DON'T WANT TO MISS A THING?

Certification Exam Passing Tips

Latest exam news and discount info

Curated and up-to-date by our experts

Yes, send me the newsletter

Latest CISA Practice Tests and Exam Dumps 2024, Certified Information Systems Auditor | SPOTO

Mock tests are a crucial component of preparing for the latest CISA certification exam, offering several key advantages. These practice tests simulate the real exam environment, allowing candidates to become familiar with the format, timing, and difficulty level of actual exam questions. By practicing with mock tests, candidates can identify their strengths and weaknesses, enabling them to focus their study efforts more effectively. Mock tests also help improve time management skills, as candidates learn to allocate the appropriate amount of time to each question. Additionally, mock tests provide immediate feedback on performance, highlighting areas that require further attention and guiding ongoing study efforts. With access to SPOTO's latest CISA practice tests and exam dumps for 2024, candidates can enhance their exam preparation and increase their chances of success.

Take other online exams

Question #1
Which of the following is the BEST physical security solution for granting and restricting access to individuals based on their unique access needs?
A. Bolting door locks
B. Cipher locks
C. Closed-circuit television (CCTV)
D. Electronic badge system
View answer
Correct Answer: D

View The Updated CISA Exam Questions

SPOTO Provides 100% Real CISA Exam Questions for You to Pass Your CISA Exam!

Question #2
Which of the following controls will BEST ensure that the board of directors receives sufficient information about IT?
A. The CIO reports on performance and corrective actions in a timely manner
B. Regular meetings occur between the board, the CIO, and a technology committee
C. The CIO regularly sends IT trend reports to the board
D. Board members are knowledgeable about IT, and the CIO is consulted on IT issues
View answer
Correct Answer: A
Question #3
A firewall has been installed on the company’s web server. Which concern does the firewall address?
A. Availability of the information
B. Unauthorized modification of information by internal users
C. Accessing information by the outside world
D. Connectivity to the Internet
View answer
Correct Answer: A
Question #4
One advantage of managing an entire collection of projects as a portfolio is that it highlights the need to:
A. identify dependencies between projects
B. inform users about all ongoing projects
C. manage the risk of each individual project
D. manage the quality of each project
View answer
Correct Answer: D
Question #5
Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?
A. Corporate procurement standards are not followed
B. The business units want IT to be responsible for maintenance costs
C. Data security requirements are not considered
D. System inventory becomes inaccurate
View answer
Correct Answer: C
Question #6
An external audit team is deciding whether to rely on internal audit’s work for an annual compliance audit. Which of the following is the GREATEST consideration when making this decision?
A. Independence of the internal audit department from management’s influence
B. Professional certifications held by the internal audit team members
C. Years of experience each of the internal auditors have in performing compliance audits
D. The level of documentation maintained by internal audit and the methods used to collect evidence
View answer
Correct Answer: C
Question #7
Which of the following layer of an enterprise data flow architecture represents subsets of information from the core data warehouse?
A. Presentation layer
B. Desktop Access Layer
C. Data Mart layer
D. Data access layer
View answer
Correct Answer: C
Question #8
An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If approved, which of the following should be the FIRST control required before implementation?
A. Device baseline configurations
B. Device registration
C. An acceptable use policy
D. An awareness program
View answer
Correct Answer: C
Question #9
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
A. Staff members were not notified about the test beforehand
B. Test results were not communicated to staff members
C. Staff members who failed the test did not receive follow-up education
View answer
Correct Answer: C
Question #10
Electrical surge protectors BEST protect from the impact of:
A. electromagnetic interference
B. power outages
C. sags and spikes
D. reduced voltage
View answer
Correct Answer: C
Question #11
Which of the following type of testing has two major categories: QAT and UAT?
A. Interface testing
B. Unit Testing
C. System Testing
D. Final acceptance testing
View answer
Correct Answer: B
Question #12
An IS auditor discovers a recurring software control process issue that severely impacts the efficiency of a critical business process. Which of the following is the BEST recommendation?
A. Replace the malfunctioning system
B. Determine the compensating controls
C. Identify other impacted processes
View answer
Correct Answer: C
Question #13
An organization has outsourced many application development activities to a third party that uses contract programmers extensively. Which of the following would provide the BEST assurance that the third party’s contract programmers comply with the organization’s security policies?
A. Perform periodic security assessments of the contractors’ activities
B. Conduct periodic vulnerability scans of the application
C. Include penalties for noncompliance in the contracting agreement
D. Require annual signed agreements of adherence to security policies
View answer
Correct Answer: A
Question #14
Which of the following is the MOST effective way to achieve the integration of information security governance into corporate governance?
A. Ensure information security aligns with IT strategy
B. Provide periodic IT balanced scorecards to senior management
C. Align information security budget requests to organizational goals
D. Ensure information security efforts support business goals
View answer
Correct Answer: D
Question #15
A small organization is experiencing rapid growth and plans to create a new information security policy. Which of the following is MOST relevant to creating the policy?
A. Industry standards
B. The business impact analysis (BIA)
C. The business objectives
D. Previous audit recommendations
View answer
Correct Answer: D
Question #16
During a post-incident review. the sequence and correlation of actions must be analyzed PRIMARLY based on:
A. interviews with personnel B
C. logs from systems involved
D. documents created during the incident
View answer
Correct Answer: C
Question #17
Which of the following will MOST effectively help to manage the challenges associated with end user-developed application systems?
A. Developing classifications based on risk
B. Introducing redundant support capacity
C. Prohibiting creation of executable files
D. Applying control practices used by IT
View answer
Correct Answer: C
Question #18
Which of the following fourth generation language depends on self-contained database management systems?
A. Query and report generator
B. Embedded database 4GLs
C. Relational database 4GL
D. Application generators
View answer
Correct Answer: B
Question #19
An information security manager is concerned that executive management does not support information security initiatives. Which of the following is the BEST way to address this situation?
A. Demonstrate alignment of the information security function with business needs
C. Report the risk and status of the information security program to the board
D. Revise the information security strategy to meet executive management’s expectations
View answer
Correct Answer: D
Question #20
An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor’s NEXT step should be to:
A. evaluate the impact of the cloud application on the audit scope
B. revise the audit scope to include the cloud-based application
C. review the audit report when performed by the third party D
View answer
Correct Answer: D
Question #21
Which of the following is the GREATEST risk resulting from conducting periodic reviews of IT over several years based on the same audit program?
A. The amount of errors will increase because the routine work promotes inattentiveness
B. Detection risk is increased because auditees already know the audit program
C. Audit risk is increased because the programs might not be adapted to the organization’s current situation
D. Staff turnover in the audit department will increase because fieldwork becomes less interesting
View answer
Correct Answer: C
Question #22
Which of the following is the MOST effective method of destroying sensitive data stored on electronic media?
A. Physical destruction
B. Degaussing
C. Random character overwrite
D. Low-level formatting
View answer
Correct Answer: A
Question #23
An organization’s IT security policy requires annual security awareness training for all employees. Which of the following would provide the BEST evidence of the training’s effectiveness?
A. Results of a social engineering test
B. Interviews with employees
C. Decreased calls to the incident response team
D. Surveys completed by randomly selected employees
View answer
Correct Answer: D
Question #24
An IS auditor observes a system performance monitoring tool which states that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required, an IS auditor should review:
A. the system process activity log
B. system baselines
C. the number of CPUs allocated to each virtual machine
D. organizational objectives
View answer
Correct Answer: C
Question #25
You should know the difference between an exploit and a vulnerability. Which of the following refers to a weakness in the system?
A. exploit
B. vulnerability
C. both
View answer
Correct Answer: B
Question #26
Which of the following is a step in establishing a security policy?
A. Developing platform-level security baselines
B. Developing configurations parameters for the network,
C. Implementing a process for developing and maintaining the policy
D. Creating a RACI matrix
View answer
Correct Answer: A
Question #27
During a privileged access review, an IS auditor observes many help desk employees have privileges within systems not required for their job functions. Implementing which of the following would have prevented this situation?
A. Separation of duties
B. Multi-factor authenticationC
D. Privileged access reviews
View answer
Correct Answer: C
Question #28
If concurrent update transactions to an account are not processed properly, which of the following will be affected?
A. Integrity
B. Confidentiality
C. Availability
D. Accountability
View answer
Correct Answer: A
Question #29
During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?
A. Inspect user acceptance test results
B. Re-perform the calculation with audit software
C. Review sign-off documentation
D. Review the source code related to the calculation
View answer
Correct Answer: D
Question #30
Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization’s backup processes?
A. A written backup policy is not available
B. Backup failures are not resolved in a timely manner
C. The restoration process is slow due to connectivity issues
D. The service levels are not achieved
View answer
Correct Answer: D
Question #31
An IS auditor finds that intellectual property is not being protected to the level specified in the organization’s data classification and protection policy. The business owner is aware of this issue and chooses to accept the risk. Which of the following is the auditor’s BEST course of action?
A. Note the finding and request formal acceptance
B. Include the finding in the follow-up audit
C. Amend the data classification policy
D. Form a committee and further investigate the issue
View answer
Correct Answer: A
Question #32
As IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
A. Identify whether any compensating controls exist
B. Report a potential segregation of duties (SoD) violation
C. Determine whether another database administrator could make the changes
D. Ensure a change management process is followed prior to implementation
View answer
Correct Answer: C
Question #33
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor’s NEXT course of action?
A. Obtain a verbal confirmation from IT for this exemption
B. Review the list of end-users and evaluate for authorization
C. Verify management’s approval for this exemption
D. Report this control process weakness to senior management
View answer
Correct Answer: A
Question #34
Which of the following types of spyware was originally designed for determining the sources of error or for measuring staff productivity?
A. Keywords logging
B. Keystroke logging
C. Directory logging
D. Password logging
E. None of the choices
View answer
Correct Answer: B
Question #35
Which of the following is the MOST important feature of access control software?
A. Authentication
B. Violation reporting
C. Nonrepudiation
D. Identification
View answer
Correct Answer: D
Question #36
Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?
A. Requiring a key code to be entered on the printer to produce hardcopy
B. Producing a header page with classification level for printed documents
C. Encrypting the data stream between the user’s computer and the printer
D. Using passwords to allow authorized users to send documents to the printer
View answer
Correct Answer: D
Question #37
In which of the following database models is the data represented in terms of tulles and grouped into relations?
A. Hierarchical database model
B. Network database model
C. Relational database model D
View answer
Correct Answer: D
Question #38
Which of the following ISO/OSI layers performs transformations on data to provide a standardized application interface and to provide common communication services such as encryption?
A. Application layer
B. Session layer
C. Presentation layer
D. Transport layer
View answer
Correct Answer: D
Question #39
Which of the following is not a common method of multiplexing data?
A. Analytical multiplexing
B. Time-division multiplexing
C. Asynchronous time-division multiplexing D
View answer
Correct Answer: A
Question #40
In which of the following cloud computing service model are applications hosted by the service provider and made available to the customers over a network? A. Software as a service
B. Data as a service
C. Platform as a service
D. Infrastructure as a service
View answer
Correct Answer: A
Question #41
Which of the following is the BEST way to demonstrate to senior management that organizational security practices comply with industry standards?
A. A report on the maturity of controls
B. Up-to-date policy and procedures documentation
C. Existence of an industry-accepted framework
D. Results of an independent assessment
View answer
Correct Answer: A
Question #42
An online retailer is receiving customer about receiving different items from what they ordered on the organization’s website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?
A. Implement business rules to validate employee data entry
B. Invest in additional employee training for data entry
C. Assign responsibility for improving data quality
D. Outsource data cleansing activities to reliable third parties
View answer
Correct Answer: B
Question #43
Which of the following should be of GREATEST concern to an IS auditor reviewing the controls for a continuous software release process?
A. Release documentation is not updated to reflect successful deployment
B. Test libraries have not been reviewed in over six months
C. Developers are able to approve their own releases
D. Testing documentation is not attached to production releases
View answer
Correct Answer: D
Question #44
In a multinational organization, local security regulations should be implemented over global security policy because:
A. global security policies include unnecessary controls for local businesses
B. business objectives are defined by local business unit managers
C. requirements of local regulations take precedence
D. deploying awareness of local regulations is more practical than of global policy
View answer
Correct Answer: B
Question #45
When consolidating several applications from two outdated servers onto one new server, which of the following is the GREATEST concern?
A. Increased software licensing cost
B. Maintenance requires more coordination
C. Decreased utilization of capacity
D. Increased network traffic Explanation/Reference:
View answer
Correct Answer: C
Question #46
Which of the following is the MOST important requirement for an IS auditor to evaluate when reviewing a transmission of personally identifiable information (PII) between two organizations?
A. Completeness
B. Timeliness
C. Necessity
D. Accuracy
View answer
Correct Answer: C
Question #47
Which of the following provides an IS auditor the MOST assurance that an organization is compliant with legal and regulatory requirements?
A. The IT manager is responsible for the organization’s compliance with legal and regulatory requirements
B. Controls associated with legal and regulatory requirements have been identified and tested
D. There is no history of complaints or fines from regulators regarding noncompliance
View answer
Correct Answer: D
Question #48
An organization wants to test business continuity using a scenario in which there are many remote workers trying to access production data at the same time. Which of the following is the BEST testing method in this situation?
A. Application failover testing
B. Network stress testing
C. Alternate site testing
D. Network penetration testing
View answer
Correct Answer: A
Question #49
A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?
A. Penetration test results
B. Database application monitoring logs C
D. Web application firewall implementation
View answer
Correct Answer: S
Question #50
An IS auditor plans to review all access attempts to a video-monitored and proximity-card controlled communications room. Which of the following would be MOST useful to the auditor?
A. System electronic log
B. Security incident log
C. Manual sign-in and sign-out log
D. Alarm system with CCTV
View answer
Correct Answer: A
Question #51
Which of the following layer of an enterprise data flow architecture is responsible for data copying, transformation in Data Warehouse (DW) format and quality control? A. Data Staging and quality layer
B. Desktop Access Layer
C. Data Mart layer
D. Data access layer
View answer
Correct Answer: D
Question #52
When continuous monitoring systems are being implemented, an IS auditor should FIRST identify:
A. the location and format of output files
B. applications that provide the highest financial risk
C. high-risk areas within the organization
D. the controls on which to focus
View answer
Correct Answer: D
Question #53
Which of the following is the MOST reliable network connection medium in an environment where there is strong electromagnetic interference?
A. Coaxial cable
B. Fiber optic cable
C. Shielded twisted-pair cable
D. Wireless link
View answer
Correct Answer: A
Question #54
Which of the following should be the PRIMARY basis for prioritizing follow-up audits?
A. Complexity of management’s actions plans
B. Recommendation from executive management
C. Audit cycle defined in the audit plan
D. Residual risk from the findings of previous audits
View answer
Correct Answer: D
Question #55
A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?
A. System documentation
B. Currency conversion Explanation/Reference:
C. Application interfaces
D. Scope creep
View answer
Correct Answer: B
Question #56
A large insurance company is about to replace a major financial application. Which of the following is the IS auditor’s PRIMARY focus when conducting the preimplementation review? A. Procedure updates
B. Migration of data
C. System manuals
D. Unit testing
View answer
Correct Answer: D
Question #57
Which of the following is the MOST appropriate document for granting authority to an external IS auditor in an audit engagement with a client organization?
A. Approved statement of work
B. Formally approved audit charter
C. An internal memo to all concerned parties
D. Request for proposal for audit services
View answer
Correct Answer: D
Question #58
Which of the following processes is the FIRST step in establishing an information security policy?
A. Security controls evaluation
B. Business risk assessment
C. Review of current global standards
D. Information security audit
View answer
Correct Answer: B
Question #59
Software quality assurance (QA) reviews are planned as part of system development. At which stage in the development process should the first review be initiated?
A. At pre-implementation planning
B. As a part of the user requirements definition
C. Immediately prior to user acceptance testing
D. During the feasibility study
View answer
Correct Answer: A
Question #60
An organization’s IT security policy states that user IDs must uniquely identify individuals and that users should not disclose their passwords. An IS auditor discovers that several generic user IDs are being used. Which of the following is the MOST appropriate course of action for the auditor?
A. Investigate the noncompliance
B. Include the finding in the final audit report
C. Recommend disciplinary action
D. Recommend a change in security policy
View answer
Correct Answer: D
Question #61
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor’s BEST course of action would be to:
A. determine whether the alternative controls sufficiently mitigate the risk and record the results
B. reject the alternative controls and re-prioritize the original issue as high risk
C. postpone follow-up activities and escalate the alternative controls to senior audit management
D. schedule another audit due to the implementation of alternative controls
View answer
Correct Answer: D
Question #62
An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
A. Partitioning the work environment from personal space on devices
B. Preventing users from adding applications
C. Restricting the use of devices for personal purposes during working hours
D. Installing security software on the devices
View answer
Correct Answer: C
Question #63
The MOST significant reason for using key performance indicators (KPIs) to track the progress of IT projects against initial targets is that they: A. influence management decisions to outsource IT projects
B. identify which projects may require additional funding
C. provide timely indication of when corrective actions need to be taken
D. identify instances where increased stakeholder engagement is required
View answer
Correct Answer: D
Question #64
Which of the following is MOST important for an IS auditor to evaluate when determining the effectiveness of an information security program?
A. Percentage of users aware of the objectives of the security program
B. Percentage of policy exceptions that were approved with justification
C. Percentage of desired control objectives achieved
D. Percentage of reported security incidents Explanation/Reference:
View answer
Correct Answer: A
Question #65
When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:
A. policies and procedures of the business area being audited
B. business process supported by the system
C. availability reports associated with the cloud-based system
D. architecture and cloud environment of the system
View answer
Correct Answer: A
Question #66
During an IS audit of a data center, it was found that programmers are allowed to make emergency fixes to operational programs. Which of the following should be the IS auditor’s PRIMARY recommendation?
A. Bypass use ID procedures should be put in place to ensure that the changes are subject to after-the-event approval and testing
B. The ability to undertake emergency fixes should be restricted to selected key personnel
C. Programmers should be allowed to implement emergency fixes only after obtaining verbal agreement from the application owner
D. Emergency program changes should be subject to program migration and testing procedures before they are applied to operational systems
View answer
Correct Answer: B
Question #67
Which of the following sites would be MOST appropriate in the case of a very short recovery time objective (RTO)?
A. Mobile
B. Redundant
C. Shared
D. Warm
View answer
Correct Answer: A
Question #68
During an annual security review of an organization’s servers, it was found that the customer service team’s file server, which contains sensitive customer data, is accessible to all user IDs in the organization. Which of the following should the information security manager do FIRST?
A. Report the situation to the data owner
B. Remove access privileges to the folder containing the data
C. Train the customer service team on properly controlling file permissions
D. Isolate the server from the network
View answer
Correct Answer: C
Question #69
Which of the following is the PRIMARY role of an IS auditor with regard to data privacy?
A. Ensuring compliance with data privacy laws
B. Communicating data privacy requirements to the organization
C. Drafting the organization’s data privacy policy
D. Verifying that privacy practices match privacy statements
View answer
Correct Answer: B
Question #70
Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?
A. To operate third-party hosted applications
B. To install and manage operating systems C
D. To develop and integrate its applications
View answer
Correct Answer: C
Question #71
Which of the following is a distinguishing feature at the highest level of a maturity model?
A. There are formal standards and procedures
B. Projects are controlled with management supervision
C. A continuous improvement process is applied
D. Processes are monitored continuously
View answer
Correct Answer: C
Question #72
Which of the following should be reviewed FIRST when assessing the effectiveness of an organization’s network security procedures and controls?
A. Data recovery capability
B. Inventory of authorized devices
C. Vulnerability remediation
D. Malware defenses
View answer
Correct Answer: A
Question #73
Which of the following should be PRIMARILY included in a security training program for business process owners?
A. Application vulnerabilities
B. List of security incidents reported
C. Application recovery time
D. Impact of security risks
View answer
Correct Answer: D
Question #74
An organization is implementing the use of mobile devices that will connect to sensitive corporate applications. Which of the following is the BEST recommendation to mitigate risk of data leakage?
A. Remote data wipe
B. GPS tracking software
C. Encrypted RFID tags
D. Data encryption
View answer
Correct Answer: C
Question #75
The risk of communication failure in an e-commerce environment is BEST minimized through the use of:
A. alternative or diverse routing
B. compression software to minimize transmission duration
C. a packet filtering firewall to reroute messages
D. functional or message acknowledgments
View answer
Correct Answer: D
Question #76
Which of the following should be reviewed FIRST when planning an IS audit?
A. Recent financial information
B. Annual business unit budget
C. IS audit standards
D. The business environment
View answer
Correct Answer: C
Question #77
Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?
A. Periodic risk assessment
B. Full operational test C
D. Annual walk-through testing
View answer
Correct Answer: C
Question #78
Wi-Fi Protected Access implements the majority of which IEEE standard?
A. 802
B. 802
C. 802
D. 802
E. None of the choices
View answer
Correct Answer: A
Question #79
A multinational organization is introducing a security governance framework. The information security manager’s concern is that regional security practices differ. Which of the following should be evaluated FIRST?
A. Local regulatory requirements
B. Local IT requirements
C. Cross-border data mobility
D. Corporate security objectives
View answer
Correct Answer: C
Question #80
During the review of a business process reengineering project, the PRIMARY concern of an IS auditor is to determine whether the new business model:
A. is aligned with industry best practices
B. is aligned with organizational goals
C. leverages benchmarking results
D. meets its key performance measures
View answer
Correct Answer: B
Question #81
An IS auditor is reviewing an organization’s sales and purchasing system due to ongoing data quality issues. An analysis of which of the following would provide the MOST useful information to determine the revenue loss?
A. Correlation between the number of issues and average downtime
B. Cost of implementing data validation controls within the system
C. Comparison of the cost of data acquisition and loss in sales revenue
D. Correlation between data errors and loss in value of transactions
View answer
Correct Answer: C
Question #82
ISO 9126 is a standard to assist in evaluating the quality of a product. Which of the following is defined as a set of attributes that bear on the existence of a set of functions and their specified properties? A. Reliability
B. Usability
C. Functionality
D. Maintainability
View answer
Correct Answer: D
Question #83
What is the PRIMARY benefit of prototyping as a method of system development?
A. Reduces the need for testing
B. Minimizes the time the IS auditor has to review the system
C. Increases the likelihood of user satisfaction
D. Eliminates the need for documentation
View answer
Correct Answer: D
Question #84
You are part of a security staff at a highly profitable bank and each day, all traffic on the network is logged for later review. Every Friday when major deposits are made you're seeing a series of bits placed in the "Urgent Pointer" field of a TCP packet. This is only 16 bits which isn't much but it concerns you because:
A. This could be a sign of covert channeling in bank network communications and should be investigated
B. It could be a sign of a damaged network cable causing the issue
C. It could be a symptom of malfunctioning network card or drivers and the source system should be checked for the problem
D. It is normal traffic because sometimes the previous fields 16-bit checksum value can over run into the urgent pointer's 16-bit field causing the condition
View answer
Correct Answer: A
Question #85
What is the PRIMARY advantage of prototyping as part of systems development?
A. Maximizes user satisfaction
B. Eliminates the need for internal controls
C. Increases accuracy in reporting
D. Reduces the need for compliance testing A What is the BEST population to select from when testing that programs are migrated to production with proper approval?
A. List of changes provided by application programming managers
B. List of production programs
C. Completed change request forms
D. Change advisory board meeting minutes
View answer
Correct Answer: A
Question #86
The MOST important function of a business continuity plan is to:
A. ensure that the critical business functions can be recovered
B. provide procedures for evaluating tests of the business continuity plan
C. provide a schedule of events that has to occur if there is a disaster
D. ensure that all business functions are restored
View answer
Correct Answer: D
Question #87
Which of the following is not a good tactic to use against hackers?
A. Enticement
B. Entrapment
View answer
Correct Answer: B
Question #88
During a review of an organization’s IT incident management practices, the IS auditor finds the quality of incident resolution documentation is poor. Which of the following is the BEST recommendation to help address this issue?
A. Have service desk staff create documentation be choosing from pre-selected answers in the service management tool
B. Require service desk staff to open incident tickets only when they have sufficient information
C. Revise incident resolution procedures and provide training for service desk staff on the applicable updates
View answer
Correct Answer: A
Question #89
In which of the following SDLC phases would the IS auditor expect to find that controls have been incorporated into system specifications? A. Development
B. Implementation
C. Design
D. Feasibility
View answer
Correct Answer: B
Question #90
Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system’s edit routine?
A. Interviews with knowledgeable users
B. Use of test transactions
C. Review of source code
D. Review of program documentation
View answer
Correct Answer: S
Question #91
Which of the following procedures should be implemented prior to disposing of surplus computer equipment to employees?
A. Use operating system commands to delete all files from the hard drive
B. Have the employee receiving the machine sign a nondisclosure agreement
C. Use application delete commands to remove files
D. Overwrite the hard drive with random data
View answer
Correct Answer: B
Question #92
An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following would be MOST important to include?
A. Approval of data changes
B. Audit logging of administrative user activity
C. Segregation of duties controls
D. User access provisioning C While reviewing a hot site, the IS auditor discovers that one type of hardware platform is not installed
A. recommend the purchase and installation of hardware at the hot site
B. report the finding immediately to senior IS management
C. determine the business impact of the absence of the hardware
D. establish the lead time for delivery of a new machine
View answer
Correct Answer: C
Question #93
Which of the following should be an IS auditor’s PRIMARY concern when evaluating an organization’s information security policies, procedures, and controls for third-party vendors?
A. The third-party vendors have their own information security requirements
B. The organization is still responsible for protecting the data
C. Noncompliance is easily detected
D. The same procedures and controls are used for all third-party vendors
View answer
Correct Answer: D
Question #94
An organization plans to implement a virtualization strategy enabling multiple operating systems on a single host. Which of the following should be the GREATEST concern with this strategy?
A. Adequate storage space
B. Complexity of administration
C. Network bandwidth
D. Application performance
View answer
Correct Answer: B
Question #95
Which of the following refers to a symmetric key cipher which operates on fixedlength groups of bits with an unvarying transformation?
A. stream cipher
B. block cipher
C. check cipher
D. string cipher
E. None of the choices
View answer
Correct Answer: B
Question #96
Following an IS audit, which of the following types of risk would be MOST critical to communicate to key stakeholders?
A. Control
B. Residual
C. Audit
D. Inherent
View answer
Correct Answer: S
Question #97
When determining the specifications for a server supporting an online application using more than a hundred endpoints, which of the following is the MOST important factor to be considered?
A. High availability of different systems
B. Cost-benefit comparison between the available systems
C. Reputation of the vendors and their customer base
D. Transaction volume estimate during peak periods
View answer
Correct Answer: A
Question #98
Which of the following is the BEST course of action for an information security manager to align security and business goals?
A. Reviewing the business strategy
B. Actively engaging with stakeholders
C. Conducting a business impact analysis
D. Defining key performance indicators
View answer
Correct Answer: A
Question #99
Which of the following is the BEST reason for an organization to develop a business continuity plan?
A. To develop a detailed description of information systems and processes
B. To identify the users of information systems and processes
C. To avoid the costs resulting from the failure of key systems and processes
D. To establish business unit prioritization of systems, projects, and strategies
View answer
Correct Answer: C
Question #100
Labeling information according to its security classification:
A. reduces the need to identify baseline controls for each classification
B. reduces the number and type of countermeasures required
C. enhances the likelihood of people handling information securely
D. affects the consequences if information is handled insecurely
View answer
Correct Answer: D
Question #101
The GREATEST risk when performing data normalization is:
A. the increased complexity of the data model
B. duplication of audit logs
C. reduced data redundancy D
View answer
Correct Answer: B
Question #102
Which of the following is MOST important for an IS auditor to determine when evaluating a database for privacy-related risks? A. Whether copies of production data are masked
B. Whether the integrity of the data dictionary is maintained
C. Whether data import and export procedures are approved
D. Whether all database tables are normalized
View answer
Correct Answer: C
Question #103
Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?
A. The hypervisor is updated quarterly
B. Guest operating systems are updated monthly
C. Antivirus software has been implemented on the guest operating system only
D. A variety of guest operating systems operate on one virtual server
A. Alignment of the process to business objectives
B. Quality control review of new payments
C. Management approval of payments
D. Input validation
View answer
Correct Answer: D
Question #104
Which of the following roles combined with the role of a database administrator (DBA) will create a segregation of duties conflict?
A. Quality assurance
B. Systems analyst
C. Application end user
D. Security administrator
View answer
Correct Answer: D
Question #105
The Federal Information Processing Standards (FIPS) were developed by:
A. the United States Federal government
B. ANSI
C. ISO
D. IEEE
E. IANA
F. None of the choices
View answer
Correct Answer: A
Question #106
An auditor notes the administrator user ID is shared among three financial managers to perform month-end updates. Which of the following is the BEST recommendation to ensure the administrator ID in the financial system is controlled effectively?
A. Implement use of individual software tokens B
C. Institute user ID logging and monitoring
D. Ensure data in the financial systems has been classified
View answer
Correct Answer: C
Question #107
Which of the following is the PRIMARY benefit to an organization using an automated event monitoring solution?
A. Enhanced forensic analysis
B. Improved response time to incidents C
D. Reduced need for manual analysis
View answer
Correct Answer: D
Question #108
Which of the following is the BEST key performance indicator (KPI) for determining how well the IT policy is aligned to the business requirements?
A. Number of approved exceptions to the policy
B. Total cost of policy breaches
C. Total cost to support the policy
D. Number of inquiries regarding the policy
View answer
Correct Answer: A
Question #109
When reviewing business continuity plan (BCP) test results, it is MOST important for the IS auditor to determine whether the test:
A. verifies the ability to resume key business operations
B. considers changes to the systems environment
C. assesses the capability to retrieve vital records
D. follows up on activities that occurred since the previous test
View answer
Correct Answer: D
Question #110
A cloud service provider is unable to provide an independent assessment of controls. Which of the following is the BEST way to obtain assurance that the provider can adequately protect the organization’s information?
A. Check references supplied by the provider’s other customers
B. Invoke the right to audit per the contract
C. Review the provider’s information security policy
D. Review the provider’s self-assessment
View answer
Correct Answer: B
Question #111
Which of the following is MOST important for an IS auditor to consider when evaluating a Software as a Service (SaaS) arrangement?
A. Total cost of ownership
B. Frequency of software updates
C. Physical security
D. Software availability
View answer
Correct Answer: S
Question #112
During a review of an application system, an IS auditor identifies automated controls designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the controls work as designed?
A. Implement periodic reconciliations
B. Review quality assurance (QA) test results
View answer
Correct Answer: A
Question #113
Which of the following would be MOST useful for determining whether the goals of IT are aligned with the organization’s goals?
A. Balanced scorecard
B. Enterprise architecture
C. Key performance indicators
D. Enterprise dashboard
View answer
Correct Answer: C
Question #114
When reviewing capacity monitoring, an IS auditor notices several incidents where storage capacity limits were reached, while the average utilization was below 30%. Which of the following would the IS auditor MOST likely identify as the root cause?
A. The IT response to the alerts was too slow
B. The amount of data produced was unacceptable for operations
C. The storage space should have been enlarged in time
D. The dynamics of the utilization were not properly taken into account
View answer
Correct Answer: D
Question #115
During a follow-up audit, an IS auditor concludes that a previously identified issue has not been adequately remediated. The auditee insists the risk has been addressed. The auditor should:
A. recommend an independent assessment by a third party
B. report the disagreement according to established procedures
C. follow-up on the finding next year
D. accept the auditee’s position and close the finding A An organization allows employee use of personal mobile devices for corporate email
A. Email forwarding to private devices requires excessive network bandwidth
B. There is no corporate policy for the acceptable use of private devices
C. There is no adequate tracking of the working time spent out-of-hours
D. The help desk is not able to fully support different kinds of private devices
View answer
Correct Answer: S
Question #116
A critical server for a hospital has been encrypted by ransomware. The hospital is unable to function effectively without this server. Which of the following would MOST effectively allow the hospital to avoid paying the ransom? A. A continual server replication process
B. A property tested offline backup system
C. A property configured firewall
D. Employee training on ransomware
View answer
Correct Answer: B
Question #117
C. D. Which of the following is the MOST important for an IS auditor to do during an exit meeting with an auditee?
A. Ensure that the facts presented in the report are correct
B. Specify implementation dates for the recommendations
C. Request input in determining corrective action
D. Communicate the recommendations to senior management
View answer
Correct Answer: C
Question #118
Which of the following is MOST critical to the success of an information security program?
A. Integration of business and information security
B. Alignment of information security with IT objectives
C. Management’s commitment to information security
D. User accountability for information security
View answer
Correct Answer: A
Question #119
The MAIN consideration when designing an incident escalation plan should be ensuring that:
A. information assets are classified
B. appropriate stakeholders are involved
C. high-impact risks have been identified
D. requirements cover forensic analysis
View answer
Correct Answer: C
Question #120
What is an IS auditor’s BEST course of action when provided with a status update indicating audit recommendations related to segregation of duties for financial staff have been implemented?
A. Verify sufficient segregation of duties controls are in place
B. Request documentation of the segregation of duties policy and procedures
C. Note the department’s response in the audit workpapers and records
D. Confirm with the business that the recommendations are implemented
View answer
Correct Answer: D
Question #121
Which of the following data validation control validates input data against predefined range values?
A. Range Check
B. Table lookups C
D. Reasonableness check
View answer
Correct Answer: C
Question #122
An IS auditor finds that application servers had inconsistent configurations leading to potential security vulnerabilities. Which of the following should the auditor recommend FIRST?
A. Enforce server baseline standards
B. Improve change management processes using a workflow tool
C. Hold the application owner accountable for monitoring metrics
D. Use a single vendor for the application servers
View answer
Correct Answer: A
Question #123
Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?
A. Performing independent reviews of responsible parties engaged in the project
B. Ensuring the project progresses as scheduled and milestones are achieved
C. Performing day-to-day activities to ensure the successful completion of the project
D. Providing sign off on the design of controls for the data center
View answer
Correct Answer: C
Question #124
Which of the following is MOST important for an IS auditor to consider during a review of the IT governance of an organization?
A. Funding allocations
B. Risk management methodology
C. Defined service levels
D. Decision making responsibilities
View answer
Correct Answer: B
Question #125
After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor’s BEST course of action would be to:
A. review the results of compliance testing
B. quantify improvements in client satisfaction
C. confirm that risk has declined since the application system release
D. perform a gap analysis against the benefits defined in the business case
View answer
Correct Answer: C
Question #126
An IS auditor conducts a review of a third-party vendor’s reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?
A. Some KPIs are not documented
B. KPIs have never been updated
C. KPIs data is not being analyzed
D. KPIs are not clearly defined
View answer
Correct Answer: D
Question #127
Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?
A. To efficiently test an entire population
B. To perform direct testing of production data
C. To conduct automated sampling for testing
D. To enable quicker access to information
View answer
Correct Answer: S
Question #128
When reviewing the effectiveness of data center operations, the IS auditor would FIRST establish that system performance:
A. is monitored and reported against agreed service levels
B. reflects the expected usage levels established at implementation
C. meets the expected targets specified by the manufacturer
D. is within generally accepted reliability levels for that system
View answer
Correct Answer: C
Question #129
An organization that has suffered a cyber attack is performing a forensic analysis of the affected users’ computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
A. The chain of custody has not been documented
B. The legal department has not been engaged
C. An imagining process was used to obtain a copy of the data from each computer
D. Audit was only involved during extraction of the information
View answer
Correct Answer: B
Question #130
To BEST evaluate the effectiveness of a disaster recovery plan, the IS auditor should review the:
A. test plan and results of past tests
B. plans and procedures in the business continuity plan
C. capacity of backup facilities
D. hardware and software inventory
View answer
Correct Answer: D
Question #131
Many WEP systems require a key in a relatively insecure format. What format is this?
A. binary format
B. hexadecimal format
C. 128 bit format
D. 256 bit format
E. None of the choices
View answer
Correct Answer: B
Question #132
Which of the following will BEST protect an organization against spear phishing?
A. Email content filtering B
C. End-user training
D. Antivirus software
View answer
Correct Answer: B
Question #133
Which of the following is the client organization’s responsibility in a Software as a Service (SaaS) environment?
A. Detecting unauthorized access
B. Ensuring that users are properly authorized
C. Ensuring the data is available when needed
D. Preventing insertion of malicious code
View answer
Correct Answer: A
Question #134
An organization has outsourced some of its subprocesses to a service provider. When scoping the audit of the provider, the organization’s internal auditor should FIRST:
A. evaluate operational controls of the provider
B. discuss audit objectives with the provider
C. review internal audit reports of the provider
D. review the contract with the provider
View answer
Correct Answer: B
Question #135
An IS auditor is reviewing the process followed in identifying and prioritizing the critical business processes. This process is part of the:
A. balanced scorecard
B. business impact analysis (BIA)
C. operations component of the business continuity plan (BCP)
D. enterprise risk management plan
View answer
Correct Answer: D
Question #136
An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the data on the backup tapes?
A. Ensure that data is encrypted before leaving the facility
B. Ensure that the transport company obtains signatures for all shipments
C. Confirm that data is transported in locked tamper-evident containers
D. Confirm that data transfers are logged and recorded
View answer
Correct Answer: A
Question #137
Which of the following sampling techniques is commonly used in fraud detection when the expected occurrence rate is small and the specific controls are critical?
A. Discovery sampling
B. Monetary unit sampling
C. Stop-or-go sampling
D. Random sampling
View answer
Correct Answer: D
Question #138
Which of the following is MOST important for the IS auditor to verify when reviewing the development process of a security policy?
A. Evidence of active involvement of key stakeholders
B. Output from the enterprise’s risk management system
C. Identification of the control framework
D. Evidence of management approval
View answer
Correct Answer: D
Question #139
Which of the following could be determined by entity-relationship diagram?
A. Links between data objects
B. How the system behaves as a consequence of external events
C. How data are transformed as they move through the system
D. Modes of behavior of data objects
View answer
Correct Answer: A
Question #140
An IS auditor has observed gaps in the data available to the organization for detecting incidents. Which of the following would be the BEST recommendation to improve the organization’s security incident response capability?
A. Document procedures for incident escalation
B. Document procedures for incident classification
View answer
Correct Answer: C
Question #141
What is the BEST indicator of successful implementation of an organization’s information security policy?
A. Reduced number of successful phishing incidents
B. Reduced number of help desk calls
C. Reduced number of noncompliance penalties incurred
D. Reduced number of false-positive security events
View answer
Correct Answer: B
Question #142
Which of the following would be MOST important to update once a decision has been made to outsource a critical application to a cloud service provider?
A. Project portfolio
B. IT resource plan
C. IT budget
D. Business impact analysis (BIA)
View answer
Correct Answer: B
Question #143
Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)? Developing the CSA questionnaire
B. Developing the remediation plan
C. Implementing the remediation plan
D. Partially completing the CSA
View answer
Correct Answer: C
Question #144
A change to the scope of an IT project has been formally submitted to the project manager. What should the project manager do NEXT?
A. Update the project plan to reflect the change in scope
B. Discuss the change with the project team and determine if it should be approved
C. Escalate the change to the change advisory board for approval
D. Determine how the change will affect the schedule and budget
View answer
Correct Answer: B
Question #145
An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes?
A. Results from a business impact analysis B
C. An inventory of security controls currently in place
D. Deadline and penalties for noncompliance
View answer
Correct Answer: D
Question #146
An organization has an approved bring your own device (BYOD) program. Which of the following is the MOST effective method to enforce application control on personal devices?
A. Implement a mobile device management solution
B. Establish a mobile device acceptable use policy
C. Implement a web application firewall
D. Educate users regarding the use of approved applications
View answer
Correct Answer: D
Question #147
An IS auditor is reviewing an organization’s incident management processes and procedures. Which of the following observations should be the auditor’s GREATEST concern?
A. Ineffective incident classification
B. Ineffective incident prioritization
C. Ineffective incident detection
D. Ineffective post-incident review
View answer
Correct Answer: D
Question #148
Which of the following would be the GREATEST concern to an IS auditor reviewing an IT outsourcing arrangement? Explanation/Reference: A. Several IT personnel perform the same functions as the vendor.
B. The contract does not include a renewal option
C. Development of KPIs that will be used was assigned to the vendor
D. Some penalties were waived during contract negotiations
View answer
Correct Answer: C
Question #149
An emergency change was made to an IT system as a result of a failure. Which of the following should be of GREATEST concern to the organization’s information security manager?
A. The operations team implemented the change without regression testing
B. The change did not include a proper assessment of risk
C. Documentation of the change was made after implementation
D. The information security manager did not review the change prior to implementation
View answer
Correct Answer: S
Question #150
During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file. Which of the following controls would have BEST prevented such an occurrence?
A. Logical relationship check
B. Existence check
C. Table look-ups
D. Referential integrity
View answer
Correct Answer: A
Question #151
Which of the following BEST indicates a need to review an organization’s information security policy?
A. Completion of annual IT risk assessment
B. Increasing complexity of business transactions
C. Increasing exceptions approved by management
D. High number of low-risk findings in the audit report
View answer
Correct Answer: A
Question #152
Which of the following is MOST important to the effective management of an end user-developed application?
A. Implementing best practice folder structures
B. Continuous monitoring to facilitate prompt escalation of issues
C. Assigning risk ratings based on probability and impact
D. Stress testing the application through use of data outliers
View answer
Correct Answer: D
Question #153
A core business unit relies on an effective legacy system that does not meet the current security standards and threatens the enterprise network. Which of the following is the BEST course of action to address the situation?
A. Require that new systems that can meet the standards be implemented
B. Document the deficiencies in the risk register
C. Develop processes to compensate for the deficiencies
D. Disconnect the legacy system from the rest of the network
View answer
Correct Answer: A
Question #154
Which of the following is the PRIMARY reason for an IS auditor to issue an interim audit report?
A. To avoid issuing a final audit report
B. To enable the auditor to complete the engagement in a timely manner
C. To provide feedback to the auditee for timely remediation
D. To provide follow-up opportunity during the audit
View answer
Correct Answer: B
Question #155
Which of the following is MOST important in determining a project’s feasibility?
A. The organization’s main competitor has initiated a similar project
B. The IT steering committee endorses the project
C. A project management methodology is established
D. The project’s value is established in an approved business case
View answer
Correct Answer: D
Question #156
An IS auditor reviewed the business case for a proposed investment to virtualize an organization’s server infrastructure. Which of the following is MOST likely to be included among the benefits in the project proposal?
A. Fewer operating system licenses
B. Better efficiency of logical resources C
D. Less memory and storage space
View answer
Correct Answer: D
Question #157
Which of the following is the MOST effective data loss control when connecting a personally owned mobile device to the corporate email system?
A. A senior manager must approve each new connection
B. Email synchronization must be prevented when connected to a public Wi-Fi hotspot
C. Email must be stored in an encrypted format on the mobile device
View answer
Correct Answer: A
Question #158
A review of Internet security disclosed that users have individual user accounts with the Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only corporate network is used. The organization should FIRST:
A. use a proxy server to filter out Internet sites that should not be accessed
B. keep a manual log of Internal access
C. monitor remote access activities
D. include a statement in its security policy about Internet use
View answer
Correct Answer: C
Question #159
Which of the following is the BEST methodology to use for estimating the complexity of developing a large business application?
A. Function point analysis
B. Software cost estimation
C. Work breakdown structure
D. Critical path analysis A An organization is considering allowing users to connect personal devices to the corporate network
A. Configure users on the mobile device management solution
B. Create inventory records of personal devices
C. Implement an acceptable use policy
D. Conduct security awareness training
View answer
Correct Answer: A
Question #160
A database administrator (DBA) extracts a user listing for an auditor as testing evidence. Which of the following will provide the GREATEST assurance that the user listing is reliable?
A. Requesting a query that returns the count of the users
B. Requesting a copy of the query that generated the user listing
C. Obtaining sign-off from the DBA to attest that the list is complete
D. Witnessing the DBA running the query in-person
View answer
Correct Answer: C
Question #161
Statistical sampling is NOT based on which of the following audit sample techniques?
A. Haphazard Sampling B
C. Cell Sampling
D. Fixed interval sampling
View answer
Correct Answer: A
Question #162
Which of the following BEST provides continuous availability of network bandwidth for critical application services?
A. Configuration management
B. Cloud computing
C. Problem management
D. Quality of service (QoS)
View answer
Correct Answer: C
Question #163
Which of the following is MOST important when evaluating the retention period for a cloud provider’s client data backups?
A. Cost of data storage
B. Contractual commitments
C. Previous audit recommendations
D. Industry best practice
View answer
Correct Answer: A
Question #164
An IS auditor is conducting a review of an organization’s information systems and discovers data that is no longer needed by business applications. Which of the following would be the IS auditor’s BEST recommendation?
A. Ask the data custodian to remove it after confirmation from the business user
B. Assess the data according to the retention policy
C. Back up the data to removable media and store in a secure area
D. Keep the data and protect it using a data classification policy
View answer
Correct Answer: B
Question #165
Which of the following is an IS auditor’s BEST course of action upon learning that preventive controls have been replaced with detective and corrective controls?
A. Report the issue to management as the risk level has increased
B. Recommend the implementation of preventive controls in addition to the other controls
C. Verify the revised controls enhance the efficiency of related business processes
D. Evaluate whether new controls manage the risk at an acceptable level
View answer
Correct Answer: A
Question #166
Which of the following IS audit recommendations would BEST help to ensure appropriate mitigation will occur on control weaknesses identified during an audit? Assign actions to responsible personnel and follow up.
B. Report on progress to the audit committee
C. Perform a cost-benefit analysis on remediation strategy
D. Implement software to input the action points from the IS audit
View answer
Correct Answer: B
Question #167
Which of the following findings should be of MOST concern to an IS auditor when evaluating information security governance within an organization?
A. The data center manager has final sign-off on security projects
B. The information security oversight committee meets quarterly
C. The information security department has difficulty filling vacancies
D. Information security policies were last updated two years ago
View answer
Correct Answer: B
Question #168
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
A. Verify the disaster recovery plan (DRP) has been tested
B. Ensure the intrusion prevention system (IPS) is effective
C. Confirm the incident response team understands the issue
D. Assess the security risks to the business
A. Operators are degaussing magnetic tapes during night shifts
B. System programmers have logged access to operating system parameters
C. System programmers are performing the duties of operators
D. Operators are acting as tape librarians on alternate shifts
View answer
Correct Answer: B
Question #169
A start-up company acquiring servers for its order-taking system is unable to predict the volume of transactions. Which of the following is MOST important for the company to consider?
A. Scalability
B. Configuration
C. Optimization
D. Compatibility
View answer
Correct Answer: B
Question #170
What is an IS auditor’s BEST recommendation for management if a network vulnerability assessment confirms that critical patches have not been applied since the last assessment?
A. Implement a process to test and apply appropriate patches
B. Apply available patches and continue periodic monitoring
C. Configure servers to automatically apply available patches
D. Remove unpatched devices from the network
View answer
Correct Answer: A
Question #171
Which of the following should be an IS auditor’s BEST recommendation to prevent installation of unlicensed software on employees’ company-provided devices?
A. Enforce audit logging of software installation activities
B. Restrict software installation authority to administrative users only
C. Implement software blacklisting
D. Remove unlicensed software from end-user devices
View answer
Correct Answer: A
Question #172
An organization wants to reuse company-provided smartphones collected from staff leaving the organization. Which of the following would be the BEST recommendation?
A. The memory cards of the smartphones should be replaced
B. Smartphones should not be reused, but physically destroyed
C. Data should be securely deleted from the smartphones
D. The SIM card and telephone number should be changed
View answer
Correct Answer: C
Question #173
Management decided to accept the residual risk of an audit finding and not take the recommended actions. The internal audit team believes the acceptance is inappropriate and has discussed the situation with executive management. After this discussion, there is still disagreement regarding the decision. Which of the following is the BEST course of action by internal audit?
A. Report this matter to the audit committee without notifying executive management
B. Document in the audit report that management has accepted the residual risk and take no further actions
C. Report the issue to the audit committee in a joint meeting with executive management for resolution
D. Schedule another meeting with executive management to convince them of taking action as recommended
View answer
Correct Answer: D
Question #174
Communicating which of the following would BEST encourage management to initiate appropriate actions following the receipt of report findings? A. Risk implications of the observations
B. Strict deadlines to close all observations
C. Statistical sampling used to derive observations
D. Recommendations that align with the business strategy
View answer
Correct Answer: C
Question #175
To help ensure the accuracy and completeness of end-user computing output, it is MOST important to include strong: A. reconciliation controls.
B. change management controls
C. access management controls
D. documentation controls
View answer
Correct Answer: A
Question #176
Which of the following would BEST help to ensure compliance with an organization’s information security requirements by an IT service provider?
A. Defining the business recovery plan with the IT service provider
B. Requiring an external security audits of the IT service provider
C. Defining information security requirements with internal IT
D. Requiring regular reporting from the IT service provider
View answer
Correct Answer: D
Question #177
The MOST important reason for documenting all aspects of a digital forensic investigation is that documentation:
A. provides traceability for independent investigation by third parties
B. ensures compliance with corporate incident response policies
C. ensures the process will be repeatable in future investigations
D. meets IT audit documentation standards
View answer
Correct Answer: B
Question #178
Which of the following is MOST likely to be included in computer operating procedures in a large data center?
A. Instructions for job scheduling
B. Procedures for resequencing source code
C. Procedures for utility configuration
D. Guidance on setting security parameters
View answer
Correct Answer: B

View The Updated ISACA Exam Questions

SPOTO Provides 100% Real ISACA Exam Questions for You to Pass Your ISACA Exam!

View Answers after Submission

Please submit your email and WhatsApp to get the answers of questions.

Note: Please make sure your email ID and Whatsapp are valid so that you can get the correct exam results.

Email:
Whatsapp/phone number: