelligence relevant to the systems
B. Network topology or architecture of the systems
C. Accessibility of the systems via the Internet
D. Upstream and downstream data flows of the systems
Answer: A

NO.834 An IS auditor determines that a business continuity plan has not been reviewed and
approved by management. Which of the following is the MOST significant risk associated with this
situation?
A. Continuity planning may be subject to resource constraints.
B. The plan may not be aligned with industry best practice.
C. Critical business processes may not be addressed adequately.
D. The plan has not been reviewed by risk management.
Answer: C

NO.835 Which of the following BEST determines if a batch update job was successfully executed?
A. Obtaining process owner confirmation that the job was completed
B. Verifying the timestamp from the job log
C. Reviewing a copy of the script for the job
D. Testing a sample of transactions to confirm updates were applied
Answer: D

NO.836 Which of the following would be of MOST concern during an audit of an end-user computing
(EUC) system containing sensitive information?
A. The system's anti-virus software is outdated.
B. System data is not protected.
C. Audit logging is not available.
D. Service level agreements (SLAs) are undefined.
Answer: B

NO.837 Coding standards provide which of the following?
A. Field naming conventions
B. Access control tables
C. Data flow diagrams
D. Program documentation
Answer: A

NO.838 Which of the following are examples of detective controls?
A. Use of access control software and deploying encryption software
B. Source code review and echo checks in telecommunications
C. Check points in production jobs and rerun procedures
D. Continuity of operations planning and backup procedures
Answer: B

NO.839 An external IS auditor has been engaged to determine the organization's cybersecurity
posture. Which of the following is MOST useful for this purpose?
A. Control self-assessment (CSA)
B. Compliance reports
C. Industry benchmark
D. Capability maturity assessment.
Answer: D

NO.840 Which of the following is the BEST compensating control for a lack of proper segregation of
duties in an IT department?
A. Audit trail reviews
B. System activity logging
C. Authorization forms
D. Control self-assessment (CSA)
Answer: A

NO.841 End users have been demanding the ability to use their own devices for work, but want to
keep personal information out of corporate control. Which of the following would be MOST effective
at reducing the risk of security incidents while satisfying end user requirements?
A. Enable remote wipe capabilities for the devices.
B. Encrypt corporate data on the devices.
C. Implement an acceptable use policy.
D. Require complex passwords.
Answer: C

NO.842 Which of the following represents the HIGHEST level of maturity of an information security
program?
A. A framework is in place to measure risks and track effectiveness.
B. Information security policies and procedures are established
C. The program meets regulatory and compliance requirements
D. A training program is in place to promote information security awareness
Answer: A

NO.843 A client/server configuration will:
A. keep track of all the clients using the IS facilities of a service organization.
B. limit the clients and servers relationship by limiting the IS facilities to a single hardware system.
C. enhance system performance through the separation of front-end and back-end processes.
D. optimize system performance by having a server on a front-end and clients on a host.
Answer: C

NO.844 To protect information assets, which of the following should be done FIRST?
A. Encrypt data.
B. Restrict access to data.
C. Back up data.
D. Classify data.
Answer: D

NO.845 Which of the following findings should be of GREATEST concern to an IS auditor reviewing
the effectiveness of an organization's problem management practices?
A. Problem records are prioritized based on the impact of incidents
B. Some incidents are closed without problem resolution.
C. Root causes are not adequately identified
D. Problems are frequently escalated to management for resolution
Answer: C
NO.846 When responding to an ongoing denial of service (DoS) attack, an organization's FIRST
course of action should be to:
A. investigate damage
B. restore service
C. minimize impact
D. analyze the attack path.
Answer: C

NO.847 An employee approaches an IS auditor and expresses concern about a critical security issue
in a newly installed application. Which of the following would be the MOST appropriate action for the
auditor to take?
A. Discuss the concern with additional end users.
B. Immediately conduct a review of the application.
C. Discuss the concern with audit management.
D. Recommend reverting to the previous application.
Answer: C

NO.848 Which of the following presents the GREATEST concern when implementing data flow
across borders?
A. Equipment incompatibilities
B. National privacy laws
C. Political unrest
D. Software piracy laws
Answer: B

NO.849 Which of the following is the BEST method to maintain an audit trail of changes made to the
source code of a program?
A. Standardize file naming conventions.
B. Embed details within source code.
C. Document details on a change register.
D. Utilize automated version control.
Answer: D

NO.850 Which of the following should be the FIRST step to help ensure the necessary
regulatory requirements are addressed in an organization's cross-border data protection policy?
A. Perform a business impact analysis (BIA).
B. Conduct stakeholder interviews.
C. Perform a gap analysis.
D. Conduct a risk assessment.
Answer: C

NO.851 in a small IT web development company where developers must have write access to

162
IT Certification Guaranteed, The Easy Way!

production the BEST recommendation of an IS auditor would be to


A. hire another person to perform migration to production
B. remove production access from the developers
C. perform a user access review (or the development team
D. implement continuous monitoring controls
Answer: B

NO.852 Which of the following is the BEST use of a maturity model in a small organization?
A. To identify required actions to close the gap between current and desired maturity levels
B. To assess the current maturity level and the level of compliance with key controls
C. To develop a roadmap for the organization to achieve the highest maturity level
D. To benchmark against peer organizations that have attained the highest maturity level
Answer: A

NO.853 Which of the following is MOST important to have in place to build consensus among key
stakeholders on the cost-effectiveness of IT?
A. A uniform IT chargeback process
B. Standardized enterprise architecture (EA)
C. IT project governance and management
D. IT performance monitoring and reporting
Answer: D

NO.854 Which of the following MOST effectively mitigates the risk of disclosure of sensitive data
stored on company-owned smartphones?
A. Secure containers
B. Data leakage prevention (DLP) tools
C. Mobile device management (MDM)
D. Physical device tagging
Answer: B

NO.855 When classifying information, it is MOST important to align the classification to:
A. security policy.
B. business risk.
C. industry standards.
D. data retention requirements.
Answer: B

NO.856 Which of the following is the BEST data integrity check?
A. Tracing data back to the point of origin
B. Preparing and running test data
C. Counting the transactions processed per day
D. Performing a sequence check
Answer: A
NO.857 During data migration, which of the following BEST prevents integrity issues when multiple
processes within the migration program are attempting to write to the same table in the databases?
A. Authentication controls
B. Concurrency controls
C. Normalization controls
D. Database limit controls
Answer: B

NO.858 Which of the following would BEST manage the risk of changes in requirements after the
analysis phase of a business application development project?
A. Ongoing participation by relevant stakeholders
B. Expected deliverables meeting project deadlines
C. Sign-off from the IT team
D. Quality assurance (QA) review
Answer: A

NO.859 Which of the following should MOST concern an IS auditor reviewing an intrusion detection
system (IDS)?
A. Number of false negatives
B. Legitimate traffic blocked by the system
C. Number of false positives
D. Reliability of IDS logs
Answer: A

NO.860 What would be of GREATEST concern to an IS auditor reviewing end-user computing (EUC)
spreadsheets used for financial reporting in which version control is not enforced?
A. Access requests are processed manually.
B. Spreadsheets are maintained in various locations.
C. Spreadsheet owners are only reviewed annually.
D. Spreadsheets are not password protected.
Answer: B

NO.861 A new regulation in one country of a global organization has recently prohibited cross-
border transfer of personal data. An IS auditor has been asked to determine the organization's level
of exposure in the affected country. Which of the following would be MOST helpful in making this
assessment?
A. Reviewing data classification procedures associated with the affected jurisdiction
B. Developing an inventory of all business entities that exchange personal data with the affected
jurisdiction
C. Identifying business processes associated with personal data exchange with the affected
jurisdiction
D. Identifying data security threats in the affected jurisdiction
Answer: C

NO.862 Which of the following is MOST likely to result from compliance testing?
A. Comparison of data with physical counts
B. Confirmation of data with outside sources
C. Identification of errors due to processing mistakes
D. Discovery of controls that have not been applied
Answer: D

NO.863 A vulnerability in which of the following virtual systems would be of GREATEST concern to
the IS auditor?
A. The virtual application server
B. The virtual machine management server
C. The virtual antivirus server
D. The virtual file server
Answer: B

NO.864 Which of the following evidence-gathering techniques will provide the GREATEST assurance
that procedures are understood and practiced?
A. Survey end users.
B. Review procedures for alignment to policies.
C. Interview process owners.
D. Observe processes.
Answer: D

NO.865 Which of the following is MOST helpful for an IS auditor to review when determining the
appropriateness of controls relevant to a specific audit area?
A. Control implementation methods
B. Control self-assessment (CSA)
C. Enterprise architecture (EA) design
D. Business impact analysis (BIA)
Answer: C

NO.866 An IS auditor's PRIMARY objective when examining problem reports should be to help
ensure:
A. problems are resolved in a cost-effective manner.
B. every problem is classified appropriately.
C. problems are only escalated to senior management when necessary.
D. every problem is assigned to an individual for resolving.
Answer: B

NO.867 Which of the following is MOST important when creating a forensic image of a hard drive?
A. Requiring an independent third-party be present while imaging
B. Choosing an industry-leading forensics software tool
C. Securing a backup copy of the hard drive
D. Generating a content hash of the hard drive
Answer: D
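The content hash in the answer above is what ties an image to its source: the digest is taken over the entire device, recorded, and recomputed on the image (and again whenever the image is used) so any alteration after acquisition is detectable. As an added example, not part of the exam material, the following hashes an image in fixed-size chunks, so a drive larger than memory can be verified, and records two digests the way many lab procedures require. The "drive" is a constructed in-memory byte string, not a real device.

```python
# Added example (not part of the exam dump): chunked hashing of a forensic
# image and verification of an acquired copy against the source. The drive
# contents below are constructed sample bytes, not a real device.
import hashlib
import io

def hash_stream(stream, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of everything readable from stream, read chunk by chunk."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def hash_bytes(data: bytes, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Same as hash_stream for an in-memory buffer (what a device read returns)."""
    return hash_stream(io.BytesIO(data), algorithm, chunk_size)

def acquisition_record(source_bytes: bytes, image_bytes: bytes) -> dict:
    """Digests of source and image under two algorithms, plus the verdict.

    Recording two algorithms means a collision in one does not silently
    pass verification; both must match for the image to be accepted.
    """
    record = {}
    for algo in ("sha256", "sha1"):
        src = hash_bytes(source_bytes, algo)
        img = hash_bytes(image_bytes, algo)
        record[algo] = {"source": src, "image": img, "match": src == img}
    record["verified"] = all(record[a]["match"] for a in ("sha256", "sha1"))
    return record

# Constructed sample: a 1 MiB pattern standing in for a drive, and a copy
# with one bit flipped to mimic an image altered after capture.
SAMPLE_DRIVE = bytes(range(256)) * 4096
_tampered = bytearray(SAMPLE_DRIVE)
_tampered[123456] ^= 0x01
TAMPERED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    print("faithful image verified:", acquisition_record(SAMPLE_DRIVE, SAMPLE_DRIVE)["verified"])
    print("tampered image verified:", acquisition_record(SAMPLE_DRIVE, TAMPERED_IMAGE)["verified"])
```

Chunk size does not affect the digest, only memory use; a single flipped bit anywhere in the image changes both digests and fails verification. On a real acquisition the source hash is taken through a write blocker before imaging and the image is rehashed after every copy or transfer, with each result entered in the chain-of-custody log.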

NO.868 The PRIMARY objective of value delivery in reference to IT governance is to:
A. optimize investments
B. ensure compliance,
C. promote best practices.
D. increase efficiency.
Answer: A

NO.869 An IS auditor is evaluating an organization's IT strategy and plans. Which of the following
would be of GREATEST concern?
A. The business strategy meeting minutes are not distributed.
B. There is not a defined IT security policy.
C. IT is not engaged in business strategic planning.
D. There is inadequate documentation of IT strategic planning
Answer: C

NO.870 Which of the following is the GREATEST concern associated with control self-
assessments (CSAs)?
A. Controls may not be assessed objectively.
B. The assessment may not provide sufficient assurance to stakeholders.
C. Employees may have insufficient awareness of controls.
D. Communication between operational management and senior management may not be effective.
Answer: A

NO.871 What is the BEST control to address SQL injection vulnerabilities?
A. Input validation
B. Unicode translation
C. Secure Sockets Layer (SSL) encryption
D. Digital signatures
Answer: A
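Transport encryption (option C) protects the query in transit but delivers the attacker's string to the database untouched; the control has to act on the input itself, either by validating it or by keeping it out of the SQL grammar with bound parameters. As an added example, not part of the exam material, the following shows the same login lookup written both ways against an in-memory SQLite database; the table, the rows and the attack strings are constructed for the demonstration.

```python
# Added example (not part of the exam dump): the same lookup written with
# string formatting (injectable) and with bound parameters, plus allow-list
# validation of the username. Runs offline against in-memory SQLite.
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "admin"),   # constructed sample rows
        ("bob", "hunter2", "user"),
    ])
    return conn

def login_vulnerable(conn, name: str, password: str) -> list:
    # Untrusted input is spliced into the statement text, so a quote in the
    # input changes the query's structure instead of being treated as data.
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_parameterized(conn, name: str, password: str) -> list:
    # Placeholders hand the values to the driver separately from the SQL
    # text; the database engine never parses them as SQL.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def valid_username(name: str) -> bool:
    # Allow-list validation: reject anything outside the expected character
    # set before it reaches any query at all.
    return USERNAME_RE.fullmatch(name) is not None

def login_hardened(conn, name: str, password: str) -> list:
    """Validate first, then query with bound parameters (defence in depth)."""
    if not valid_username(name):
        return []
    return login_parameterized(conn, name, password)

# Constructed attack strings: the first turns the WHERE clause into a
# tautology, the second comments out the password check entirely.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology  :", login_vulnerable(db, "nobody", TAUTOLOGY))
    print("vulnerable, comment-out:", login_vulnerable(db, COMMENT_OUT, "wrong"))
    print("parameterized          :", login_parameterized(db, "nobody", TAUTOLOGY))
    print("hardened               :", login_hardened(db, COMMENT_OUT, "wrong"))
```

With the tautology payload the vulnerable query returns every row, and with the comment payload it returns the admin row without a password; the parameterized query returns nothing for either, because the quote characters are compared as data. Validation alone is not a substitute for parameters (a numeric field with no quotes can still be injected through), which is why the hardened function does both.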

NO.872 When auditing the alignment of IT to the business strategy, it is MOST important for the IS
auditor to:
A. evaluate deliverables of new IT initiatives against planned business services.
B. ensure an IT steering committee is appointed to monitor new IT projects.
C. interview senior managers for their opinion of the IT function.
D. compare the organization's strategic plan against industry best practice.
Answer: A
NO.873 During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has
not been performed. The auditor should FIRST:
A. evaluate the impact on current disaster recovery capability.
B. issue an intermediate report to management
C. conduct additional compliance testing
D. perform business impact analysis
Answer: A

NO.874 An IS auditor is reviewing documentation of application systems change control and
identifies several patches that were not tested before being put into production. Which of the
following is the MOST significant risk from this situation?
A. Lack of system integrity
B. Outdated system documentation
C. Loss of application support
D. Developer access to production
Answer: A

NO.875 An IS auditor is reviewing security policies and finds no mention of the return of corporate-
owned smartphones upon termination of employment. The GREATEST risk arising from this situation
is that unreturned devices:
A. cause the asset inventory to be inaccurate.
B. have access to corporate resources
C. result in loss of customer contact details
D. generate excessive telecommunication costs.
Answer: B

NO.876 Which of the following is the PRIMARY purpose of conducting an IS audit follow-up?
A. To align IS audit activities with business objectives
B. To help management prioritize related risk mitigation activities
C. To determine the effectiveness of management's responses to risk
D. To obtain agreement with management on action plan status
Answer: C

NO.877 Which of the following must be in place before an IS auditor initiates audit follow-up
activities?
A. A heat map with the gaps and recommendations displayed in terms of risk
B. Available resources for the activities included in the action plan
C. Supporting evidence for the gaps and recommendations mentioned in the audit report
D. A management response in the final report with a committed implementation date
Answer: D

NO.878 After an external IS audit, which of the following should be IT management's MAIN
consideration when determining the prioritization of follow-up activities?
A. The availability of the external auditors
B. The scheduling of major changes in the control environment
C. The materiality of the reported findings
D. The amount of time since the initial audit was completed
Answer: C

NO.879 The results of an IS audit indicating the need to strengthen controls have been communicated
to the appropriate stakeholders. Which of the following is the BEST way for management to enforce
implementation of the recommendations?
A. Request auditors to design a roadmap for closure.
B. Have stakeholders develop a business case for control changes.
C. Assign ownership to each remediation activity.
D. Copy senior management on communications related to the audit
Answer: C

NO.880 During which IT project phase is it MOST appropriate to conduct a benefits realization
analysis?
A. User acceptance testing (UAT) phase
B. Design review phase
C. Post-implementation review phase
D. Final implementation phase
Answer: B

NO.881 Which of the following BEST enables an IS auditor to review system logs for unusual
activity by users?
A. Integrated test facility (ITF)
B. Data analytics
C. Audit hooks
D. Snapshots
Answer: C

NO.882 An IS auditor is assigned to review the development of a specific application. Which of the
following would be the MOST significant step following the feasibility study?
A. Attend project progress meetings to monitor timely implementation of the application.
B. Assist users in the design of proper acceptance-testing procedures.
C. Follow up with project sponsor for project's budgets and actual costs.
D. Review functional design to determine that appropriate controls are planned.
Answer: D

NO.883 A bank has implemented a new accounting system. Which of the following is the BEST time
for an IS auditor to perform a post-implementation review?
A. After user acceptance testing (UAT) is completed
B. One full year after go-live
C. As close to go-live as possible
D. After the first reporting cycle
Answer: C

NO.884 Which of the following features of a library control software package would protect against
unauthorized updating of source code?
A. Access controls for source libraries
B. Required approvals at each life cycle step
C. Date and time stamping of source and object code
D. Release-to-release comparison of source code
Answer: B

NO.885 A help desk has been contacted regarding a lost business mobile device. The FIRST course
of action should be to:
A. attempt to locate the device remotely.
B. verify the user's identity through a challenge response system
C. consult the legal team regarding the impact of intellectual property loss
D. involve the security response team to launch an investigation
Answer: A

NO.886 The PRIMARY reason to follow up on prior-year audit reports is to determine if
A. prior-year recommendations have become irrelevant
B. significant changes to the control environment have occurred
C. identified control weaknesses have been addressed
D. inherent risks have changed
Answer: C

NO.887 Which of the following is the PRIMARY objective of baselining the IT control environment?
A. Align IT strategy with business strategy.
B. Detect control deviations.
C. Define process and control ownership.
D. Ensure IT security strategy and policies are effective.
Answer: B

NO.888 What is the purpose of a hypervisor?
A. Monitoring the performance of virtual machines
B. Cloning virtual machines
C. Deploying settings to multiple machines simultaneously
D. Running the virtual machine environment
Answer: D

NO.889 An organization plans to implement a virtualization strategy enabling multiple operating
systems on a single host. Which of the following should be the GREATEST concern with this strategy?
A. Licensing costs of the host
B. Adequate storage space
C. Application performance
D. Network bandwidth
Answer: A

NO.890 Which of the following is the GREATEST risk associated with data conversion and migration
during implementation of a new application?
A. Lack of data transformation rules
B. Inadequate audit trails and logging
C. Absence of segregation of duties
D. Obsolescence and data backup compatibility
Answer: D

NO.891 Which of the following is MOST important to verify when implementing an organization's
information security program?
A. The security program has been benchmarked to industry standards.
B. The security program is adequately funded in the budget.
C. The organization's security strategy is documented and approved.
D. The IT department has developed and implemented training programs.
Answer: C

NO.892 During a project meeting for the implementation of an enterprise resource planning (ERP), a
new requirement is requested by the finance department. Which of the following would BEST
indicate to an IS auditor that the resulting risk to the project has been assessed?
A. The project status as reported in the meeting minutes
B. The approval of the change by the finance department
C. The analysis of the cost and time impact of the requirement
D. The updated business requirements
Answer: C

NO.893 Which of the following is MOST important for an IS auditor to verify when evaluating an
organization's firewall?
A. Logs are being collected in a separate protected host.
B. Access to configuration files is restricted.
C. Insider attacks are being controlled.
D. Automated alerts are being sent when a risk is detected.
Answer: A

NO.894 Which of the following would BEST indicate the effectiveness of a security awareness
training program?
A. Increased number of employees completing training
B. Reduced unintentional violations
C. Results of third-party social engineering tests
D. Employee satisfaction with training
Answer: B

NO.895 Of the following, who are the MOST appropriate staff for ensuring the alignment of user
authorization tables with approved authorization forms?
A. IT managers
B. Database administrators (DBAs)
C. System owners
D. Security administrators
Answer: D

NO.896 During a review, an IS auditor discovers that corporate users are able to access cloud-based
applications and data from any Internet-connected web browser. Which of the following is the
auditor's BEST recommendation to help prevent unauthorized access?
A. Update security policies and procedures.
B. Implement multi-factor authentication.
C. Utilize strong anti-malware controls on all computing devices.
D. Implement an intrusion detection system (IDS).
Answer: B

NO.897 A data center's physical access log system captures each visitor's identification document
numbers along with the visitor's photo. Which of the following sampling methods would be MOST
useful to an IS auditor conducting compliance testing for the effectiveness of the system?
A. Haphazard sampling
B. Attribute sampling
C. Variable sampling
D. Quota sampling
Answer: B

NO.898 Which of the following would BEST provide executive management with current information
on IT related costs and IT performance indicators?
A. Risk register
B. IT service management plan
C. Continuous audit reports
D. IT dashboard
Answer: D

NO.899 Which of the following types of firewalls provide the GREATEST degree of control against
hacker intrusion?
A. Screening router
B. Circuit gateway
C. Application level gateway
D. Packet filtering router
Answer: C

NO.900 A new privacy regulation requires a customer's privacy information to be deleted within 72
hours, if requested. Which of the following would be an IS auditor's GREATEST concern regarding
compliance to this regulation?
A. Outdated online privacy policies
B. Incomplete backup and retention policies
C. End user access to applications with customer information
D. Lack of knowledge of where customers' information is saved
Answer: D

NO.901 In a virtualized environment, which of the following techniques effectively mitigates the risk
of network attacks?
A. Encryption
B. Containerization
C. Configuration assessment
D. Segmentation
Answer: D

NO.902 An organization is deciding whether to outsource its customer relationship management
systems to a provider located in another country. Which of the following should be the PRIMARY
influence in the outsourcing decision?
A. Time zone differences
B. The service provider's disaster recovery plan
C. Cross-border privacy laws
D. Current geopolitical conditions
Answer: C

NO.903 Which of the following recommendations by an IS auditor is the BEST control to protect an
organization's corporate network from the guest wireless network?
A. Authenticate devices connecting to the guest network
B. Ensure the guest access point is running the latest software
C. Hide the service set identifier (SSID) of the guest network
D. Place the guest network in its own virtual local area network (VLAN)
Answer: D

NO.904 An organization has outsourced its data leakage monitoring to an Internet service provider
(ISP). Which of the following is the BEST way for an IS auditor to determine the effectiveness of this
service?
A. Review the data leakage clause in the SLA.
B. Verify the ISP has staff to deal with data leakage.
C. Simulate a data leakage incident.
D. Review the ISP's external audit report
Answer: C

NO.905 Which of the following metrics would be MOST useful to an IS auditor when assessing the
resilience of an application programming interface (API)?
A. Number of patches released within a time interval for the API
B. Number of API calls expected versus actually received within a time interval
C. Number of defects logged during development compared to other APIs
D. Number of developers adopting the API for their applications
Answer: B

NO.906 When engaging services from external auditors, which of the following should be
established FIRST?
A. Termination conditions agreements
B. Nondisclosure agreements
C. Service level agreements
D. Operational level agreements
Answer: B

NO.907 Audit management has just completed the annual audit plan for the upcoming year, which
consists entirely of high-risk processes. However, it is determined that there are insufficient resources
to execute the plan. What should be done NEXT?
A. Remove audits from the annual plan to better match the number of resources available.
B. Review the audit plan and defer some audits to the subsequent year
C. Present the annual plan to the audit committee and ask for more resources
D. Reduce the scope of the audit to better match the number of resources available
Answer: C

NO.908 An IS auditor notes that application super-user activity was not recorded in system logs.
What is the auditor's BEST course of action?
A. Investigate the reason for the lack of logging
B. Recommend a least privilege access model
C. Recommend activation of super user activity logging
D. Report the issue to the audit manager
Answer: C

NO.909 An IS auditor attempts to sample for variables in a population of items with wide differences
in values but determines that an unreasonably large number of sample items must be selected to
produce the desired confidence level. In this situation, which of the following is the BEST audit
decision?
A. Allow more time and test the required sample
B. Select a judgmental sample
C. Select a stratified sample
D. Lower the desired confidence level
Answer: C

NO.910 An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an
email message between the parties. Which of the following audit responses is correct in this
situation?
A. No audit finding is recorded as it is normal to distribute a key of this nature in this manner
B. An audit finding is recorded as the key should be asymmetric and therefore changed
C. No audit finding is recorded as the key can only be used once
D. An audit finding is recorded as the key should be distributed in a secure manner
Answer: D

NO.911 Which of the following would be the MOST effective method to identify high risk areas in
the business to be included in the audit plan?
A. Review external audit reports of the business.
B. Review industry reports to identify common risk areas
C. Validate current risk from poor internal audit findings.
D. Engage with management to understand the business.
Answer: D

NO.912 When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT
processing capabilities, it is MOST important for the IS auditor to verify the plan is:
A. communicated to department heads.
B. regularly reviewed.
C. stored at an offsite location.
D. periodically tested.
Answer: D

NO.913 Which of the following should be the PRIMARY concern of an IS auditor during a review of
an external IT service level agreement (SLA) for computer operations?
A. Changes in services are not tracked
B. Vendor has exclusive control of IT resources
C. Lack of software escrow provisions
D. No employee succession plan
Answer: A

NO.914 Which of the following findings should be of MOST concern to an IS auditor reviewing an
organization's business continuity plan (BCP)?
A. No tabletop exercises have been conducted for the plan.
B. The plan has not been signed by executive management.
C. End users have not been trained on the latest version of the plan.
D. The plan has not been updated in several years.
Answer: B

NO.915 An effective implementation of security roles and responsibilities is BEST evidenced across
an enterprise when:
A. reviews and updates of policies are regularly performed
B. policies are signed off by users.
C. operational activities are aligned with policies.
D. policies are rolled out and disseminated
Answer: C

NO.916 In an environment where most IT services have been outsourced, continuity planning is
BEST controlled by:
A. IT management.
B. continuity planning specialists.
C. business management.
D. outsourced service provider management
Answer: B

NO.917 Post-implementation testing is an example of which of the following control types?
A. Directive
B. Deterrent
C. Preventive
D. Detective
Answer: D

NO.918 Which of the following is the BEST indicator for measuring performance of the IT help desk
function?
A. Number of reopened tickets
B. Percentage of problems raised from incidents
C. Number of incidents reported
D. Mean time to categorize tickets
Answer: A

NO.919 An IS auditor noted that a change to a critical calculation was placed into the production
environment without being tested. Which of the following is the BEST way to obtain assurance that
the calculation functions correctly?
A. Check regular execution of the calculation batch job.
B. Obtain post-change approval from management.
C. Perform substantive testing using computer-assisted audit techniques (CAATs).
D. Interview the lead system developer.
Answer: A

NO.920 Which of the following would be MOST important to update once a decision has been made
to outsource a critical application to a cloud service provider?

A. IT budget
B. Business impact analysis (BIA)
C. IT resource plan
D. Project portfolio
Answer: B

NO.921 An organization transmits large amounts of data from one internal system to another. The IS
auditor is reviewing the quality of the data at the originating point. Which of the following should the
auditor verify FIRST?
A. The data has been encrypted
B. The data extraction process is completed
C. The data transformation is accurate
D. The source data is accurate
Answer: D

NO.922 Which of the following is the PRIMARY protocol for protecting outbound content from
tampering and eavesdropping?
A. Transport Layer Security (TLS)
B. Secure Shell (SSH)
C. Point-to-Point Protocol (PPP)
D. Internet Key Exchange (IKE)
Answer: A

NO.923 Which of the following is the PRIMARY role of key performance indicators (KPIs) in
supporting business process effectiveness?
A. To evaluate the cost-benefit of tools implemented to monitor control performance
B. To analyze workflows in order to optimize business processes and eliminate tasks that do not
provide value
C. To enable conclusions about the performance of the processes and target variances for follow-up
analysis
D. To assess the functionality of a software deliverable based on business processes
Answer: C

NO.924 Which of the following would be MOST helpful in ensuring security procedures are followed
by employees in a multinational organization?
A. Comprehensive end-user training
B. Security architecture review
C. Regular clean desk reviews
D. Regular policy updates by management
Answer: A

NO.925 An internal audit department recently established a quality assurance (QA) program.
Which of the following activities is MOST important to include as part of the QA program
requirements?
A. Periodic external assessments of the program
B. Analysis of user satisfaction reports from business lines
C. Long-term internal audit resource planning for the program
D. Feedback from internal audit staff
Answer: A

NO.926 External experts were used on a recent IT audit engagement. While assessing the external
experts' work, the internal audit team found some gaps in the evidence that may have impacted their
conclusions. What is the internal audit team's BEST course of action?
A. Engage another expert to conduct the same testing
B. Escalate to senior management
C. Recommend the external experts conduct additional testing
D. Report a scope limitation in their conclusions
Answer: C

NO.927 During a systems development project, participation in which of the following activities
would compromise the IS auditor's independence?
A. Participating in weekly project management team presentations
B. Making design decisions related to automated controls
C. Recommending which reports are required to be converted
D. Reviewing process for each program specification
Answer: B

NO.928 A manager identifies active privileged accounts belonging to staff who have left the
organization. Which of the following is the threat actor in this scenario?
A. Hacktivists
B. Terminated staff
C. Deleted log data
D. Unauthorized access
Answer: B

NO.929 What is the PRIMARY purpose of performing a parallel run of a new system?
A. To provide a failover plan in case of system issues.
B. To validate the operation of the new system against its predecessor.
C. To verify the new system can process the production load
D. To verify the new system provides required business functionality
Answer: D

NO.930 An IS auditor finds that corporate mobile devices used by employees have varying levels of
password settings. Which of the following would be the BEST recommendation?
A. Update the acceptable use policy for mobile devices.
B. Encrypt data between corporate gateway and devices.
C. Notify employees to set passwords to a specified length
D. Apply security policy to the mobile devices.
Answer: D

NO.931 An IS auditor is observing transaction processing and notes that a high-priority update job
ran out of sequence. What is the MOST significant risk from this observation?
A. Previous jobs may have failed
B. The job may not have run to completion
C. Daily schedules lack change control
D. The job completes with invalid data
Answer: C

NO.932 Which of the following should an IS auditor review FIRST when planning a customer data
privacy audit?
A. Legal and compliance requirements
B. Customer agreements
C. Organizational policies and procedures
D. Data classification
Answer: C

NO.933 An IS auditor is conducting a post-implementation review of an enterprise resource planning
(ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made
by the system. The auditor's FIRST course of action should be to:
A. review recent changes to the system
B. verify completeness of user acceptance testing
C. verify results to determine validity of user concerns
D. review initial business requirements
Answer: D

NO.934 During the post-implementation review of an application that was implemented six months
ago, which of the following would be MOST helpful in determining whether the application meets
business requirements?
A. Project closure report and lessons-learned documents from the project management office (PMO)
B. User acceptance testing (UAT) results and sign-off from users on meeting business requirements
C. Comparison between expected benefits from the business case and actual benefits after
implementation
D. Difference between approved budget and actual project expenditures determined post
implementation
Answer: C

NO.935 IT disaster recovery time objectives (RTOs) should be based on the:
A. maximum tolerable loss of data.
B. business-defined criticality of the systems.
C. maximum tolerable downtime (MTD).
D. nature of the outage.
Answer: B

NO.936 Which of the following procedures for testing a disaster recovery plan (DRP) is MOST
effective?
A. Reviewing documented backup and recovery procedures
B. Performing an unannounced shutdown of the computing facility after hours
C. Testing at a secondary site using offsite data backups
D. Performing a quarterly tabletop exercise
Answer: C

NO.937 During a review of the IT strategic plan, an IS auditor finds several IT initiatives focused on
delivering new systems and technology are not aligned with the organization's strategy. Which of the
following would be the IS auditor's BEST recommendation?
A. Modify IT initiatives that do not map to business strategies.
B. Reassess IT initiatives that do not map to business strategies.
C. Utilize a balanced scorecard to align IT initiatives to business strategies.
D. Reassess the return on investment (ROI) for the IT initiatives.
Answer: C

NO.938 An IS auditor is reviewing the key payroll interface that collects wage rates from various
business applications to process payroll. Which of the following is MOST likely to cause errors in
payroll processing?
A. User acceptance testing (UAT) has not been properly documented for all changes.
B. Data conversion procedures did not include all business applications and interfaces.
C. The payroll processing application does not follow a regularly scheduled patching cycle.
D. Changes to the interface configuration settings were not adequately tested and approved.
Answer: D

NO.939 Which of the following should be of GREATEST concern to an IS auditor reviewing a system
software development project based on agile practices?
A. Lack of user acceptance testing (UAT) sign off.
B. Lack of change management documentation
C. Lack of secure coding practices
D. Lack of weekly production releases
Answer: C

NO.940 An organization offers an online information security awareness program to employees on
an annual basis. Which of the following from an audit of the program should be the auditor's
GREATEST concern?
A. New employees are given three months to complete the training
B. Employees have complained about the length of the program
C. The post-training test content is two years old.
D. Training completion is not mandatory for staff.
Answer: D

NO.941 Which of the following is the MOST likely cause of a successful firewall penetration?
A. Use of a Trojan to bypass the firewall
B. Loophole in firewall vendor's code
C. Virus infection
D. Firewall misconfiguration by the administrator
Answer: D

NO.942 The GREATEST benefit of using a prototyping approach in software development is that it
helps to:
A. minimize scope changes to the system
B. conceptualize and clarify requirements
C. decrease the time allocated for user testing and review
D. improve efficiency of quality assurance (QA) testing.
Answer: B

NO.943 Which of the following sampling techniques is BEST to use when verifying the operating
effectiveness of internal controls during an audit of transactions?
A. Attribute sampling
B. Statistical sampling
C. Judgmental sampling
D. Stop-or-go sampling
Answer: B

NO.944 A checksum is classified as which type of control?
A. Detective control
B. Administrative control
C. Corrective control
D. Preventive control
Answer: D

NO.945 When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:
A. evaluate the organization's EUC policy
B. evaluate EUC threats and vulnerabilities
C. obtain an inventory of EUC applications
D. determine EUC materiality and complexity thresholds
Answer: D

NO.946 In assessing the priority given to systems covered in an organization's business continuity
plan (BCP), an IS auditor should FIRST:
A. Review the backup and restore process
B. Verify the criteria for disaster recovery site selection
C. Validate the recovery time objectives and recovery point objectives
D. Review results of previous business continuity plan (BCP) tests
Answer: C

NO.947 The FIRST course of action an investigator should take when a computer is being attacked is
to:
A. copy the contents of the hard drive.
B. disconnect it from the network.
C. terminate all active processes
D. disconnect the power source.
Answer: C

NO.948 An organization is disposing of a system containing sensitive data and has deleted all files
from the hard disk. An IS auditor should be concerned because:
A. backup copies of files were not deleted as well.
B. deleting all files separately is not as efficient as formatting the hard disk.
C. deleting the files logically does not overwrite the files' physical data.
D. deleted data cannot easily be retrieved.
Answer: C

NO.949 Which of the following should be of MOST concern to an IS auditor during the review of a
quality management system?
A. The quality management system includes training records for IT personnel.
B. Indicators are not fully represented in the quality management system.
C. There are no records to document actions for minor business processes.
D. Important quality checklists are maintained outside the quality management system.
Answer: B

NO.950 Which of the following findings should be of GREATEST concern to an IS auditor reviewing
system deployment tools for a critical enterprise application system?
A. Change requests do not contain backout plans.
B. There are no documented instructions for using the tool.
C. Access to the tool is not approved by senior management.
D. Access to the tool is not restricted.
Answer: A

NO.951 Which of the following would be MOST time and cost efficient when performing a control
self-assessment (CSA) for an organization with a large number of widely dispersed employees?
A. Facilitated workshops
B. Survey questionnaire
C. Face-to-face interviews
D. Top-down and bottom-up analysis
Answer: B

NO.952 In a typical system development life cycle (SDLC), which group is PRIMARILY responsible
for confirming compliance with requirements?
A. Internal audit
B. Risk management
C. Quality assurance (QA)
D. Steering committee
Answer: D
