CISA Exam 388 Questions with Verified Answers,100% CORRECT

Pages: 90
Uploaded on: 15-03-2024
Written in: 2023/2024

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
a. Parity check
b. Echo check
c. Block sum check
d. Cyclic redundancy check
CORRECT ANSWER: d. Cyclic redundancy check

Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV records are deleted after one year.
C. CCTV footage is not recorded 24 x 7.
D. CCTV cameras are not installed in break rooms.
CORRECT ANSWER: A. CCTV recordings are not regularly reviewed.

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
A. a clear business case has been established.
B. the new hardware meets established security standards.
C. a full, visible audit trail will be included.
D. the implementation plan meets user requirements.
CORRECT ANSWER: A. a clear business case has been established.

An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
CORRECT ANSWER: C. Pilot

Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
CORRECT ANSWER: C. Integration testing

An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. The triggering of remote data wipe capabilities
C. Awareness training for mobile device users
D. Complex password policy for mobile devices
CORRECT ANSWER: A. Data encryption on the mobile device

During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
A. cost-benefit analysis.
B. acceptance testing.
C. application test cases.
D. project plans.
CORRECT ANSWER: C. application test cases.

Upon completion of audit work, an IS auditor should:
A. provide a report to the auditee stating the initial findings.
B. provide a report to senior management prior to discussion with the auditee.
C. distribute a summary of general findings to the members of the auditing team.
D. review the working papers with the auditee.
CORRECT ANSWER: A. provide a report to the auditee stating the initial findings.

During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same areas simultaneously, which of the following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Roll forward the general controls audit to the subsequent audit year.
D. Request that the external audit team leverage the internal audit work.
CORRECT ANSWER: A. Leverage the work performed by external audit for the internal audit testing.

The GREATEST benefit of using a prototyping approach in software development is that it helps to:
A. improve efficiency of quality assurance (QA) testing.
B. conceptualize and clarify requirements.
C. decrease the time allocated for user testing and review.
D. minimize scope changes to the system.
CORRECT ANSWER: D. minimize scope changes to the system.

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A. Risk reduction
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
CORRECT ANSWER: D. Risk avoidance

Which of the following MOST effectively minimizes downtime during system conversions?
A. Phased approach
B. Parallel run
C. Direct cutover
D. Pilot study
CORRECT ANSWER: B. Parallel run

Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
A. Message encryption
B. Steganography
C. Certificate authority (CA)
D. Message digest
CORRECT ANSWER: D. Message digest

An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern?
A. A gap analysis against regulatory requirements has not been conducted.
B. The third party disclosed a policy-related issue of noncompliance.
C. The organization has not reviewed the third party's policies and procedures.
D. The organization has not communicated regulatory requirements to the third party.
CORRECT ANSWER: D. The organization has not communicated regulatory requirements to the third party.

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
A. The quality of the data is not monitored.
B. The transfer protocol does not require authentication.
C. Imported data is not disposed of frequently.
D. The transfer protocol is not encrypted.
CORRECT ANSWER: A. The quality of the data is not monitored.

In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
A. application programmer.
B. quality assurance (QA) personnel.
C. computer operator.
D. systems programmer.
CORRECT ANSWER: A. application programmer.
A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?
A. Rotation of log monitoring and analysis responsibilities
B. Additional management reviews and reconciliations
C. Mandatory vacations
D. Third-party assessments
CORRECT ANSWER: B. Additional management reviews and reconciliations

Which of the following is the BEST indicator of the effectiveness of an organization's incident response program?
A. Number of successful penetration tests
B. Percentage of protected business applications
C. Number of security vulnerability patches
D. Financial impact per security event
CORRECT ANSWER: B. Percentage of protected business applications

An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
A. Mobile devices are not encrypted.
B. Users are not required to sign updated acceptable use agreements.
C. The business continuity plan (BCP) was not updated.
D. Users have not been trained on the new system.
CORRECT ANSWER: C. The business continuity plan (BCP) was not updated.

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?
A. Data loss prevention (DLP) system
B. Perimeter firewall
C. Network segmentation
D. Web application firewall
CORRECT ANSWER: C. Network segmentation

When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
A. channel access only through the public-facing firewall.
B. channel access through authentication.
C. communicate via Transport Layer Security (TLS).
D. block authorized users from unauthorized activities.
CORRECT ANSWER: C. communicate via Transport Layer Security (TLS).
During audit fieldwork, an IS auditor learns that employees are allowed to connect their personal devices to company-owned computers. How can the auditorBEST validate that appropriate security controls are in place to prevent data loss? A. Verify the data loss prevention (DLP) tool is properly configured by the organization. B. Review compliance with data loss and applicable mobile device user acceptance policies. C. Verify employees have received appropriate mobile device security awareness training. D. Conduct a walk-through to view results of an employee plugging in a device to transfer confidential data. - CORRECT ANSWER B. Review compliance with data loss and applicable mobile device user acceptance policies. Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed? A. Implementation methodology B. Test results C. Purchasing guidelines and policies D. Results of live processing - CORRECT ANSWER D. Results of live processing Which of the following is an advantage of using agile software development methodology over the waterfall methodology? A. Quicker end user acceptance B. Clearly defined business expectations C. Quicker deliverables D. Less funding required overall - CORRECT ANSWER C. Quicker deliverables In an online application, which of the following would provide the MOST information about the transaction audit trail? A. File layouts B. Data architecture C. System/process flowchart D. Source code documentation - CORRECT ANSWER B. Data architecture On a public-key cryptosystem when there is no previous knowledge between parties, which of the following will BEST help to prevent one person from using a fictitious key to impersonate someone else? A. Send a certificate that can be verified by a certification authority with the public key. B. 
Encrypt the message containing the sender's public key, using the recipient's public key. C. Send the public key to the recipient prior to establishing the connection. D. Encrypt the message containing the sender's public key, using a private-key cryptosystem. - CORRECT ANSWER A. Send a certificate that can be verified by a certification authority with the public key. Which of the following would provide the MOST important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program? A. Results of a risk assessment B. Policies including BYOD acceptable use statements C. Findings from prior audits D. An inventory of personal devices to be connected to the corporate network - CORRECT ANSWER A. Results of a risk assessment Which audit approach is MOST helpful in optimizing the use of IS audit resources? A. Agile auditing B. Continuous auditing C. Risk-based auditing D. Outsourced auditing - CORRECT ANSWER C. Risk-based auditing An IS auditor learns the organization has experienced several server failures in its distributed environment. Which of the following is the BEST recommendation to limit the potential impact of server failures in the future? A. Failover power B. Clustering C. Parallel testing D. Redundant pathways - CORRECT ANSWER B. Clustering During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action? A. Request management wait until a final report is ready for discussion. B. Request the auditee provide management responses. C. Review working papers with the auditee. D. Present observations for discussion only. - CORRECT ANSWER D. Present observations for discussion only. Which of the following is the MOST important responsibility of user departments associated with program changes? A. Analyzing change requests B. Providing unit test data C. Updating documentation to reflect latest changes D. 
Approving changes before implementation - CORRECT ANSWER A. Analyzing change requests Which of the following would be of GREATEST concern when reviewing an organization's security information and event management (SIEM) solution? A. SIEM reporting is ad hoc. B. SIEM reporting is customized. C. SIEM configuration is reviewed annually. D. The SIEM is decentralized. - CORRECT ANSWER D. The SIEM is decentralized. An IS auditor is evaluating the access controls for a shared customer relationship management (CRM) system. Which of the following would be the GREATEST concern? A. Audit logging is not enabled. B. Single sign-on is not enabled. C. Complex passwords are not required. D. Security baseline is not consistently applied. - CORRECT ANSWER A. Audit logging is not enabled. An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework? A. Recent third-party IS audit reports B. Current and previous internal IS audit reports C. IT performance benchmarking reports with competitors D. Self-assessment reports of IT capability and maturity - CORRECT ANSWER A. Recent third-party IS audit reports Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure? A. The policy includes a strong risk-based approach. B. The retention period complies with data owner responsibilities. C. The retention period allows for review during the year-end audit. D. The total transaction amount has no impact on financial reporting. - CORRECT ANSWER A. The policy includes a strong risk-based approach. Which of the following should an IS auditor be MOST concerned with during a post-implementation review? A. The system does not have a maintenance plan. B. 
The system contains several minor defects. C. The system deployment was delayed by three weeks. D. The system was over budget by 15%. - CORRECT ANSWER B. The system contains several minor defects. An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action? A. Note the exception in a new report as the item was not addressed by management. B. Interview management to determine why the finding was not addressed. C. Recommend alternative solutions to address the repeat finding. D. Conduct a risk assessment of the repeat finding. - CORRECT ANSWER B. Interview management to determine why the finding was not addressed. During which process is regression testing MOST commonly used? A. Unit testing B. System modification C. Stress testing D. Program development - CORRECT ANSWER B. System modification An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action? A. Contact the incident response team to conduct an investigation. B. Advise management of the crime after the investigation. C. Examine the computer to search for evidence supporting the suspicions. D. Notify local law enforcement of the potential crime before further investigation. - CORRECT ANSWER A. Contact the incident response team to conduct an investigation. Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center? A. Knowledge of the IT staff regarding data protection requirements B. Complete and accurate list of information assets that have been deployed C. Segregation of duties between staff ordering and staff receiving information assets D. Availability and testing of onsite backup generators - CORRECT ANSWER B. 
Complete and accurate list of information assets that have been deployed Providing security certification for a new system should include which of the following prior to the system's implementation? A. End-user authorization to use the system in production B. Testing of the system within the production environment C. An evaluation of the configuration management practices D. External audit sign-off on financial controls - CORRECT ANSWER C. An evaluation of the configuration management practices Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization? A. Create the DLP policies and templates. B. Conduct a threat analysis against sensitive data usage. C. Conduct a data inventory and classification exercise. D. Identify approved data workflows across the enterprise. - CORRECT ANSWER C. Conduct a data inventory and classification exercise. The success of control self-assessment depends highly on: a. line managers assuming a portion of the responsibility for control monitoring. b. assigning staff managers, the responsibility for building controls. c. the implementation of a stringent control policy and rule-driven controls. d. the implementation of supervision and monitoring of controls of assigned duties. - CORRECT ANSWER a. line managers assuming a portion of the responsibility for control monitoring. During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to: a. address audit objectives. b. collect sufficient evidence. c. specify appropriate tests. d. minimize audit resources. - CORRECT ANSWER a. address audit objectives. A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? a. Key verification b. One-for-one checking c. Manual recalculations d. Functional acknowledgements - CORRECT ANSWER d. 
Functional acknowledgements When developing a risk management program, what is the FIRST activity to be performed? a. Threat assessment b. Classification of data c. Inventory of assets d. Criticality analysis - CORRECT ANSWER c. Inventory of assets Which of the following situations could impair the independence of an IS auditor? The IS auditor: a. implemented specific functionality during the development of an application. b. designed an embedded audit module for auditing an application. c. participated as a member of an application project team and did not have operational responsibilities. d. provided consulting advice concerning application good practices. - CORRECT ANSWER a. implemented specific functionality during the development of an application. When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following? a. The point at which controls are exercised as data flow through the system b. Only preventive and detective controls are relevant c. Corrective controls are regarded as compensating d. Classification allows an IS auditor to determine which controls are missing - CORRECT ANSWER a. The point at which controls are exercised as data flow through the system During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should: a. ask the auditee to sign a release form accepting full legal responsibility. b. elaborate on the significance of the finding and the risk of not correcting it. c. report the disagreement to the audit committee for resolution. d. accept the auditee's position because they are the process owners. - CORRECT ANSWER b. elaborate on the significance of the finding and the risk of not correcting it. During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should: a. create the procedures document based on the practices. b. 
issue an opinion of the current state and end the audit. c. conduct compliance testing on available data. d. identify and evaluate existing practices. - CORRECT ANSWER d. identify and evaluate existing practices. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? a. Overlapping controls b. Boundary controls c. Access controls d. Compensating controls - CORRECT ANSWER d. Compensating controls For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? a. Use of computer-assisted audit techniques b. Quarterly risk assessments c. Sampling of transaction logs d. Continuous auditing - CORRECT ANSWER d. Continuous auditing An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? a. Development of an audit program b. Define the audit scope c. Identification of key information owners d. Development of a risk assessment - CORRECT ANSWER d. Development of a risk assessment Which of the following is evaluated as a preventive control by an IS auditor performing an audit? a. Transaction logs b. Before and after image reporting c. Table lookups d. Tracing and tagging - CORRECT ANSWER c. Table lookups Which of the following is MOST important to ensure that effective application controls are maintained? a. Exception reporting b. Manager involvement c. Control self-assessment d. Peer reviews - CORRECT ANSWER c. Control self-assessment While performing an audit of an accounting application's internal data integrity controls, an IS auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to: a. 
continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions. b. complete the audit and not report the control deficiency because it is not part of the audit scope. c. continue to test the accounting application controls and include the deficiency in the final report. d. cease all audit activity until the control deficiency is resolved. - CORRECT ANSWER c. continue to test the accounting application controls and include the deficiency in the final report. An organization's IS audit charter should specify the: a. plans for IS audit engagements. b. objectives and scope of IS audit engagements. c. detailed training plan for the IS audit staff. d. role of the IS audit function. - CORRECT ANSWER d. role of the IS audit function. Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? a. Prioritize the identified risk. b. Define the audit universe. c. Identify the critical controls. d. Determine the testing approach. - CORRECT ANSWER b. Define the audit universe. An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: a. most valuable information assets. b. IS audit resources to be deployed. c. auditee personnel to be interviewed. d. control objectives and activities. - CORRECT ANSWER d. control objectives and activities. An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: a. remove the IS auditor from the engagement. b. cancel the engagement. c. disclose the issue to the client. d. take steps to restore the IS auditor's independence. - CORRECT ANSWER c. disclose the issue to the client. The internal audit department has written some scripts that are used for continuous auditing of some information systems. 
The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? a. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit. b. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. c. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. d. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the - CORRECT ANSWER c. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process? a. Participating in the design of the risk management framework b. Advising on different implementation techniques c. Facilitating risk awareness training d. Performing due diligence of the risk management processes - CORRECT ANSWER a. Participating in the design of the risk management framework While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: a. effectiveness of the QA function because it should interact between project management and user management. b. efficiency of the QA function because it should interact with the project implementation team. c. effectiveness of the project manager because the project manager should interact with the QA function. d. 
efficiency of the project manager because the QA function needs to communicate with the project implementation team. - CORRECT ANSWER a. effectiveness of the QA function because it should interact between project management and user management. Which of the following choices would be the BEST source of information when developing a risk-based audit plan? a. Process owners identify key controls. b. System custodians identify vulnerabilities. c. Peer auditors understand previous audit results. d. Senior management identify key business processes. - CORRECT ANSWER d. Senior management identify key business processes. Which of the following is in the BEST position to approve changes to the audit charter? a. Board of directors b. Audit committee c. Executive management d. Director of internal audit - CORRECT ANSWER b. Audit committee A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a: a. directive control. b. corrective control. c. compensating control. d. detective control. - CORRECT ANSWER b. corrective control. A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this? a. Detective b. Preventive c. Corrective d. Directive - CORRECT ANSWER b. Preventive Which of the following is the PRIMARY purpose of a risk-based audit? a. High-impact areas are addressed first. b. Audit resources are allocated efficiently. c. Material areas are addressed first. d. Management concerns are prioritized. - CORRECT ANSWER c. Material areas are addressed first. In a small organization, the function of release manager and application programmer are performed by the same employee. What is the BEST compensating control in this scenario? a. 
Hiring additional staff to provide segregation of duties b. Preventing the release manager from making program modifications c. Logging of changes to development libraries d. Verifying that only approved program changes are implemented - CORRECT ANSWER d. Verifying that only approved program changes are implemented Which of the following is MOST likely to be considered a conflict of interest for an IS auditor who is reviewing a cybersecurity implementation? a. Delivering cybersecurity awareness training b. Designing the cybersecurity controls c. Advising on the cybersecurity framework d. Conducting the vulnerability assessment - CORRECT ANSWER b. Designing the cybersecurity controls Which of the following is MOST important for an IS auditor to understand when auditing an e-commerce environment? a. The technology architecture of the e-commerce environment b. The policies, procedures and practices forming the control environment c. The nature and criticality of the business process supported by the application d. Continuous monitoring of control measures for system availability and reliability - CORRECT ANSWER c. The nature and criticality of the business process supported by the application An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk is properly addressed, the IS auditor will most likely review which of the following? a. Privileged access to the wire transfer system b. Wire transfer procedures c. Fraud monitoring controls d. Employee background checks - CORRECT ANSWER b. Wire transfer procedures An IS auditor notes that failed login attempts to a core financial system are automatically logged and the logs are retained for a year by the organization. This logging is: a. an effective preventive control. b. a valid detective control. c. not an adequate control. d. a corrective control. - CORRECT ANSWER c. not an adequate control. 
Which audit technique provides the BEST evidence of the segregation of duties in an IT department? a. Discussion with management b. Review of the organization chart c. Observation and interviews d. Testing of user access rights - CORRECT ANSWER c. Observation and interviews
The PRIMARY purpose for meeting with auditees prior to formally closing a review is to: a. confirm that the auditors did not overlook any important issues. b. gain agreement on the findings. c. receive feedback on the adequacy of the audit procedures. d. test the structure of the final presentation. - CORRECT ANSWER b. gain agreement on the findings.
Which of the following sampling methods is MOST useful when testing for compliance? a. Attribute sampling b. Variable sampling c. Stratified mean per unit sampling d. Difference estimation sampling - CORRECT ANSWER a. Attribute sampling
Which of the following would normally be the MOST reliable evidence for an IS auditor? a. A confirmation letter received from a third party verifying an account balance b. Assurance from line management that an application is working as designed c. Trend data obtained from Internet sources d. Ratio analysis developed by the IS auditor from reports supplied by line management - CORRECT ANSWER a. A confirmation letter received from a third party verifying an account balance
The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation? a. Generate sample test data b. Generalized audit software c. Integrated test facility d. Embedded audit module - CORRECT ANSWER b. Generalized audit software
In the process of evaluating program change controls, an IS auditor would use source code comparison software to: a. examine source program changes without information from IS personnel. b. detect a source program change made between acquiring a copy of the source and the comparison run. c. identify and validate any differences between the control copy and the production program. d. ensure that all changes made in the current source copy are tested. - CORRECT ANSWER a. examine source program changes without information from IS personnel.
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: a. expand activities to determine whether an investigation is warranted. b. report the matter to the audit committee. c. report the possibility of fraud to management. d. consult with external legal counsel to determine the course of action to be taken. - CORRECT ANSWER a. expand activities to determine whether an investigation is warranted.
When selecting audit procedures, an IS auditor should use professional judgment to ensure that: a. sufficient evidence will be collected. b. significant deficiencies will be corrected within a reasonable period. c. all material weaknesses will be identified. d. audit costs will be kept at a minimum level. - CORRECT ANSWER a. sufficient evidence will be collected.
An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when: a. the probability of error must be objectively quantified. b. the auditor wants to avoid sampling risk. c. generalized audit software is unavailable. d. the tolerable error rate cannot be determined. - CORRECT ANSWER a. the probability of error must be objectively quantified.
The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors? a. Stop-or-go b. Classical variable c. Discovery d. Probability-proportional-to-size - CORRECT ANSWER c. Discovery
An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? a. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. b. Publish a report omitting the areas where the evidence obtained from testing was inconclusive. c. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained. d. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed. - CORRECT ANSWER a. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings? a. System configuration values imported to a spreadsheet by the system administrator b. Standard report with configuration values retrieved from the system by the IS auditor c. Dated screenshot of the system configuration settings made available by the system administrator d. Annual review of approved system configuration values by the business owner - CORRECT ANSWER b. Standard report with configuration values retrieved from the system by the IS auditor
Which of the following will MOST successfully identify overlapping key controls in business application systems? a. Reviewing system functionalities that are attached to complex business processes b. Submitting test transactions through an integrated test facility c. Replacing manual monitoring with an automated auditing solution d. Testing controls to validate that they are effective - CORRECT ANSWER c. Replacing manual monitoring with an automated auditing solution
Which of the following should be the FIRST action of an IS auditor during a dispute with a department manager over audit findings? a. Retest the control to validate the finding. b. Engage a third party to validate the finding. c. Include the finding in the report with the department manager's comments. d. Revalidate the supporting evidence for the finding. - CORRECT ANSWER
An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do? a. Issue an audit finding. b. Seek an explanation from IS management. c. Review the classifications of data held on the server. d. Expand the sample of logs reviewed. - CORRECT ANSWER d. Expand the sample of logs reviewed.
An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? a. Walk-through with the reviewer of the operation of the control b. System-generated exception reports for the review period with the reviewer's sign-off c. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer d. Management's confirmation of the effectiveness of the control for the review period - CORRECT ANSWER c. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit? a. Managing audit staff b. Allocating resources c. Project management d. Attention to detail - CORRECT ANSWER c. Project management
An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take? a. Discuss the finding with the IT auditor's manager. b. Retest the control to confirm the finding. c. Elevate the risk associated with the control. d. Discuss the finding with the auditee's manager. - CORRECT ANSWER a. Discuss the finding with the IT auditor's manager.
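The source code comparison technique from the program change control question above, as an added example that is not part of this question bank: the auditor keeps a control copy of a program from the previous review, fingerprints it, and later diffs it against the copy running in production, reading the change directly rather than relying on IS personnel's account of it. The two program texts, the `approve_payment` function and the unauthorized `svc_batch` bypass are constructed for illustration.

```python
"""Source code comparison between a control copy and production.

Added example for the program change control question; not part of the
question bank. The two program texts below are constructed.
"""
import difflib
import hashlib

# Constructed: control copy retained by audit at the last review.
CONTROL_COPY = """\
def approve_payment(amount, approver_role):
    # Payments above the threshold need a manager.
    if amount > 10000 and approver_role != "manager":
        return False
    return True
"""

# Constructed: the copy currently running in production.
PRODUCTION_COPY = """\
def approve_payment(amount, approver_role):
    # Payments above the threshold need a manager.
    if amount > 10000 and approver_role != "manager":
        return False
    if approver_role == "svc_batch":  # bypass added outside change control
        return True
    return True
"""


def fingerprint(source: str) -> str:
    """SHA-256 of the program text, recorded with the control copy at review
    time so a later comparison run starts from a known baseline."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_sources(control: str, production: str) -> dict:
    """Diff the control copy against production and return the changed lines.

    The auditor sees the change itself; no explanation from IS staff is needed.
    """
    added, removed, in_body = [], [], False
    for line in difflib.unified_diff(
        control.splitlines(), production.splitlines(),
        fromfile="control_copy", tofile="production", lineterm="", n=0,
    ):
        if line.startswith("@@"):
            in_body = True  # the two file headers are over; hunk lines follow
            continue
        if not in_body:
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return {
        "identical": fingerprint(control) == fingerprint(production),
        "added_lines": added,
        "removed_lines": removed,
    }


if __name__ == "__main__":
    result = compare_sources(CONTROL_COPY, PRODUCTION_COPY)
    print("identical:", result["identical"])
    for line in result["added_lines"]:
        print("+", line)
    for line in result["removed_lines"]:
        print("-", line)
```

The fingerprint answers "did anything change?" in one comparison; the diff answers "what changed?" so each changed line can be traced to an approved change request. A comparison run only covers the window between the control copy and the moment the production copy was obtained, which is why the control copy itself must be taken at a known point and kept out of reach of the developers.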
Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems? a. To collect evidence while transactions are processed b. To reduce requirements for periodic internal audits c. To identify and report fraudulent transactions d. To increase efficiency of the audit function - CORRECT ANSWER a. To collect evidence while transactions are processed
Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users? a. Variable sampling b. Judgmental sampling c. Stratified random sampling d. Systematic sampling - CORRECT ANSWER
While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: a. report the issue to IT management. b. discuss the issue with the service provider. c. perform a risk assessment. d. perform an access review. - CORRECT ANSWER a. report the issue to IT management.
An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs? a. Usefulness b. Reliability c. Relevance d. Adequacy - CORRECT ANSWER b. Reliability
In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: a. stop-or-go sampling. b. substantive testing. c. compliance testing. d. discovery sampling. - CORRECT ANSWER b. substantive testing.
During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department? a. Discuss it with the IT managers. b. Review the IT job descriptions. c. Research past IT audit reports. d. Evaluate the organizational structure. - CORRECT ANSWER a. Discuss it with the IT managers.
Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system? a. Re-performance b. Process walk-through c. Observation d. Documentation review - CORRECT ANSWER
An IS auditor is comparing equipment in production with inventory records. This type of testing is an example of: a. substantive testing. b. compliance testing. c. analytical testing. d. control testing. - CORRECT ANSWER a. substantive testing.
A local area network (LAN) administrator normally is restricted from: a. having end-user responsibilities. b. reporting to the end-user manager. c. having programming responsibilities. d. being responsible for LAN security administration. - CORRECT ANSWER c. having programming responsibilities.
IT governance is PRIMARILY the responsibility of the: a. chief executive officer. b. board of directors. c. IT steering committee. d. audit committee. - CORRECT ANSWER b. board of directors.
Which of the following is MOST critical for the successful implementation and maintenance of a security policy? a. Assimilation of the framework and intent of a written security policy by all appropriate parties b. Management support and approval for the implementation and maintenance of a security policy c. Enforcement of security rules by providing punitive actions for any violation of security rules d. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software - CORRECT ANSWER a. Assimilation of the framework and intent of a written security policy by all appropriate parties
An IS auditor reviews an organizational chart PRIMARILY for: a. an understanding of the complexity of the organizational structure. b. investigating various communication channels. c. understanding the responsibilities and authority of individuals. d. investigating the network connected to different employees. - CORRECT ANSWER c. understanding the responsibilities and authority of individuals.
The PRIMARY objective of implementing corporate governance is to: a. provide strategic direction. b. control business operations. c. align IT with business. d. implement good practices. - CORRECT ANSWER a. provide strategic direction.
Which of the following is the MOST important element for the successful implementation of IT governance? a. Implementing an IT scorecard b. Identifying organizational strategies c. Performing a risk assessment d. Creating a formal security policy - CORRECT ANSWER b. Identifying organizational strategies
A benefit of open system architecture is that it: a. facilitates interoperability within different systems. b. facilitates the integration of proprietary components. c. will be a basis for volume discounts from equipment vendors. d. allows for the achievement of more economies of scale for equipment. - CORRECT ANSWER a. facilitates interoperability within different systems.
Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? a. Three users with the ability to capture and verify their own messages b. Five users with the ability to capture and send their own messages c. Five users with the ability to verify other users and to send their own messages d. Three users with the ability to capture and verify the messages of other users and to send their own messages - CORRECT ANSWER a. Three users with the ability to capture and verify their own messages
As a driver of IT governance, transparency of IT's cost, value, and risk is primarily achieved through: a. performance measurement. b. strategic alignment. c. value delivery. d. resource management. - CORRECT ANSWER a. performance measurement.
Which of the following IT governance good practices improves strategic alignment? a. Supplier and partner risk is managed. b. A knowledge base on customers, products, markets and processes is in place. c. A structure is provided that facilitates the creation and sharing of business information. d. Top management mediates between the imperatives of business and technology. - CORRECT ANSWER d. Top management mediates between the imperatives of business and technology.
To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: a. control self-assessments. b. a business impact analysis. c. an IT balanced scorecard. d. business process reengineering. - CORRECT ANSWER c. an IT balanced scorecard.
An IS auditor is reviewing an IT security risk management program. Measures of security risk should: a. address all of the network risk. b. be tracked over time against the IT strategic plan. c. consider the entire IT environment. d. result in the identification of vulnerability tolerances. - CORRECT ANSWER c. consider the entire IT environment.
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: a. incorporates state of the art technology. b. addresses the required operational controls. c. articulates the IT mission and vision. d. specifies project management practices. - CORRECT ANSWER c. articulates the IT mission and vision.
An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: a. recommend that this separate project be completed as soon as possible. b. report this issue as a finding in the audit report. c. recommend the adoption of the Zachman framework. d. re-scope the audit to include the separate project as part of the current audit. - CORRECT ANSWER b. report this issue as a finding in the audit report.
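The arithmetic behind the sampling questions above (statistical sampling when the probability of error must be objectively quantified, discovery sampling when fraud is suspected, attribute sampling for a compliance test), as an added example that is not from the question bank. It computes the discovery sample size needed to be confident of seeing at least one deviation, and the upper error limit of an attribute sample, which is what the auditor compares against the tolerable deviation rate. The 1% critical rate, 95% confidence, 100-item sample and 5% tolerable rate are assumed figures; only the standard library is used.

```python
"""Statistical sampling arithmetic for compliance and fraud testing.

Added example for the sampling questions; not part of the question bank.
All rates and sample sizes passed in below are illustrative assumptions.
"""
import math


def discovery_sample_size(critical_rate: float, confidence: float = 0.95) -> int:
    """Smallest sample that, if at least `critical_rate` of the population is
    deviant, contains one or more deviations with probability `confidence`.
    Solves (1 - critical_rate) ** n <= 1 - confidence for n."""
    if not 0 < critical_rate < 1 or not 0 < confidence < 1:
        raise ValueError("rates must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - critical_rate))


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), computed exactly with math.comb."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(sample_size: int, deviations: int,
                      confidence: float = 0.95) -> float:
    """One-sided upper confidence bound on the population deviation rate after
    finding `deviations` in `sample_size` items (Clopper-Pearson style): the
    largest rate for which seeing this few deviations is still as likely as
    1 - confidence."""
    if deviations >= sample_size:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the cdf is decreasing in p
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, sample_size, mid) > 1 - confidence:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate_attribute_sample(sample_size: int, deviations: int,
                              tolerable_rate: float,
                              confidence: float = 0.95) -> dict:
    """Compliance-test conclusion: rely on the control only when the upper
    error limit does not exceed the tolerable deviation rate."""
    limit = upper_error_limit(sample_size, deviations, confidence)
    return {
        "sample_deviation_rate": deviations / sample_size,
        "upper_error_limit": limit,
        "tolerable_rate": tolerable_rate,
        "reliable": limit <= tolerable_rate,
    }


if __name__ == "__main__":
    # Fraud search over sales returns: items to inspect to be 95% sure of
    # catching at least one bogus return if 1% or more are bogus (assumed).
    print("discovery sample size:", discovery_sample_size(0.01))
    # Compliance test of an approval control: 100 items, tolerable rate 5%.
    print(evaluate_attribute_sample(100, 1, tolerable_rate=0.05))
    print(evaluate_attribute_sample(100, 2, tolerable_rate=0.05))
```

The point the questions make is visible in the numbers: one deviation in 100 looks like a 1% rate, but the 95% upper error limit is about 4.7%, and a second deviation pushes it past a 5% tolerable rate, so the control can no longer be relied upon. A judgmental sample gives no such bound.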
After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented? a. A cost-benefit analysis b. An annual loss expectancy calculation c. A comparison of the cost of the IPS and firewall and the cost of the business systems d. A business impact analysis - CORRECT ANSWER a. A cost-benefit analysis
When developing a formal enterprise security program, the MOST critical success factor is the: a. establishment of a review board. b. creation of a security unit. c. effective support of an executive sponsor. d. selection of a security process owner. - CORRECT ANSWER c. effective support of an executive sponsor.
Which of the following is normally a responsibility of the chief information security officer? a. Periodically reviewing and evaluating the security policy b. Executing user application and software testing and evaluation c. Granting and revoking user access to IT resources d. Approving access to data and applications - CORRECT ANSWER a. Periodically reviewing and evaluating the security policy
The PRIMARY benefit of implementing a security program as part of a security governance framework is the: a. alignment of the IT activities with IS audit recommendations. b. enforcement of the management of security risk. c. implementation of the chief information security officer's recommendations. d. reduction of the cost for IT security. - CORRECT ANSWER b. enforcement of the management of security risk.
An enterprise's risk appetite is BEST established by: a. the chief legal officer. b. security management. c. the audit committee. d. the steering committee. - CORRECT ANSWER d. the steering committee.
A small organization has only one database administrator (DBA) and one system administrator. The DBA has root access to the UNIX server, which hosts the database application. How should segregation of duties be enforced in this scenario? a. Hire a second DBA and split the duties between the two individuals. b. Remove the DBA's root access on all UNIX servers. c. Ensure that all actions of the DBA are logged and that all logs are backed up to tape. d. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access. - CORRECT ANSWER d. Ensure that database logs are forwarded to a UNIX server where the DBA does not have root access.
An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? a. A cost analysis b. The security risk of the current technology c. Compatibility with existing systems d. A risk analysis - CORRECT ANSWER d. A risk analysis
An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? a. Existing IT mechanisms enabling compliance b. Alignment of the policy to the business strategy c. Current and future technology initiatives d. Regulatory compliance objectives defined in the policy - CORRECT ANSWER a. Existing IT mechanisms enabling compliance
As a result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level. Which of the following is the BEST recommendation of an IS auditor? a. Use cloud providers for low-risk operations. b. Revise compliance enforcement processes. c. Request that senior management accept the risk. d. Postpone low-priority security procedures. - CORRECT ANSWER c. Request that senior management accept the risk.
A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: a. the security controls of the application may not meet requirements. b. the application may not meet the requirements of the business users. c. the application technology may be inconsistent with the enterprise architecture. d. the application may create unanticipated support issues for IT. - CORRECT ANSWER c. the application technology may be inconsistent with the enterprise architecture.
The MOST important element for the effective design of an information security policy is the: a. threat landscape. b. prior security incidents. c. emerging technologies. d. enterprise risk appetite. - CORRECT ANSWER d. enterprise risk appetite.
Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? a. Minimizing costs for the services provided b. Prohibiting the provider from subcontracting services c. Evaluating the process for transferring knowledge to the IT department d. Determining if the services were provided as contracted - CORRECT ANSWER d. Determining if the services were provided as contracted
Which of the following is the PRIMARY objective of an IT performance measurement process? a. Minimize errors b. Gather performance data c. Establish performance baselines d. Optimize performance - CORRECT ANSWER d. Optimize performance
Which of the following goals do you expect to find in an organization's strategic plan? a. Results of new software testing b. An evaluation of information technology needs c. Short-term project plans for a new planning system d. Approved suppliers for products offered by the company - CORRECT ANSWER d. Approved suppliers for products offered by the company
In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: a. there is an integration of IT and business personnel within projects. b. there is a clear definition of the IT mission and vision. c. a strategic information technology planning scorecard is in place. d. the plan correlates business objectives to IT goals and objectives. - CORRECT ANSWER a. there is an integration of IT and business personnel within projects.
An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: a. a backup server is available to run ETCS operations with up-to-date data. b. a backup server is loaded with all relevant software and data. c. the systems staff of the organization is trained to handle any event. d. source code of the ETCS application is placed in escrow. - CORRECT ANSWER d. source code of the ETCS application is placed in escrow.
Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: a. claims to meet or exceed industry security standards. b. agrees to be subject to external security reviews. c. has a good market reputation for service and experience. d. complies with security policies of the organization. - CORRECT ANSWER b. agrees to be subject to external security reviews.
Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? a. Core activities that provide a differentiated advantage to the organization have been outsourced. b. Periodic renegotiation is not specified in the outsourcing contract. c. The outsourcing contract fails to cover every action required by the business. d. Similar activities are outsourced to more than one vendor. - CORRECT ANSWER a. Core activities that provide a differentiated advantage to the organization have been outsourced.
An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: a. dependency on a single person. b. inadequate succession planning. c. one person knowing all parts of a system. d. a disruption of operations. - CORRECT ANSWER c. one person knowing all parts of a system.
A decision support system is used to help high-level management: a. solve highly structured problems. b. combine the use of decision models with predetermined criteria. c. make decisions based on data analysis and interactive models. d. support only structured decision-making tasks. - CORRECT ANSWER c. make decisions based on data analysis and interactive models.
An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements? a. The vendor provides the latest third-party audit report for verification. b. The vendor provides the latest internal audit report for verification. c. The vendor agrees to implement controls in alignment with the enterprise. d. The vendor agrees to provide annual external audit reports in the contract. - CORRECT ANSWER d. The vendor agrees to provide annual external audit reports in the contract.
During an audit, which of the following situations is MOST concerning for an organization that significantly outsources IS processing to a private network? a. The contract does not contain a right-to-audit clause for the third party. b. The contract was not reviewed by an information security subject matter expert prior to signing. c. The IS outsourcing guidelines are not approved by the board of directors. d. There is a lack of well-defined IS performance evaluation procedures. - CORRECT ANSWER a. The contract does not contain a right-to-audit clause for the third party.
Which of the following does an IS auditor FIRST reference when performing an IS audit? a. Implemented procedures b. Approved policies c. Internal standards d. Documented practices - CORRECT ANSWER b. Approved policies
While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? a. Monthly committee meetings include the subcontractor's IS manager b. Management reviews weekly reports from the subcontractor c. Permission is obtained from the government agent regarding the contract d. Periodic independent audit of the work delegated to the subcontractor - CORRECT ANSWER d. Periodic independent audit of the work delegated to the subcontractor
Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement with an external IT service provider? a. Payment terms b. Uptime guarantee c. Indemnification clause d. Default resolution - CORRECT ANSWER b. Uptime guarantee
Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: a. pre-BPR process flowcharts. b. post-BPR process flowcharts. c. BPR project plans. d. continuous improvement and monitoring plans. - CORRECT ANSWER b. post-BPR process flowcharts.
During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced, and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: a. buffer overflow. b. brute force attack. c. distributed denial-of-service attack. d. war dialing attack. - CORRECT ANSWER a. buffer overflow.
Information for detecting unauthorized input from a user workstation would be BEST provided by the: a. console log printout. b. transaction journal. c. automated suspense file listing. d. user error report. - CORRECT ANSWER b. transaction journal.
A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced? a. Verifying production of customer orders b. Logging all customer orders in the ERP system c. Using hash totals in the order transmitting process d. Approving (production supervisor) orders prior to production - CORRECT ANSWER a. Verifying production of customer orders
Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques provides the GREATEST assistance in developing an estimate of project duration? a. Function point analysis b. Program evaluation review technique chart c. Rapid application development d. Object-oriented system development - CORRECT ANSWER b. Program evaluation review technique chart
Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion? a. Function point analysis b. Earned value analysis c. Cost budget d. Program evaluation and review technique - CORRECT ANSWER b. Earned value analysis
During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal. The IS auditor should FIRST: a. test the software for compatibility with existing hardware. b. perform a gap analysis. c. review the licensing policy. d. ensure that the procedure had been approved. - CORRECT ANSWER d. ensure that the procedure had been approved.
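Hash totals as a transmission control, the option the ERP order question above contrasts with verifying production, as an added example that is not taken from the question bank. The branch attaches a record count, a quantity total, a hash total over product codes and, as a stronger check the question does not mention, a SHA-256 digest of the serialized batch; the plant recomputes all four on receipt. The orders and the simulated corruptions are constructed.

```python
"""Batch control totals over a transmitted order file.

Added example for the ERP order transmission question; not part of the
question bank. The sample orders and simulated corruptions are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: int
    product_code: int  # numeric SKU; summing it gives the classic hash total
    quantity: int


@dataclass(frozen=True)
class ControlTotals:
    record_count: int    # catches dropped or duplicated records
    quantity_total: int  # financial-style total, catches altered quantities
    hash_total: int      # sum of a field with no business meaning
    digest: str          # SHA-256 over the serialized batch, order-sensitive


def control_totals(orders) -> ControlTotals:
    """Trailer the sender attaches to a batch; the receiver recomputes it."""
    orders = list(orders)
    serialized = "\n".join(
        f"{o.order_id}|{o.product_code}|{o.quantity}" for o in orders
    )
    return ControlTotals(
        record_count=len(orders),
        quantity_total=sum(o.quantity for o in orders),
        hash_total=sum(o.product_code for o in orders),
        digest=hashlib.sha256(serialized.encode("utf-8")).hexdigest(),
    )


def verify_batch(received_orders, trailer: ControlTotals) -> list:
    """Names of the totals that disagree with the trailer; [] means intact.
    Which totals fail tells the operator what happened in transit."""
    actual = control_totals(received_orders)
    return [
        name
        for name in ("record_count", "quantity_total", "hash_total", "digest")
        if getattr(actual, name) != getattr(trailer, name)
    ]


# Constructed batch as entered at a branch.
SENT = [
    Order(1001, 48213, 10),
    Order(1002, 57034, 4),
    Order(1003, 48231, 10),
]


def corrupt_drop(orders, index):
    """Lose one record in transit."""
    return [o for i, o in enumerate(orders) if i != index]


def corrupt_alter_code(orders, index, new_code):
    """Change one product code; count and quantities stay the same."""
    out = list(orders)
    o = out[index]
    out[index] = Order(o.order_id, new_code, o.quantity)
    return out


def corrupt_transpose_codes(orders, i, j):
    """Swap the product codes of two records: the sum-based hash total is
    unchanged, so only the digest catches it."""
    out = list(orders)
    a, b = out[i], out[j]
    out[i] = Order(a.order_id, b.product_code, a.quantity)
    out[j] = Order(b.order_id, a.product_code, b.quantity)
    return out


if __name__ == "__main__":
    trailer = control_totals(SENT)
    print("intact:", verify_batch(SENT, trailer))
    print("dropped record:", verify_batch(corrupt_drop(SENT, 1), trailer))
    print("altered code:", verify_batch(corrupt_alter_code(SENT, 0, 48231), trailer))
    print("transposed codes:", verify_batch(corrupt_transpose_codes(SENT, 0, 2), trailer))
```

All four totals agreeing only shows that the batch arrived as sent; it says nothing about whether the plant then produced the goods, which is why the question prefers verifying production as the end-to-end check. The transposition case also shows the limit of a sum-based hash total: two compensating changes cancel out, while a digest over the serialized records does not.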
An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely: a. check to ensure that the type of transaction is valid for the card type. b. verify the format of the number entered, then locate it on the database. c. ensure that the transaction entered is within the cardholder's credit limit. d. confirm that the card is not shown as lost or stolen on the master file. - CORRECT ANSWER b. verify the format of the number entered, then locate it on the database.
The most common reason for the failure of information systems to meet the needs of users is that: a. user needs are constantly changing. b. the growth of system requirements was forecast inaccurately. c. the hardware system limits the number of concurrent users. d. user participation in defining the system's requirements was inadequate. - CORRECT ANSWER d. user participation in defining the system's requirements was inadequate.
The use of object-oriented design and development techniques would MOST likely: a. facilitate the ability to reuse modules. b. improve system performance. c. enhance control effectiveness. d. speed up the system development life cycle. - CORRECT ANSWER a. facilitate the ability to reuse modules.
Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? a. User management b. Project steering committee c. Senior management d. Quality assurance staff - CORRECT ANSWER a. User management
Which of the following BEST helps to prioritize project activities and determine the time line for a project? a. A Gantt chart b. Earned value analysis c. Program evaluation review technique d. Function point analysis - CORRECT ANSWER c. Program evaluation review technique
An IS auditor who is auditing the software acquisition process will ensure that the: a. contract is reviewed and approved by the legal counsel before it is signed. b. requirements cannot be met with the systems already in place. c. requirements are found to be critical for the business. d. user participation is adequate in the process. - CORRECT ANSWER a. contract is reviewed and approved by the legal counsel before it is signed.
An organization is implementing an enterprise resource planning application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? a. Project sponsor b. System development project team c. Project steering committee d. User project team - CORRECT ANSWER c. Project steering committee
An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? a. Advise on the adoption of application controls to the new database software. b. Provide future estimates of the licensing expenses to the project team. c. Recommend to the project manager how to improve the efficiency of the migration. d. Review the acceptance test case documentation before the tests are carried out. - CORRECT ANSWER d. Review the acceptance test case documentation before the tests are carried out.
When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: a. project be discontinued. b. business case be updated and possible corrective actions be identified. c. project be returned to the project sponsor for reapproval. d. project be completed and the business case be updated later. - CORRECT ANSWER b. business case be updated and possible corrective actions be identified.
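The initial validation control from the credit card capture question above (verify the format of the number entered, then locate it on the database), as an added example that is not from the question bank. The format check runs first and rejects keying errors without a database round trip; only a well-formed number is looked up. The card table is an in-memory SQLite table holding widely published test card numbers (constructed data, not real cards), and the later-stage checks the question's other options describe (card type, credit limit, lost/stolen status) are deliberately left to the located record.

```python
"""Initial validation for a card transaction capture screen.

Added example for the credit card capture question; not part of the question
bank. The card table is an in-memory SQLite table loaded with widely published
test card numbers (constructed data, not real cards).
"""
import sqlite3


def luhn_valid(number: str) -> bool:
    """Mod-10 check digit: from the right, double every second digit, subtract
    9 from any doubled value above 9, and require the digit sum to be 0 mod 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def format_valid(number: str) -> bool:
    """Structural check only: digits, a plausible PAN length (13 to 19) and a
    good check digit. Catches mistyped numbers before any database access."""
    return number.isdigit() and 13 <= len(number) <= 19 and luhn_valid(number)


def build_card_db() -> sqlite3.Connection:
    """Constructed master file: PAN, card type and status."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (pan TEXT PRIMARY KEY, card_type TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [("4111111111111111", "credit", "active"),
         ("5555555555554444", "credit", "lost")],
    )
    return conn


def initial_validation(entered: str, conn: sqlite3.Connection) -> dict:
    """Format first, then locate the record. Card-type, credit-limit and
    lost/stolen checks are later stages that work from the located record,
    so a lost card still passes this stage."""
    number = entered.replace(" ", "")
    if not format_valid(number):
        return {"accepted": False, "reason": "malformed", "record": None}
    row = conn.execute(  # bound parameter: the PAN never reaches the SQL text
        "SELECT pan, card_type, status FROM cards WHERE pan = ?", (number,)
    ).fetchone()
    if row is None:
        return {"accepted": False, "reason": "not on file", "record": None}
    return {
        "accepted": True,
        "reason": "located",
        "record": {"pan": row[0], "card_type": row[1], "status": row[2]},
    }


if __name__ == "__main__":
    db = build_card_db()
    for pan in ("4111 1111 1111 1111", "4111111111111112",
                "4012888888881881", "5555555555554444"):
        print(pan, "->", initial_validation(pan, db))
```

The lookup uses a bound parameter, so the format check is not the only thing standing between keyed input and the SQL text; the Luhn check is an error-detection control against mistyping, not an authentication control, and a number that passes it can still be unissued, lost or over limit.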
An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should: a. conclude that the project is progressing as planned because dates are being met. b. question the project manager further to identify whether overtime costs are being tracked accurately. c. conclude that the programmers are intentionally working slowly to earn ex - CORRECT ANSWER d. investigate further to determine whether the project plan may not be accurate.
Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? a. System owners b. System users c. System designers d. System builders - CORRECT ANSWER a. System owners
An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if: a. certain project iterations produce proof-of-concept deliverables and unfinished code. b. application features and development processes are not extensively documented. c. software development teams continually re-plan each step of their major projects. d. project managers do not manage project resources, leaving that to proj - CORRECT ANSWER a. certain project iterations produce proof-of-concept deliverables and unfinished code.
While reviewing an ongoing project, the IS auditor notes that the development team has spent eight hours of activity on the first day against a budget of 24 hours (over three days). The projected time to complete the remainder of the activity is 20 hours. The IS auditor should report that the project: a. is behind schedule. b. is ahead of schedule. c. is on schedule. d. cannot be evaluated until the activity is completed. - CORRECT ANSWER a. is behind schedule.
Which of the following is MOST relevant to an

Institution
CISA - Certified Information Systems Auditor
Module
CISA - Certified Information Systems Auditor
Document information

Uploaded on
March 15, 2024
Number of pages
90
Written in
2023/2024
Type
Exam (elaborations)
Contains
Questions & answers

Content preview

CISA Exam 388 Questions with Verified Answers
Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
a. Parity check
b. Echo check
c. Block sum check
d. Cyclic redundancy check - CORRECT ANSWER d. Cyclic redundancy check
Which of the following issues associated with a data center's closed circuit television (CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV records are deleted after one year.
C. CCTV footage is not recorded 24 x 7.
D. CCTV cameras are not installed in break rooms. - CORRECT ANSWER A. CCTV recordings are not regularly reviewed.
An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor's PRIMARY concern is that:
A. a clear business case has been established.
B. the new hardware meets established security standards.
C. a full, visible audit trail will be included.
D. the implementation plan meets user requirements. - CORRECT ANSWER A. a clear business case has been established.
An organization is implementing a new system that supports a month-end business process. Which of the following implementation strategies would be MOST efficient to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel - CORRECT ANSWER C. Pilot
Which of the following is the BEST way to ensure that an application is performing according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing - CORRECT ANSWER C. Integration testing
An employee loses a mobile device resulting in loss of sensitive corporate data. Which of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. The triggering of remote data wipe capabilities
C. Awareness training for mobile device users
D. Complex password policy for mobile devices - CORRECT ANSWER A. Data encryption on the mobile device
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
A. cost-benefit analysis.
B. acceptance testing.
C. application test cases.
D. project plans. - CORRECT ANSWER C. application test cases.
Upon completion of audit work, an IS auditor should:
A. provide a report to the auditee stating the initial findings.
B. provide a report to senior management prior to discussion with the auditee.
C. distribute a summary of general findings to the members of the auditing team.
D. review the working papers with the auditee. - CORRECT ANSWER A. provide a report to the auditee stating the initial findings.
During an IT general controls audit of a high-risk area where both internal and external audit teams are reviewing the same areas simultaneously, which of the following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Roll forward the general controls audit to the subsequent audit year.
D. Request that the external audit team leverage the internal audit work. - CORRECT ANSWER A. Leverage the work performed by external audit for the internal audit testing.
The GREATEST benefit of using a prototyping approach in software development is that it helps to:
A. improve efficiency of quality assurance (QA) testing.
B. conceptualize and clarify requirements.
C. decrease the time allocated for user testing and review.
D. minimize scope changes to the system. - CORRECT ANSWER D. minimize scope changes to the system.
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
A. Risk reduction
B. Risk acceptance
C. Risk transfer
D. Risk avoidance - CORRECT ANSWER D. Risk avoidance
Which of the following MOST effectively minimizes downtime during system conversions?
A. Phased approach
B. Parallel run
C. Direct cutover
D. Pilot study - CORRECT ANSWER B. Parallel run
Which of the following would MOST effectively ensure the integrity of data transmitted over a network?
A. Message encryption
B. Steganography
C. Certificate authority (CA)
D. Message digest - CORRECT ANSWER D. Message digest
An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern?
A. A gap analysis against regulatory requirements has not been conducted.
B. The third party disclosed a policy-related issue of noncompliance.
C. The organization has not reviewed the third party's policies and procedures.
D. The organization has not communicated regulatory requirements to the third party. - CORRECT ANSWER D. The organization has not communicated regulatory requirements to the third party.
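For the message digest question above: a digest transmitted with the data proves the data was not changed in transit, but only against accidental corruption, because anyone who can alter the message can also recompute an unkeyed digest. The Python script below is an added example, not part of the question bank; it shows the digest catching line noise, then shows an on-path attacker defeating it, and the keyed variant (HMAC) that holds up. The shared key and the message are constructed for the demonstration.

```python
# Added example (not from the question bank): a message digest sent with the
# data detects accidental modification in transit, but an attacker who can
# alter the message can also replace an unkeyed digest. A keyed digest (HMAC)
# closes that gap. Key and message are constructed for the demonstration.
import hashlib
import hmac

SHARED_KEY = b"demo-key-known-only-to-sender-and-receiver"  # hypothetical shared secret
MESSAGE = b"TRANSFER 250.00 FROM 1001 TO 2002"               # constructed payload


def digest(msg: bytes) -> bytes:
    """Unkeyed SHA-256 digest: anyone can compute it for any message."""
    return hashlib.sha256(msg).digest()


def keyed_digest(msg: bytes, key: bytes) -> bytes:
    """HMAC-SHA256: a matching tag can only be produced by a holder of `key`."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_unkeyed(msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(digest(msg), tag)   # constant-time comparison


def verify_keyed(msg: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(keyed_digest(msg, key), tag)


def line_noise() -> tuple:
    """Transmission error flips bits in the amount; the tags were computed by the
    honest sender, so both checks fail verification and the damage is caught."""
    tag, ktag = digest(MESSAGE), keyed_digest(MESSAGE, SHARED_KEY)
    received = bytearray(MESSAGE)
    received[9] ^= 0x04                      # '2' (0x32) becomes '6' (0x36)
    received = bytes(received)
    return verify_unkeyed(received, tag), verify_keyed(received, ktag, SHARED_KEY)


def active_attacker() -> tuple:
    """An on-path attacker rewrites the amount and recomputes the tags it can.
    The unkeyed digest verifies (the tampering goes unnoticed); the HMAC does not,
    because the attacker does not hold SHARED_KEY."""
    forged = MESSAGE.replace(b"250.00", b"9250.00")
    forged_tag = digest(forged)                          # trivially recomputed
    forged_ktag = keyed_digest(forged, b"attacker-guess")  # wrong key, wrong tag
    return verify_unkeyed(forged, forged_tag), verify_keyed(forged, forged_ktag, SHARED_KEY)


if __name__ == "__main__":
    print("line noise    (unkeyed ok?, keyed ok?):", line_noise())      # (False, False)
    print("active attack (unkeyed ok?, keyed ok?):", active_attacker()) # (True, False)
```

When reviewing an integrity control over a network link, the question to ask is therefore where the digest is computed and whether it is bound to a key or a signature the sender alone holds; an unkeyed digest appended to the message is no stronger than a checksum against a deliberate adversary.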
An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?
A. The quality of the data is not monitored.
B. The transfer protocol does not require authentication.
C. Imported data is not disposed of frequently.
D. The transfer protocol is not encrypted. - CORRECT ANSWER A. The quality of the data is not monitored.
In a controlled application development environment, the MOST important segregation of duties should be between the person who implements changes into the production environment and the:
A. application programmer.
B. quality assurance (QA) personnel.
C. computer operator.
D. systems programmer. - CORRECT ANSWER A. application programmer.
A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?
A. Rotation of log monitoring and analysis responsibilities
B. Additional management reviews and reconciliations
C. Mandatory vacations
D. Third-party assessments - CORRECT ANSWER B. Additional management reviews and reconciliations
