Crack CISA Exams with Real Practice Tests, Certified Information Systems Auditor | SPOTO

Crack CISA Exams with Real Practice Tests from SPOTO Club! Becoming a Certified Information Systems Auditor requires rigorous preparation. SPOTO's exam materials include hundreds of realistic exam questions and answers, as well as full-length mock exams to simulate the real test experience. Practice with SPOTO's online exam questions and sample questions to identify your weak areas and focus your studies. Their detailed explanations for each exam answer will deepen your understanding. SPOTO's exam simulator recreates the actual exam environment, helping you build confidence and manage your time effectively. Don't waste time with outdated exam dumps - SPOTO's practice tests contain the latest exam questions updated regularly by subject matter experts. Start your free test today and experience why SPOTO is the go-to exam preparation resource for aspiring CISAs worldwide!

Question #1
When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration
Correct Answer: C
Question #2
To address an organization's disaster recovery requirements, backup intervals should not exceed the:
A. service level objective (SLO)
B. recovery time objective (RTO)
C. recovery point objective (RPO)
D. maximum acceptable outage (MAO)
Correct Answer: C
Question #3
When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?
A. Observing daily operations for the area in scope
B. Evaluating the department structure via the organizational chart
C. Reviewing departmental procedure handbooks
D. Interviewing managers and end users
Correct Answer: A
Question #4
An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message between the parties. Which of the following audit responses is correct in this situation?
A. An audit finding is recorded, as the key should be asymmetric and therefore changed
B. No audit finding is recorded, as it is normal to distribute a key of this nature in this manner
C. No audit finding is recorded, as the key can only be used once
D. An audit finding is recorded as the key should be distributed in a secure manner
Correct Answer: B
Question #5
Which of the following is the BEST approach to make strategic information security decisions?
A. Establish regular information security status reporting
B. Establish business unit security working groups
C. Establish periodic senior management meetings
D. Establish an information security steering committee
Correct Answer: A
Question #6
In biometric authentication, physical characteristics typically include (Choose five.):
A. fingerprints
B. eye retinas
C. irises
D. facial patterns
E.
F. None of the choices
Correct Answer: ABCD
Question #7
An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
A. Review and evaluate the business continuity plan for adequacy
B. Perform a full simulation of the business continuity plan
C. Train and educate employees regarding the business continuity plan
D. Notify critical contacts in the business continuity plan
Correct Answer: A
Question #8
An IS auditor noted that an organization had adequate business continuity plans (BCPs) for each individual process, but no comprehensive BCP. Which would be the BEST course of action for the IS auditor?
A. Recommend that an additional comprehensive BCP be developed
B. Determine whether the BCPs are consistent
C. Accept the BCPs as written
D. Recommend the creation of a single BCP
Correct Answer: B
Question #9
Which of the following should an IS auditor verify when auditing the effectiveness of virus protection?
A. Frequency of IDS log reviews
B. Currency of software patch application
C. Schedule for migration to production
D. Frequency of external Internet access
Correct Answer: C
Question #10
An organization has established three IS processing environments: development, test, and production. The MAJOR reason for separating the development and test environments is to:
A. obtain segregation of duties between IS staff and end users
B. limit the user’s access rights to the test environment
C. perform testing in a stable environment
D. protect the programs under development from unauthorized testing
Correct Answer: C
Question #11
During audit follow-up, an IS auditor finds that a control has been implemented differently than recommended. The auditor should:
A. verify whether the control objectives are adequately addressed
B. compare the control to the action plan
C. report as a repeat finding
D. inform management about incorrect implementation
Correct Answer: B
Question #12
An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities. Which of the following is the BEST recommendation by the IS auditor?
A. Improve the change management process
B. Perform a configuration review
C. Establish security metrics
D. Perform a penetration test
Correct Answer: C
Question #13
Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization’s incident response process?
A. Past incident response actions
B. Incident response staff experience and qualifications
Correct Answer: A
Question #14
An IS auditor is asked to identify risk within an organization’s software development project. The project manager tells the auditor that an agile development methodology is being used to minimize the lengthy development process. Which of the following would be of GREATEST concern to the auditor?
A. Each team does its own testing
B. The needed work has not yet been fully identified
C. Some of the developers have not attended recent training
D. Elements of the project have not been documented
Correct Answer: B
Question #15
A certificate authority (CA) can delegate the processes of:
A. revocation and suspension of a subscriber's certificate
B. generation and distribution of the CA public key
C. establishing a link between the requesting entity and its public key
D. issuing and distributing subscriber certificates
Correct Answer: C
Question #16
Which of the following is the MOST important factor when an organization is developing information security policies and procedures?
A. Cross-references between policies and procedures
B. Inclusion of mission and objectives
C.
D. Consultation with management
Correct Answer: A
Question #17
Which of the following groups is MOST likely responsible for the implementation of IT projects?
A. IT steering committee
B. IT compliance committee
C. IT strategy committee
D. IT governance committee
Correct Answer: C
Question #18
A legacy application is running on an operating system that is no longer supported by the vendor. If the organization continues to use the current application, which of the following should be the IS auditor’s GREATEST concern?
A. Potential exploitation of zero-day vulnerabilities in the system
B. Inability to update the legacy application database
C. Increased cost of maintaining the system
D. Inability to use the operating system due to potential license issues
Correct Answer: A
Question #19
Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating end-user networking?
A. System-to-system
B. Peer-to-peer
C. Host-to-host
D. Client-to-server
Correct Answer: C
Question #20
After a full operational contingency test, an IS auditor performs a review of the recovery steps. The auditor concludes that the time it took for the technological environment and systems to return to full functioning exceeded the required critical recovery time. Which of the following should the auditor recommend?
A. Perform an integral review of the recovery tasks
B. Broaden the processing capacity to gain recovery time
C. Make improvements in the facility's circulation structure
D. Increase the amount of human resources involved in the recovery
Correct Answer: A
Question #21
To restore service at a large processing facility after a disaster, which of the following tasks should be performed FIRST?
A. Launch the emergency action team
B. Inform insurance company agents
C. Contact equipment vendors
D. Activate the reciprocal agreement
Correct Answer: A
Question #22
Sophisticated database systems provide many layers and types of security, including (Choose three.):
A. Access control
B. Auditing
C. Encryption
D. Integrity controls
E. Compression controls
Correct Answer: ABCD
Question #23
The GREATEST risk posed by an improperly implemented intrusion prevention system (IPS) is:
A. that there will be too many alerts for system administrators to verify
B. decreased network performance due to IPS traffic
C. the blocking of critical systems or services due to false triggers
D. reliance on specialized expertise within the IT organization
Correct Answer: C
Question #24
Which type of risk would MOST influence the selection of a sampling methodology?
A. Control
B. Inherent
C. Residual
D. Detection
Correct Answer: A
Question #25
In determining the acceptable time period for the resumption of critical business processes:
A. only downtime costs need to be considered
B. recovery operations should be analyzed
C. both downtime costs and recovery costs need to be evaluated
D. indirect downtime costs should be ignored
Correct Answer: C
Question #26
While reviewing the business continuity plan of an organization, an IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response
Correct Answer: B
Question #27
The scheduling of audit follow-ups should be based PRIMARILY on:
A. costs and audit efforts involved
B. auditee and auditor time commitments
C. the risk and exposure involved
D. control and detection processes
Correct Answer: D
Question #28
Which of the following is a reason for implementing a decentralized IT governance model?
A. Standardized controls and economies of scale
B. IT synergy among business units
C. Greater consistency among business units
D. Greater responsiveness to business needs
Correct Answer: D
Question #29
An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?
A. Discovery sampling
B.
C. Stratified sampling
D. Judgmental sampling
Correct Answer: D
Question #30
Which of the following is the MOST reliable way for an IS auditor to evaluate the operational effectiveness of an organization’s data loss prevention (DLP) controls?
A. Verify that confidential files cannot be transmitted to a personal USB device
B. Conduct interviews to identify possible data protection vulnerabilities
C. Review data classification levels based on industry best practice
D. Verify that current DLP software is installed on all computer systems
Correct Answer: C
Question #31
A company uses a standard form to document and approve all changes in production programs. To ensure that the forms are properly authorized, which of the following is the MOST effective sampling method?
A. Attribute
B. Variable
C. Discovery
D. Monetary
Correct Answer: C
Question #32
Which of the following would provide the MOST reliable evidence to indicate whether employee access has been deactivated in a timely manner following termination?
A. Comparing termination forms with dates in the HR system
B. Reviewing hardware return-of-asset forms
C. Interviewing supervisors to verify employee data is being updated immediately
D. Comparing termination forms with system transaction log entries
Correct Answer: B
Question #33
During an audit of a business continuity plan (BCP), an IS auditor found that, although all departments were housed in the same building, each department had a separate BCP. The IS auditor recommended that the BCPs be reconciled. Which of the following areas should be reconciled FIRST?
A. Evacuation plan
B. Recovery priorities
C. Backup storages
D. Call tree
Correct Answer: A
Question #34
An audit team has a completed schedule approved by the audit committee. After starting some of the scheduled audits, executive management asked the team to immediately audit an additional process. There are not enough resources available to add the additional audit to the schedule. Which of the following is the BEST course of action?
A. Revise the scope of scheduled audits
B. Propose a revised audit schedule
C. Approve overtime work to ensure the audit is completed
D. Consider scheduling the audit for the next period
Correct Answer: D
Question #35
As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A. Organizational risks, such as single point-of-failure and infrastructure risk
B. Threats to critical business processes
C. Critical business processes for ascertaining the priority for recovery
D. Resources required for resumption of business
Correct Answer: C
Question #36
Which of the following is MOST important for an IS auditor to ensure is included in a global organization’s online data privacy notification to customers?
A. Consequences to the organization for mishandling the data
B. Consent terms including the purpose of data collection
C. Contact information for reporting violations of consent
D. Industry standards for data breach notification
Correct Answer: C
Question #37
Which of the following can provide assurance that an IT project has delivered its planned benefits?
A. User acceptance testing (UAT)
B. Steering committee approval
C. Post-implementation review
D. Quality assurance evaluation
Correct Answer: C
Question #38
Cisco IOS-based routers perform basic traffic filtering via which of the following mechanisms?
A. datagram scanning
B. access lists
C. stateful inspection
D. state checking
E. link progressing
F. None of the choices
Correct Answer: B
Question #39
When protecting the confidentiality of information assets, the MOST effective control practice is the:
A. awareness training of personnel on regulatory requirements
B. enforcement of a need-to-know access control philosophy
C. utilization of a dual-factor authentication mechanism
D. configuration of read-only access to all users
Correct Answer: C
Question #40
Which of the following is a PRIMARY responsibility of an information security governance committee?
A. Approving the purchase of information security technologies
B. Approving the information security awareness training strategy
C. Reviewing the information security strategy
D. Analyzing information security policy compliance reviews
Correct Answer: D
Question #41
An IS auditor is reviewing IT policies and found that most policies have not been reviewed in over 3 years. The MOST significant risk is that the policies do not reflect:
A. current legal requirements
B. the vision of the CEO
C. the mission of the organization
D. current industry best practices
Correct Answer: A
Question #42
Which of the following findings would be of GREATEST concern to an IS auditor reviewing an organization’s newly implemented online security awareness program?
A. Only new employees are required to attend the program
B. The timing for program updates has not been determined
C. Metrics have not been established to assess training results
D. Employees do not receive immediate notification of results
Correct Answer: C
Question #43
The BEST way to validate whether a malicious act has actually occurred in an application is to review:
A. segregation of duties
B. access controls
C. activity logs
D. change management logs
Correct Answer: A
Question #44
An IS auditor is evaluating the security of an organization’s data backup process, which includes the transmission of daily incremental backups to a dedicated offsite server. Which of the following findings poses the GREATEST risk to the organization?
A. Backup transmissions are not encrypted
B. Backup transmissions occasionally fail
C. Data recovery testing is conducted once per year
D. The archived data log is incomplete
Correct Answer: B
Question #45
Which of the following security controls is intended to bring the environment back to regular operation?
A. Deterrent
B. Preventive
C. Corrective
D. Recovery
Correct Answer: C
Question #46
When assessing a business case as part of a post-implementation review, the IS auditor must ensure that the:
A. feasibility of alternative project approaches has been assessed
B. business case has not been amended since project approval
C. quality assurance measures have been applied throughout the project
D. amendments to the business case have been approved
Correct Answer: D
Question #47
The PRIMARY purpose of a business impact analysis (BIA) is to:
A. provide a plan for resuming operations after a disaster
B. identify the events that could impact the continuity of an organization's operations
C. publicize the commitment of the organization to physical and logical security
D. provide the framework for an effective disaster recovery plan
Correct Answer: B
Question #48
An IS auditor finds the log management system is overwhelmed with false positive alerts. The auditor’s BEST recommendation would be to:
A. recruit more monitoring personnel
B. fine tune the intrusion detection system (IDS)
C. reduce the firewall rules
D. establish criteria for reviewing alerts
Correct Answer: D
Question #49
While reviewing similar issues in an organization’s help desk system, an IS auditor finds that they were analyzed independently and resolved differently. This situation MOST likely indicates a deficiency in:
A. IT service level management
B. change management
C. configuration management
D. problem management
Correct Answer: B
Question #50
Which of the following BEST enables staff acceptance of information security policies?
A. Strong senior management support
B. Adequate security funding
C. Computer-based training
D. A robust incident response program
Correct Answer: D
Question #51
The PRIMARY objective of business continuity and disaster recovery plans should be to:
A. safeguard critical IS assets
B. provide for continuity of operations
C. minimize the loss to an organization
D. protect human life
Correct Answer: D
Question #52
Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B.
C. Making decisions regarding risk response and monitoring of residual risk
D. Providing independent and objective feedback to facilitate improvement of IT processes
Correct Answer: B
Question #53
Which of the following is the FIRST consideration when developing a data retention policy?
A. Determining the backup cycle based on retention period
B. Designing an infrastructure storage strategy
C. Identifying the legal and contractual retention period for data
D. Determining the security access privileges to the data
Correct Answer: C
Question #54
Which of the following is the FIRST step when conducting a business impact analysis?
A. Identifying critical information resources
B. Identifying events impacting continuity of operations
C. Analyzing past transaction volumes
D. Creating a data classification scheme
Correct Answer: A
Question #55
When facilitating the alignment of corporate governance and information security governance, which of the following is the MOST important role of an organization’s security steering committee?
A. Obtaining support for the integration from business owners
B. Obtaining approval for the information security budget
C. Evaluating and reporting the degree of integration
D. Defining metrics to demonstrate alignment
Correct Answer: A
Question #56
Which of the following is MOST important to include in a contract with a software development service provider?
A. A list of key performance indicators (KPIs)
B. Ownership of intellectual property
C.
D. Explicit contract termination requirements
Correct Answer: B
Question #57
When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not exceed which of the following?
A. Recovery point objective (RPO)
B. Recovery time objective (RTO)
C. Service level objective (SLO)
D. Maximum acceptable outage (MAO)
Correct Answer: A
Question #58
An IS auditor is reviewing the results of a business process improvement project. Which of the following should be performed FIRST?
A. Evaluate control gaps between the old and the new processes
B. Develop compensating controls
C. Document the impact of control weaknesses in the process
D. Ensure that lessons learned during the change process are documented
Correct Answer: A
Question #59
Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor’s BEST course of action would be to determine if:
A. the domain controller was classified for high availability
B. the network traffic was being monitored
C. the patches were updated
D. the logs were monitored
Correct Answer: B
Question #60
A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node
Correct Answer: D
Question #61
The PRIMARY purpose of a precedence diagramming method in managing IT projects is to:
A. monitor project scope creep
B. identify the critical path
C. identify key milestones
D. minimize delays and overruns
Correct Answer: A
Question #62
What is the BEST way for an IS auditor to address the risk associated with over-retention of personal data after identifying a large number of customer records retained beyond the retention period defined by law?
A. Recommend automating deletion of records beyond the retention period
B. Schedule regular internal audits to identify records for deletion
C. Report the retention period noncompliance to the regulatory authority
D. Escalate the over-retention issue to the data privacy officer for follow-up
Correct Answer: A
Question #63
During a help desk review, an IS auditor determines the call abandonment rate exceeds agreed-upon service levels. What conclusions can be drawn from this finding?
A. There are insufficient telephone lines available to the help desk
B. There is insufficient staff to handle the help desk call volume
C. Help desk staff are unable to resolve a sufficient number of problems on the first call
D. Users are finding solutions from alternative sources
Correct Answer: A
Question #64
An IS auditor determines that a business continuity plan has not been reviewed and approved by management. Which of the following is the MOST significant risk associated with this situation?
A. Continuity planning may be subject to resource constraints
B. The plan may not be aligned with industry best practice
C. Critical business processes may not be addressed adequately
D. The plan has not been reviewed by risk management
Correct Answer: D
Question #65
Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s information security program?
A. The program was not formally signed off by the sponsor
B. Key performance indicators (KPIs) are not established
C. Not all IT staff are aware of the program
Correct Answer: A
Question #66
Which of the following provides the GREATEST assurance that an organization allocates appropriate resources to respond to information security events?
A. Incident classification procedures
B. Threat analysis and intelligence reports
C. An approved IT staffing plan
D. Information security policies and standards
Correct Answer: B
Question #67
An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:
A. based on the results of an organization-wide risk assessment
C. aligned with the organization’s segregation of duties requirements
D. based on the business requirements for authentication of the information
Correct Answer: A
Question #68
IS audit is asked to explain how local area network (LAN) servers can contribute to a rapid dissemination of viruses. The IS auditor’s BEST response is that:
A. the server’s software is the prime target and is the first to be infected
B. the server’s operating system exchanges data with each station starting at every log-on
C. the server’s file sharing function facilitates the distribution of files and applications
D. users of a given server have similar usage of applications and files
Correct Answer: A
Question #69
A maturity model can be used to aid the implementation of IT governance by identifying:
A. critical success factors (CSF)
B. performance drivers
C.
D. accountabilities
Correct Answer: C
Question #70
An organization transmits large amounts of data from one internal system to another. The IS auditor is reviewing the quality of the data at the originating point. Which of the following should the auditor verify FIRST?
A. The data has been encrypted
B. The data transformation is accurate
C. The data extraction process is completed
D. The source data is accurate
Correct Answer: A
Question #71
What is the FIRST line of defense against criminal insider activities?
A. Validating the integrity of personnel
B. Monitoring employee activities
C. Signing security agreements by critical personnel
D. Stringent and enforced access controls
Correct Answer: D
Question #72
Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (IoT) devices?
A. Verify access control lists to the database where collected data is stored
B. Confirm that acceptable limits of data bandwidth are defined for each device
C. Ensure that message queue telemetry transport (MQTT) is used
Correct Answer: B
Question #73
An IT steering committee assists the board of directors to fulfill IT governance duties by:
A. developing IT policies and procedures for project tracking
B. focusing on the supply of IT services and products
C. overseeing major projects and IT resource allocation
D. implementing the IT strategy
Correct Answer: D
Question #74
Which of the following is MOST important to include in a business continuity plan (BCP)?
A. Vendor contact information
B. Documentation of critical systems
C. Documentation of data center floor plans
D. Backup site location information
Correct Answer: C
Question #75
An IS auditor is planning to audit an organization’s infrastructure for access, patching, and change management. Which of the following is the BEST way to prioritize the systems?
A. Complexity of the environment
B. Criticality of the system
C. System hierarchy within the infrastructure
D. System retirement plan
Correct Answer: D
Question #76
Which of the following would be BEST prevented by a raised floor in the computer machine room?
A. Damage of wires around computers and servers
B. A power failure from static electricity
C. Shocks from earthquakes
D. Water flood damage
Correct Answer: A
Question #77
An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?
A. Cost-benefit analysis
B. Gap analysis
C. Risk assessment
D. Business case
Correct Answer: D
Question #78
Following significant organizational changes, which of the following is the MOST important consideration when updating the IT policy?
A. The policy is integrated into job descriptions
B. The policy is endorsed by senior executives
C. The policy is compliant with relevant laws and regulations
Correct Answer: C
Question #79
When reviewing an organization’s IT governance processes, which of the following provides the BEST indication that information security expectations are being met at all levels?
A. Achievement of established security metrics
B. Approval of the security program by senior management
C. Utilization of an internationally recognized security standard
D. Implementation of a comprehensive security awareness program
Correct Answer: C
Question #80
An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:
A. accept the level of access provided as appropriate
B. recommend that the privilege be removed
C. ignore the observation as not being material to the review
D. document the finding as a potential risk
Correct Answer: D
Question #81
A Trojan horse simply cannot operate autonomously.
A. true
B. false
Correct Answer: A
Question #82
Which of the following would be MOST critical for an IS auditor to look for when evaluating fire precautions in a manned data center located on an upper floor of a multi-story building?
A. Existence of handheld fire extinguishers in highly visible locations
B. Documentation of regular inspections by the local fire department
C. Adequacy of the HVAC system throughout the facility
D. Documentation of tested emergency evacuation plans
Correct Answer: A
Question #83
During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor’s BEST course of action?
A. Adjust the annual risk assessment accordingly
B. Require the auditee to address the recommendations in full
C. Evaluate senior management’s acceptance of the risk
D. Update the audit program based on management’s acceptance of risk
Correct Answer: B
Question #84
Which of the following is the MOST important reason to use statistical sampling?
A. The results are more defensible
B. It ensures that all relevant cases are covered
C.
D. The results can reduce error rates
Correct Answer: C
Question #85
Which of the following would BEST provide executive management with current information on IT-related costs and IT performance indicators?
A. IT dashboard
B. Risk register
C. IT service-management plan
D. Continuous audit reports
View answer
Correct Answer: B
Question #86
Which of the following is the MOST important consideration for an organization when strategizing to comply with privacy regulations?
A. Ensuring there are staff members with in-depth knowledge of the privacy regulations
B. Ensuring up-to-date knowledge of where customer data is saved
C. Ensuring regularly updated contracts with third parties that process customer data
D. Ensuring appropriate access to information systems containing privacy information
View answer
Correct Answer: D
Question #87
Which of the following would contribute MOST to an effective business continuity plan (BCP)?
A. Document is circulated to all interested parties
B. Planning involves all user departments
C. Approval by senior management
D. Audit by an external IS auditor
View answer
Correct Answer: B
Question #88
Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What should be done NEXT?
A. Remove audits from the annual plan to better match the number of resources available
B. Reduce the scope of the audits to better match the number of resources available
C. Present the annual plan to the audit committee and ask for more resources
D. Review the audit plan and defer some audits to the subsequent year
View answer
Correct Answer: B
Question #89
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
A. Identifying where existing data resides and establishing a data classification matrix
B. Requiring users to save files in secured folders instead of a company-wide shared drive
C. Reviewing data transfer logs to determine historical patterns of data flow
D. Developing a DLP policy and requiring signed acknowledgement by users
View answer
Correct Answer: B
Question #90
An IS auditor has obtained a large data set containing multiple fields and non-numeric data for analysis. Which of the following activities will MOST improve the quality of conclusions derived from the use of a data analytics tool for this audit?
A. Data anonymization
B. Data classification
View answer
Correct Answer: S
Question #91
During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor’s NEXT step should be to:
A. determine why the procedures were not followed
B. include the noncompliance in the audit report
C. note the noncompliance in the audit working papers
D. issue an audit memorandum identifying the noncompliance
View answer
Correct Answer: C
Question #92
The PRIMARY purpose of reviewing the IT strategic plan is to identify risks that may:
A. limit the ability to deliver customer requirements
B. limit the organization’s ability to achieve its objectives
C. impact operational efficiency of the IT department
D. impact financial resourcing to implement the plan
View answer
Correct Answer: B
Question #93
Which of the following is a rewrite of ipfwadm?
A. ipchains
B. iptables
C. Netfilter
D. ipcook
E. None of the choices
View answer
Correct Answer: A
Question #94
The BEST method an organization can employ to align its business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:
A. execute periodic walk-throughs of the plans
B. update the business impact analysis (BIA) for significant business changes
C. outsource the maintenance of the BCP and disaster recovery plan to a third party
D. include BCP and disaster recovery plan responsibilities as a part of new employee training
View answer
Correct Answer: C
Question #95
Implementing a strong password policy is part of an organization’s information security strategy for the year. A business unit believes the strategy may adversely affect a client’s adoption of a recently developed mobile application and has decided not to implement the policy. Which of the following would be the information security manager’s BEST course of action?
A. Analyze the risk and impact of not implementing the policy
B. Develop and implement a password policy for the mobile application
C. Escalate non-implementation of the policy to senior management
D. Benchmark with similar mobile applications to identify gaps
View answer
Correct Answer: C
Question #96
Which of the following audits assesses the accuracy of financial reporting?
A. Compliance Audit
B. Financial Audit
C. Operational Audit
D. Forensic audit
View answer
Correct Answer: C
Question #97
An information security manager has developed a strategy to address new information security risks resulting from recent changes in the business. Which of the following would be MOST important to include when presenting the strategy to senior management?
A. The impact of organizational changes on the security risk profile
B. The costs associated with business process changes
C. Results of benchmarking against industry peers
D. Security controls needed for risk mitigation
View answer
Correct Answer: C
Question #98
When conducting a penetration test of an IT system, an organization should be MOST concerned with:
A. the confidentiality of the report
B. finding all possible weaknesses on the system
C. restoring all systems to the original state
D. logging all changes made to the production system
View answer
Correct Answer: C
Question #99
An organization was severely impacted after an advanced persistent threat (APT) attack. Afterwards, it was found that the initial breach happened a month prior to the attack. Management’s GREATEST concern should be:
A. results of the past internal penetration test
B. the effectiveness of monitoring processes
C. the installation of critical security patches
D.
View answer
Correct Answer: C
Question #100
To ensure message integrity, confidentiality and non-repudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:
A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key
B. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key
C. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key
D. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key
View answer
Correct Answer: A
Question #101
Which of the following is MOST important when planning a network audit?
A. Determination of IP range in use
B. Isolation of rogue access points
C. Identification of existing nodes
D. Analysis of traffic content
View answer
Correct Answer: B
Question #102
The PRIMARY focus of a training curriculum for members of an incident response team should be:
A. technology training
B. security awareness
C. external corporate communication
D. specific role training
View answer
Correct Answer: D
Question #103
Which of the following is MOST important to the successful implementation of an information security governance framework across the organization?
A. The existing organizational security culture
B. Security management processes aligned with security objectives
C. Organizational security controls deployed in line with regulations
D. Security policies that adhere to industry best practices
View answer
Correct Answer: C
Question #104
The PRIMARY objective of testing a business continuity plan is to:
A. familiarize employees with the business continuity plan
B. ensure that all residual risks are addressed
C. exercise all possible disaster scenarios
D. identify limitations of the business continuity plan
View answer
Correct Answer: D
Question #105
Which of the following is a directive control?
A. Establishing an information security operations team
B. Updating data loss prevention software
C. Implementing an information security policy
D. Configuring data encryption software
View answer
Correct Answer: C
Question #106
An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?
A. Update the acceptable use policy for mobile devices
B. Notify employees to set passwords to a specified length
C. Encrypt data between corporate gateway and devices
D. Apply a security policy to the mobile devices
View answer
Correct Answer: D
Question #107
Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise e-mail?
A. The private key certificate has not been updated
B. The certificate revocation list has not been updated
C. The certificate practice statement has not been published
D. The PKI policy has not been updated within the last year
View answer
Correct Answer: C
Question #108
Which of the following should be the PRIMARY reason to establish a social media policy for all employees?
A. To publish acceptable messages to be used by employees when posting B
C. To restrict access to social media during business hours to maintain productivity
D. To prevent negative public social media postings and comments
View answer
Correct Answer: D
Question #109
An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?
A. Compliance testing
B. Threat risk assessment
C. Penetration testing
D. Vulnerability assessment
View answer
Correct Answer: C
Question #110
Which of the following audit risks relates to the exposure of a process or entity to be audited, without taking into account the controls that management has implemented?
A. Inherent Risk
B. Control Risk
C. Detection Risk
D. Overall Audit Risk
View answer
Correct Answer: B
Question #111
Users are issued security tokens to be used in combination with a PIN to access the corporate virtual private network (VPN). Regarding the PIN, what is the MOST important rule to be included in a security policy?
A. Users should not leave tokens where they could be stolen
B. Users must never keep the token in the same bag as their laptop computer
C. Users should select a PIN that is completely random, with no repeating digits
D. Users should never write down their PIN
View answer
Correct Answer: D
Question #112
An IS auditor submitted audit reports and scheduled a follow-up audit engagement with a client. The client has requested to engage the services of the same auditor to develop enhanced controls. What is the GREATEST concern with this request?
A. It would require the approval of the audit manager
B. It would be beyond the original audit scope
C. It would be a possible conflict of interest
D. It would require a change to the audit plan
View answer
Correct Answer: C
Question #113
An organization is currently replacing its accounting system. Which of the following strategies will BEST minimize risk associated with the loss of data integrity from the upgrade?
A. Pilot implementation
B. Functional integration testing
C. Fallback contingency
D. Parallel implementation
View answer
Correct Answer: B
Question #114
Internal audit reports should be PRIMARILY written for and communicated to:
A. audit management, as they are responsible for the quality of the audit
B. external auditors, as they provide an opinion on the financial statements
C.
D.
View answer
Correct Answer: C
Question #115
An IS auditor has been asked to advise on the design and implementation of IT management best practices. Which of the following actions would impair the auditor’s independence?
A. Providing consulting advice for managing applications
B. Designing an embedded audit module
C. Implementing risk response on management’s behalf
D. Evaluating the risk management process
View answer
Correct Answer: A
Question #116
Which of the following should an IS auditor expect to see in a network vulnerability assessment?
A. Misconfiguration and missing updates
B. Malicious software and spyware
C. Security design flaws
D. Zero-day vulnerabilities
View answer
Correct Answer: D
Question #117
Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?
A. Identify aggregate residual IT risk for each business line
B. Obtain a complete listing of the entity’s IT processes
C. Obtain a complete listing of assets fundamental to the entity’s businesses
D. Identify key control objectives for each business line’s core processes
View answer
Correct Answer: C
Question #118
A source code repository should be designed to:
A. provide automatic incorporation and distribution of modified code
B. prevent changes from being incorporated into existing code
C. provide secure versioning and backup capabilities for existing code
D. prevent developers from accessing secure source code
View answer
Correct Answer: B
Question #119
An organization has a number of branches across a wide geographical area. To ensure that all aspects of the disaster recovery plan are evaluated in a cost effective manner, an IS auditor should recommend the use of a:
A. data recovery test
B. full operational test
C. posttest
D. preparedness test
View answer
Correct Answer: D
Question #120
During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed
B. execution of the disaster recovery plan could be impacted
C. notification of the teams might not occur
D. potential crisis recognition might be ineffective
View answer
Correct Answer: B
Question #121
A CEO requests access to corporate documents from a mobile device that does not comply with organizational policy. The information security manager should FIRST:
A. evaluate the business risk
B. evaluate a third-party solution
C. initiate an exception approval process
D. deploy additional security controls
View answer
Correct Answer: A
Question #122
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization’s data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?
A. Data impacting business objectives
B. Data supporting financial statements
C. Data reported to the regulatory body
D. Data with customer personal information
View answer
Correct Answer: A
Question #123
An IS audit team is evaluating the documentation related to the most recent application user-access review performed by IT and business management. It is determined the user list was not system-generated. Which of the following should be the GREATEST concern?
A. Source of the user list reviewed
B. Availability of the user list reviewed
C. Confidentiality of the user list reviewed
D. Completeness of the user list reviewed
View answer
Correct Answer: D
Question #124
An IS auditor is evaluating the access controls at a multinational company with a shared network infrastructure. Which of the following is MOST important?
A. Simplicity of end-to-end communication paths
B. Remote network administration
C. Common security policies
D. Logging of network information at user level
View answer
Correct Answer: A
Question #125
An IS auditor discovered abnormalities in a monthly report generated from a system upgraded six months ago. Which of the following should be the auditor’s FIRST course of action?
A. Inspect source code for proof of abnormalities
B. Perform a change management review of the system
C. Schedule an access review of the system
D. Determine the impact of abnormalities in the report
View answer
Correct Answer: A
Question #126
The MOST effective method for an IS auditor to determine which controls are functioning in an operating system is to:
A. compare the current configuration to the corporate standard
B. consult with the systems programmer
C. consult with the vendor of the system
View answer
Correct Answer: A
Question #127
Which of the following findings would have the GREATEST impact on the objective of a business intelligence system?
A. Key controls have not been tested in a year
B. Decision support queries use database functions proprietary to the vendor
C. The hot site for disaster recovery does not include the decision support system
D. Management reports have not been evaluated since implementation
View answer
Correct Answer: D
Question #128
The MOST important objective of security awareness training for business staff is to:
A. understand intrusion methods
B. reduce negative audit findings
C. increase compliance
D. modify behavior
View answer
Correct Answer: D
Question #129
Which of the following should be the PRIMARY concern of an IS auditor during a review of an external IT service level agreement (SLA) for computer operations?
A. No employee succession plan
B. Changes in services are not tracked
C. Lack of software escrow provisions
D. Vendor has exclusive control of IT resources
View answer
Correct Answer: A
Question #130
Which of the following would be an IS auditor's GREATEST concern when evaluating a cybersecurity incident response plan?
A. The plan has not been recently tested
B. Roles and responsibilities are not detailed for each process
C. Stakeholder contact details are not up-to-date
D. The plan does not include incident response metrics
View answer
Correct Answer: D
Question #131
Which of the following is a tool you can use to simulate a big network structure on a single computer?
A. honeymoon
B. honeytrap
C. honeytube
D. honeyd
E. None of the choices
View answer
Correct Answer: D
Question #132
Which of the following findings would be of GREATEST concern to an IS auditor performing an information security audit of critical server log management activities?
A. Log records can be overwritten before being reviewed
C. Log records are dynamically into different servers
D. Logs are monitored using manual processes
View answer
Correct Answer: C
Question #133
Which of the following BEST demonstrates effective information security management within an organization?
A. Employees support decisions made by information security management
B. Excessive risk exposure in one department can be absorbed by other departments
C. Information security governance is incorporated into organizational governance
D. Control ownership is assigned to parties who can accept losses related to control failure
View answer
Correct Answer: C
Question #134
Which of the following is the PRIMARY objective of the IS audit function?
A. Perform reviews based on standards developed by professional organizations
B. Reports to management on the functioning of internal controls
C. Certify the accuracy of financial data
D. Facilitate extraction of computer-based data for substantive testing
View answer
Correct Answer: C
Question #135
During an audit, the client learns that the IS auditor has recently completed a similar security review at a competitor. The client inquires about the competitor’s audit results. What is the BEST way for the auditor to address this inquiry?
A. Explain that it would be inappropriate to discuss the results of another audit client
B. Escalate the question to the audit manager for further action
C. Discuss the results of the audit omitting specifics related to names and products
View answer
Correct Answer: D
Question #136
During a database audit, an IS auditor noted frequent problems due to the growing size of the order tables. Which of the following is the BEST recommendation in this situation?
A. Develop an archiving approach
B. Periodically delete completed orders
C. Build more table indices
D. Migrate to a different database management system
View answer
Correct Answer: A
Question #137
Which of the following is MOST important when selecting an information security metric?
A. Defining the metric in quantitative terms
B. Aligning the metric to the IT strategy
C.
D. Ensuring the metric is repeatable
View answer
Correct Answer: D
Question #138
During business process reengineering (BPR) of a bank’s teller activities, an IS auditor should evaluate:
A. the impact of changed business processes
B. the cost of new controls
C. BPR project plans
D. continuous improvement and monitoring plans
View answer
Correct Answer: B
Question #139
During a vendor management database audit, an IS auditor identifies multiple instances of duplicate vendor records. In order to prevent recurrence of the same issue, which of the following would be the IS auditor’s BEST recommendation to management?
A. Perform system verification checks for unique data values on key fields
B. Request senior management approval of all new vendor details
C. Run system reports of full vendor listings periodically to identify duplication
D. Build a segregation of duties control into the vendor creation process
View answer
Correct Answer: D
Question #140
An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?
A. Access control requirements
B. Hardware configurations
C. Perimeter network security diagram
D. Help desk availability
View answer
Correct Answer: C
Question #141
The CIO of an organization is concerned that the information security policies may not be comprehensive. Which of the following should an IS auditor recommend be performed FIRST?
A. Obtain a copy of their competitor’s policies
B. Determine if there is a process to handle exceptions to the policies
C. Establish a governance board to track compliance with the policies
D. Compare the policies against an industry framework
View answer
Correct Answer: D
Question #142
Which of the following should be of MOST concern to an IS auditor reviewing the BCP?
A. The disaster levels are based on scopes of damaged functions, but not on duration
B. The difference between low-level disaster and software incidents is not clear
C. The overall BCP is documented, but detailed recovery steps are not specified
D. The responsibility for declaring a disaster is not identified
View answer
Correct Answer: D
Question #143
The PRIMARY reason an organization would require that users sign an acknowledgment of their system access responsibilities is to:
A. maintain compliance with industry best practices
B. serve as evidence of security awareness training
C. assign accountability for transactions made with the user’s ID
D. maintain an accurate record of users’ access rights
View answer
Correct Answer: C
Question #144
The MOST important success factor in planning a penetration test is:
A. the documentation of the planned testing procedure
B. scheduling and deciding on the timed length of the test
C. the involvement of the management of the client organization
D. the qualifications and experience of staff involved in the test
View answer
Correct Answer: C
Question #145
Before concluding that internal controls can be relied upon, the IS auditor should:
A. discuss the internal control weaknesses with the auditee
B. document application controls
C. conduct tests of compliance
D. document the system of internal control
View answer
Correct Answer: D
Question #146
What is the PRIMARY benefit to executive management when audit, risk, and security functions are aligned?
A. More efficient incident handling
B. Reduced number of assurance reports
C. More effective decision making
D. More timely risk reporting
View answer
Correct Answer: B
Question #147
In the IT department where segregation of duties is not feasible due to a limited number of resources, a team member is performing the functions of computer operator and reviewer of application logs. Which of the following would be the IS auditor’s BEST recommendation?
A. Develop procedures to verify that the application logs are not modified
B. Prevent the operator from performing application development activities
C. Assign an independent second reviewer to verify the application logs
D. Restrict the computer operator’s access to the production environment
View answer
Correct Answer: C
Question #148
An accurate biometric system usually exhibits (Choose two.):
A. low EER
B. low CER
C. high EER
D. high CER
E. None of the choices
View answer
Correct Answer: AB
Question #149
As part of a follow-up of a previous year’s audit, an IS auditor has increased the expected error rate for a sample. The impact will be:
A. degree of assurance increases
B. standard deviation decreases
C. sampling risk decreases
D. required sample size increases
View answer
Correct Answer: D
Question #150
Which of the following observations noted during a review of the organization’s social media practices should be of MOST concern to the IS auditor?
A. The organization does not require approval for social media posts
B. More than one employee is authorized to publish on social media on behalf of the organization
C. Not all employees using social media have attended the security awareness program
D. The organization does not have a documented social media policy
View answer
Correct Answer: B
Question #151
An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities should be included as part of the QA program requirements?
A. Reporting program results to the board
B. Reviewing audit standards periodically
C. Analyzing user satisfaction reports from business lines
D. Conducting long-term planning for internal audit staffing
View answer
Correct Answer: S
Question #152
The risk that the IS auditor will not find an error that has occurred is identified by which of the following terms?
A. Control
B. Prevention
C. Inherent
D. Detection
View answer
Correct Answer: C
Question #153
An IS auditor finds that a mortgage origination team receives customer mortgage applications via a shared repository. Which of the following test procedures is the BEST way to assess whether there are adequate privacy controls over this process?
A. Validate whether the encryption is compliant with the organization’s requirements
B. Validate that data is entered accurately and timely
C. Validate whether documents are deleted according to data retention procedures
D. Validate whether complex passwords are required
View answer
Correct Answer: D
Question #154
Which of the following procedures should an IS auditor complete FIRST when evaluating the adequacy of IT key performance indicators (KPIs)?
A. Independently calculate the accuracy of the KPIs
B. Review KPIs that indicate poor IT performance
C. Validate the KPI thresholds
D. Determine whether the KPIs support IT objectives
A. Tolerable error
B. Accessibility of the data
C. Data integrity
D. Responsiveness of the auditee
View answer
Correct Answer: S
Question #155
An organization currently using tape backups takes one full backup weekly and incremental backups daily. They recently augmented their tape backup procedures with a backup-to-disk solution. This is appropriate because:
A. fast synthetic backups for offsite storage are supported
B. backup to disk is always significantly faster than backup to tape
C. tape libraries are no longer needed
D. data storage on disks is more reliable than on tapes
View answer
Correct Answer: A
Question #156
The MOST effective way to determine if IT is meeting business requirements is to establish:
A. industry benchmarks
C. a capability model
D. key performance indicators (KPIs)
View answer
Correct Answer: A
Question #157
The MOST important difference between hashing and encryption is that hashing:
A. is irreversible
B. output is the same length as the original message
C. is concerned with integrity and security
D. is the same at the sending and receiving end
View answer
Correct Answer: A
Question #158
Performance monitoring tools report that servers are consistently above the recommended utilization capacity. Which of the following is the BEST recommendation of the IS auditor?
A. Develop a capacity plan based on usage projections
B. Deploy load balancers
C. Monitor activity logs
D. Add servers until utilization is at target capacity
View answer
Correct Answer: D
Question #159
Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?
A. Number of false negatives
B. Number of false positives
C. Legitimate traffic blocked by the system
D. Reliability of IDS logs
View answer
Correct Answer: B
Question #160
When removing a financial application system from production, which of the following is MOST important?
A. Media used by the retired system has been sanitized
B. Data retained for regulatory purposes can be retrieved
C. End-user requests for changes are recorded and tracked
D. Software license agreements are retained
View answer
Correct Answer: B
Question #161
When planning an application audit, it is MOST important to evaluate risk factors by interviewing:
A. process owners
B. application owners
C. IT management
D. application users
View answer
Correct Answer: C
Question #162
A vendor service level agreement (SLA) requires backups to be physically secured. An IS audit of the backup system revealed a number of the backup media were missing. Which of the following should be the auditor’s NEXT step?
A. Recommend a review of the vendor’s contract
B. Recommend identification of the data stored on the missing media
D. Include the missing backup media finding in the audit report
View answer
Correct Answer: A
Question #163
An advantage of the use of hot sites as a backup alternative is that:
A. the costs associated with hot sites are low
B. hot sites can be used for an extended amount of time
C. hot sites can be made ready for operation within a short period of time
D. they do not require that equipment and systems software be compatible with the primary site
View answer
Correct Answer: C
Question #164
During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer orders via credit card. The IS auditor should FIRST:
A. notify management
B. redesign the customer order process
C. document the finding in the report
D. suspend credit card processing
View answer
Correct Answer: A
Question #165
Which of the following is the MOST effective way of ensuring that business units comply with an information security governance framework?
A. Conducting information security awareness training
B. Performing security assessments and gap analyses
C. Integrating security requirements with processes
D. Conducting a business impact analysis (BIA)
View answer
Correct Answer: D
Question #166
In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?
A. Update the corporate mobile usage policy to prohibit texting
B. Conduct a business impact analysis (BIA) and provide the report to management
C. Stop providing mobile devices until the organization is able to implement controls
D. Include the topic of prohibited texting in security awareness training
View answer
Correct Answer: B
Question #167
In a follow-up audit, an IS auditor notes that management has addressed the original findings in a different way than originally agreed upon. The auditor should FIRST:
A. mark the recommendation as satisfied and close the finding
B. verify if management’s action mitigates the identified risk
C.
D. escalate the deviation to the audit committee
View answer
Correct Answer: A
Question #168
A 5-year audit plan provides for general audits every year and application audits on alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:
A. proceed with the plan and integrate all new applications
B. alternate between control self-assessment (CSA) and general audits every year
C. implement risk assessment criteria to determine audit priorities
D. have control self-assessments (CSAs) and formal audits of applications on alternating years
View answer
Correct Answer: A
Question #169
Rather than decommission an entire legacy application, an organization’s IT department has chosen to replace specific modules while maintaining those still relevant. Which of the following artifacts is MOST important for an IS auditor to review?
A. IT service management catalog and service level requirements
B. Security requirements for legacy data masking and data destruction
C. Applicable licensing agreements for the application
D. Future state architecture and requirements
View answer
Correct Answer: D
Question #170
An organization performs nightly backups but does not have a formal policy. An IS auditor should FIRST:
A. evaluate current backup procedures
B. escalate to senior management
C. document a policy for the organization
D. recommend automated backup
View answer
Correct Answer: A
Question #171
Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?
A. Identifying risk mitigation options
B. Identifying key business risks
C. Identifying critical business processes
D. Identifying the threat environment
View answer
Correct Answer: D