ISACA CISA v2021-08-09 q147
NEW QUESTION: 1
An auditor is creating an audit program in which the objective is to establish the adequacy
of personal data privacy controls in a payroll process. Which of the following would be
MOST important to include?
A. Segregation of duties controls
B. Audit logging of administrative user activity
C. User access provisioning
D. Approval of data changes
Answer: B
NEW QUESTION: 2
An IS auditor is conducting a pre-implementation review to determine a new system's
production readiness. The auditor's PRIMARY concern should be whether:
A. users were involved in the quality assurance (QA) testing.
B. benefits realization has been evidenced
C. the project adhered to the budget and target date.
D. there are unresolved high-risk items
Answer: D
NEW QUESTION: 3
Due to budget restraints, an organization is postponing the replacement of an in-house
developed mission critical application. Which of the following represents the GREATEST
risk?
A. Eventual replacement may be more expensive
B. Inability to align to changing business needs
C. Inability to virtualize the server
D. Maintenance costs may rise
Answer: (not shown)
NEW QUESTION: 4
Which of the following would an IS auditor PRIMARILY review to understand key drivers of
a project?
A. IT strategy and objectives
B. Earned value analysis (EVA)
C. Project risk matrix
D. Business case
Answer: D
NEW QUESTION: 5
Which type of control is in place when an organization requires new employees to
complete training on applicable privacy and data protection regulations?
A. Preventive control
B. Directive control
C. Corrective control
D. Detective control
Answer: (not shown)
NEW QUESTION: 6
Which of the following should be an IS auditor's PRIMARY focus when developing a
risk-based IS audit program?
A. IT strategic plans
B. Business plans
C. Business processes
D. Portfolio management
Answer: C
NEW QUESTION: 7
Which of the following is the MOST significant risk associated with peer-to-peer networking
technology?
A. Reduction in staff productivity
B. Loss of information during transmission
C. Lack of reliable internet network connections
D. Lack of central monitoring
Answer: (not shown)
NEW QUESTION: 8
Compared to developing a system in-house, acquiring a software package means that the
need for testing by end users is:
A. eliminated.
B. increased.
C. reduced.
D. unchanged.
Answer: B
NEW QUESTION: 9
When deciding whether a third party can be used in resolving a suspected security breach,
which of the following should be the MOST important consideration for IT management?
A. Audit approval
B. Incident priority rating
C. Third-party cost
D. Data sensitivity
Answer: (not shown)
NEW QUESTION: 10
Which of the following is the BEST way to achieve high availability and fault tolerance for
an e-business system?
A. Storage area network
B. Network diversity
C. Robust systems architecture
D. Secure offsite backup storage
Answer: C
NEW QUESTION: 11
Which of the following is the BEST way to ensure payment transaction data is restricted to
the appropriate users?
A. Restricting access to transactions using network security software
B. Implementing two-factor authentication
C. Implementing role-based access at the application level
D. Using a single menu for sensitive application transactions
Answer: (not shown)
NEW QUESTION: 12
Which of the following is the PRIMARY concern when negotiating a contract for a hot site?
A. Availability of the site in the event of multiple disaster declarations
B. Reciprocal agreements with other organizations
C. Complete testing of the recovery plan
D. Coordination with the site staff in the event of multiple disaster declarations
Answer: A
NEW QUESTION: 13
An IS auditor notes that application super-user activity was not recorded in system logs.
What is the auditor's BEST course of action?
A. Investigate the reason for the lack of logging
B. Recommend activation of super user activity logging
C. Recommend a least privilege access model
D. Report the issue to the audit manager
Answer: B
NEW QUESTION: 14
During an audit of a data classification policy, an IS auditor finds that many documents are
inappropriately classified as confidential. Which of the following is the GREATEST
concern?
A. Information may be underprotected.
B. Data integrity issues may occur.
C. Information may generally be overprotected.
D. Industry security best practices are violated.
Answer: C
NEW QUESTION: 15
An IS auditor is reviewing environmental controls and finds extremely high levels of
humidity in the data center. Which of the following is the PRIMARY risk to computer
equipment from this condition?
A. Brownout
B. Fire
C. Corrosion
D. Static electricity
Answer: (not shown)
NEW QUESTION: 16
An internal audit department recently established a quality assurance (QA) program as
part of its overall audit program. Which of the following activities is MOST important to
include as part of the QA program requirements?
A. Reporting QA program results to the audit committee
B. Conducting long-term planning for internal audit staffing
C. Analyzing user satisfaction reports from business lines
D. Benchmarking the QA framework to international standards
Answer: (not shown)
Valid CISA Dumps shared by Fast2test.com for Helping Passing CISA Exam!
Fast2test.com now offers the newest CISA exam dumps; the Fast2test.com CISA exam
questions have been updated and answers have been corrected. Get the newest
Fast2test.com CISA dumps with Test Engine here: https://www.fast2test.com/CISA-practice-test.html (613 Q&As Dumps, 40%OFF Special Discount: freecram)
NEW QUESTION: 17
When an organization introduces virtualization into its architecture, which of the following
should be an IS auditor's PRIMARY area of focus to verify adequate protection?
A. Shared storage space
B. Multiple versions of the same operating system
C. Maintenance cycles
D. Host operating system configuration
Answer: D
NEW QUESTION: 18
Which of the following is the GREATEST benefit of implementing an incident management
process?
A. Reduction in the business impact of incidents
B. Opportunity for frequent reassessment of incidents
C. Reduction of cost by the efficient use of resources
D. Reduction in security threats
Answer: A
NEW QUESTION: 19
Which of the following attacks would MOST likely result in the interception and modification
of traffic for mobile phones connecting to potentially insecure public Wi-Fi networks?
A. Vishing
B. Man-in-the-middle
C. Phishing
D. Brute force
Answer: B
NEW QUESTION: 20
Which of the following should be the FIRST step to help ensure the necessary regulatory
requirements are addressed in an organization's cross-border data protection policy?
A. Perform a business impact analysis (BIA).
B. Conduct stakeholder interviews.
C. Conduct a risk assessment.
D. Perform a gap analysis.
Answer: D
NEW QUESTION: 21
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the
following should be the auditor's NEXT course of action?
A. Report the security posture of the organization.
B. Determine the risk of not replacing the firewall
C. Determine the value of the firewall.
D. Report the mitigating control
Answer: (not shown)
NEW QUESTION: 22
An organization is in the process of deciding whether to allow a bring your own device
(BYOD) program. If approved, which of the following should be the FIRST control required
before implementation?
A. Device registration
B. An acceptable use policy
C. Device baseline configurations
D. An awareness program
Answer: B
NEW QUESTION: 23
Following the discovery of inaccuracies in a data warehouse, an organization has
implemented data profiling, cleansing, and handling filters to enhance the quality of data
obtained from c
A. Corrective control
B. Detective control
C. Compensating control
D. Directive control
Answer: A
NEW QUESTION: 24
An IS auditor has obtained a large complex data set for analysis. Which of the following
activities will MOST improve the output from the use of data analytics tools?
A. Data preparation
B. Data anonymization
C. Data masking
D. Data classification
Answer: A
NEW QUESTION: 25
To protect information assets, which of the following should be done FIRST?
A. Restrict access to data.
B. Classify data.
C. Back up data.
D. Encrypt data.
Answer: B
NEW QUESTION: 26
Which of the following is the MOST important step in the development of an effective IT
governance action plan?
A. Conducting a business impact analysis (BIA)
B. Setting up an IT governance framework for the process
C. Measuring IT governance key performance indicators (KPIs)
D. Preparing a statement of sensitivity
Answer: B
NEW QUESTION: 27
An organization wants to replace its suite of legacy applications with a new, in-house
developed solution. Which of the following is the BEST way to address concerns
associated with migration of all mission-critical business functionality?
A. Strengthen governance by hiring certified and qualified project managers for the
migration.
B. Increase testing efforts so that all possible combinations of data have been tested prior
to go-live.
C. Plan multiple releases to gradually migrate subsets of functionality to reduce production
risk.
D. Expedite go-live by migrating in a single release to allow more time for testing in
production.
Answer: C
NEW QUESTION: 28
When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor
should FIRST review:
A. the IT governance framework.
B. Information security procedures.
C. the most recent audit results.
D. the IT processes and procedures.
Answer: A
NEW QUESTION: 29
An internal audit department recently established a quality assurance (QA) program.
Which of the following activities is MOST important to include as part of the QA program
requirements?
A. Analysis of user satisfaction reports from business lines
B. Long-term internal audit resource planning
C. Feedback from internal audit staff
D. Ongoing monitoring of the audit activities
Answer: (not shown)
NEW QUESTION: 30
In a database management system (DBMS), normalization is used to:
A. standardize data names
B. reduce data redundancy
C. reduce access time
D. eliminate processing deadlocks
Answer: (not shown)
NEW QUESTION: 31
Which of the following implementation strategies for new applications presents the
GREATEST risk during data conversion and migration from an old system to a new
system?
A. Direct cutover
B. Pilot implementation
C. Phased implementation
D. Parallel simulation
Answer: A
NEW QUESTION: 32
Which of the following should occur EARLIEST in a business continuity management
lifecycle?
A. Defining business continuity procedures
B. Identifying critical business processes
C. Developing a training and awareness program
D. Carrying out a threat and risk assessment
Answer: B
NEW QUESTION: 33
Which of the following audit procedures would be MOST conclusive in evaluating the
effectiveness of an e-commerce application system's edit routine?
A. Review of program documentation
B. Review of source code
C. Interviews with knowledgeable users
D. Use of test transactions
Answer: B
NEW QUESTION: 34
Which of the following will BEST help to ensure that an in-house application in the
production environment is current?
A. Production access control
B. Change management
C. Quality assurance
D. Version control procedures
Answer: D
NEW QUESTION: 35
Which of the following network management tools should an IS auditor use to review the
type of packets flowing along a monitored link?
A. Protocol analyzers
B. Online monitors
C. Network monitors
D. Response time reports
Answer: C
NEW QUESTION: 36
Which of the following would BEST facilitate the detection of internal fraud perpetrated by
an individual?
A. Mandatory leave
B. Flexible time
C. Segregation of duties
D. Corporate fraud hotline
Answer: A
NEW QUESTION: 37
Due to a global pandemic, a health organization has instructed its employees to work from
home as much as possible. The employees communicate using instant messaging. Which
of the following is the GREATEST risk in this situation?
A. Employees may exchange patient information through less secure methods.
B. Employee productivity may decrease when working from home.
C. Home office setups may not be compliant with workplace health and safety
requirements.
D. The capacity of servers may not allow all users to connect simultaneously
Answer: A
NEW QUESTION: 38
An organization is deciding whether to outsource its customer relationship management
systems to a provider located in another country. Which of the following should be the
PRIMARY influence in the outsourcing decision?
A. Cross-border privacy laws
B. The service provider's disaster recovery plan
C. Current geopolitical conditions
D. Time zone differences
Answer: A
NEW QUESTION: 39
An audit has identified that business units have purchased cloud-based applications
without IT's support. What is the GREATEST risk associated with this situation?
A. The applications could be modified without advance notice.
B. The application purchases did not follow procurement policy.
C. The applications are not included in business continuity plans (BCPs).
D. The applications may not reasonably protect data.
Answer: C
NEW QUESTION: 40
When evaluating the recent implementation of an intrusion detection system (IDS), an IS
auditor should be MOST concerned with inappropriate:
A. patching
B. tuning
C. encryption
D. training
Answer: B
NEW QUESTION: 41
What is the BEST justification for allocating more funds to implement a control for an IT
asset than the actual cost of the IT asset?
A. To maintain the residual value of the asset
B. To avoid future audit findings
C. To protect the associated intangible business value
D. To comply with information security best practices
Answer: (not shown)
NEW QUESTION: 42
An internal IS auditor recommends that incoming accounts payable payment files be
encrypted. Which type of control is the auditor recommending?
A. Directive
B. Preventive
C. Corrective
D. Detective
Answer: B
NEW QUESTION: 43
Spreadsheets are used to calculate project cost estimates. Totals for each cost category
are then keyed into the job-costing system. What is the BEST control to ensure that data
are accurately entered into the system?
A. Reasonableness checks for each cost type
B. Validity checks preventing entry of character data
C. Reconciliation of total amounts by project
D. Display back of project detail after entry
Answer: C
NEW QUESTION: 44
An IS auditor previously worked in an organization's IT department and was involved with
the design of the business continuity plan (BCP). The IS auditor has now been asked to
review this same BCP. The auditor should FIRST:
A. communicate the conflict of interest to the audit manager prior to starting the
assignment.
B. communicate the conflict of interest to the audit committee prior to starting the
assignment
C. document the conflict in the audit report.
D. decline the audit assignment.
Answer: B
NEW QUESTION: 45
The GREATEST benefit of using a prototyping approach in software development is that it
helps to:
A. decrease the time allocated for user testing and review
B. improve efficiency of quality assurance (QA) testing.
C. conceptualize and clarify requirements
D. minimize scope changes to the system
Answer: (not shown)
NEW QUESTION: 46
An IT organization's incident response plan is which type of control?
A. Preventive
B. Corrective
C. Directive
D. Detective
Answer: B
NEW QUESTION: 47
Which of the following observations should be of GREATEST concern to an IS auditor
reviewing a large organization's virtualization environment?
A. An unused printer has been left connected to the host system.
B. Host inspection capabilities have been disabled
C. A rootkit was found on the host operating system
D. Guest tools have been installed without sufficient access control.
Answer: C
NEW QUESTION: 48
During an audit, the client learns that the IS auditor has recently completed a similar
security review at a competitor. The client inquires about the competitor's audit results.
What is the BEST way for the auditor to address this inquiry?
A. Explain that it would be inappropriate to discuss the results of another audit client
B. Discuss the results of the audit omitting specifics related to names and products.
C. Obtain permission from the competitor to use the audit results as examples for future
clients.
D. Escalate the question to the audit manager for further action.
Answer: A
NEW QUESTION: 49
An IT governance framework provides an organization with:
A. a basis for directing and controlling IT.
B. assurance that there are surplus IT investments
C. assurance that there will be IT cost reductions
D. organizational structures to enlarge the market share through IT
Answer: A
NEW QUESTION: 50
Which of the following should be done FIRST when planning a penetration test?
A. Obtain management consent for the testing
B. Determine reporting requirements for vulnerabilities
C. Execute nondisclosure agreements (NDAs).
D. Define the testing scope.
Answer: A
NEW QUESTION: 51
During an internal audit review of a human resources (HR) recruitment system
implementation, the IS auditor notes that several defects were unresolved at the time the
system went live. Which of the following is the auditor's MOST important task prior to
formulating an audit opinion?
A. Confirm the severity of the identified defects.
B. Review the user acceptance test (UAT) results for defects
C. Review the initial implementation plan for timelines.
D. Confirm the project plan was approved.
Answer: A
NEW QUESTION: 52
In an environment where most IT services have been outsourced, continuity planning is
BEST controlled by:
A. continuity planning specialists.
B. IT management.
C. outsourced service provider management
D. business management.
Answer: (not shown)
NEW QUESTION: 53
Which of the following is MOST important to include in a contract to outsource data
processing that involves customer personally identifiable information (PII)?
A. The vendor must provide an independent report of its data processing facilities.
B. The vendor must compensate the organization if nonperformance occurs.
C. The vendor must sign a nondisclosure agreement with the organization.
D. The vendor must comply with the organization's legal and regulatory requirements.
Answer: D
NEW QUESTION: 54
Both statistical and nonstatistical sampling techniques:
A. provide each item an equal opportunity of being selected.
B. permit the auditor to quantify the probability of error.
C. require judgment when defining population characteristics
D. permit the auditor to quantify and fix the level of risk
Answer: C
NEW QUESTION: 55
Which of the following is the BEST recommendation to prevent fraudulent electronic funds
transfers by accounts payable employees?
A. Independent reconciliation
B. Periodic vendor reviews
C. Dual control
D. Re-keying of monetary amounts
Answer: (not shown)
NEW QUESTION: 56
Which of the following presents the GREATEST concern when implementing data flow
across borders?
A. Political unrest
B. Equipment incompatibilities
C. Software piracy laws
D. National privacy laws
Answer: D
NEW QUESTION: 57
Which of the following would provide the BEST evidence of the effectiveness of mandated
annual security awareness training?
A. Number of security incidents
B. Results of a third-party penetration test
C. Surveys completed by randomly selected employees
D. Trending of social engineering test results
Answer: B
NEW QUESTION: 58
Segregation of duties would be compromised if:
A. operations staff modified batch schedules.
B. application programmers accessed test data.
C. database administrators (DBAs) modified the structure of user tables.
D. application programmers moved programs into production.
Answer: (not shown)
NEW QUESTION: 59
To BEST evaluate the effectiveness of a disaster recovery plan, the IS auditor should
review the:
A. hardware and software inventory.
B. plans and procedures in the business continuity plan
C. capacity of backup facilities.
D. test plan and results of past tests.
Answer: D
NEW QUESTION: 60
A software development organization with offshore personnel has implemented a third-
party virtual workspace to allow the teams to collaborate. Which of the following should be
of GREATEST concern?
A. Team collaboration sessions are not monitored.
B. Exfiltration of data could occur through the virtual workspace.
C. The virtual workspace is configured to interface with other applications.
D. The team's work products are not properly classified as intellectual property.
Answer: B
NEW QUESTION: 61
The PRIMARY reason an IS department should analyze past incidents and problems is to:
A. determine if all incidents and problems are reported
B. assign responsibility for problems.
C. identify the causes of recurring incidents and problems.
D. assess help desk performance
Answer: C
NEW QUESTION: 62
An IS auditor reviewing a purchase accounting system notices several duplicate payments
made for the services rendered. Which of the following is the auditor's BEST
recommendation for preventing duplicate payments?
A. Implement a system control that determines if there are corresponding invoices for
purchase orders.
B. Request vendors to attach service acknowledgment notices to purchase orders.
C. Implement a configuration control to enable sequential numbering of invoices.
D. Perform additional supervisory reviews prior to the invoice payments.
Answer: A
NEW QUESTION: 63
Which of the following should be included in emergency change control procedures?
A. Use an emergency ID to move production programs into development.
B. Obtain user management approval before implementing the changes.
C. Update production source libraries to reflect changes.
D. Request that the help desk make the changes.
Answer: B
NEW QUESTION: 64
Post-implementation testing is an example of which of the following control types?
A. Deterrent
B. Preventive
C. Detective
D. Directive
Answer: C
NEW QUESTION: 65
During a review of an application system, an IS auditor identifies automated controls
designed to prevent the entry of duplicate transactions. What is the BEST way to verify that
the controls work as designed?
A. Enter duplicate transactions in a copy of the live system.
B. Use generalized audit software for seeking data corresponding to duplicate
transactions.
C. Implement periodic reconciliations.
D. Review quality assurance (QA) test results.
Answer: A
NEW QUESTION: 66
Which of the following is the BEST way for an IS auditor to reduce sampling risk when
performing audit sampling to verify the adequacy of an organization's internal controls?
A. Outsource the sampling process.
B. Decrease the sampling size
C. Lower the sample standard deviation
D. Use a statistical sampling method
Answer: C
NEW QUESTION: 67
Which of the following is the PRIMARY objective of implementing privacy-related controls
within an organization?
A. To provide options to individuals regarding use of their data
B. To prevent confidential data loss
C. To identify data at rest and data in transit for encryption
D. To comply with legal and regulatory requirements
Answer: A
NEW QUESTION: 68
A month after a company purchased and implemented system and performance
monitoring software, the reports were too large and therefore were not reviewed or acted upon.
The MOST effective plan of action would be to:
A. use analytical tools to produce exception reports from the system and performance
monitoring software
B. evaluate replacement systems and performance monitoring software
C. re-install the system and performance monitoring software
D. restrict functionality of system monitoring software to security-related events
Answer: D
NEW QUESTION: 69
An IS auditor conducting a follow-up audit learns that previously funded recommendations
have not been implemented due to recent budget restrictions. Which of the following
should the
A. Close the audit recommendations in the tracking register
B. Report the matter to the chief financial officer (CFO) and recommend funding be
reinstated
C. Report to the audit committee that the recommendations are still open
D. Start an audit of the project funding allocation process
Answer: C
NEW QUESTION: 70
An audit of the quality management system (QMS) begins with an evaluation of the:
A. QMS document control procedures
B. sequence and interaction of QMS processes
C. organization's QMS policy
D. QMS processes and their application
Answer: C
NEW QUESTION: 71
An organization has recently converted its infrastructure to a virtualized environment. The
GREATEST benefit related to disaster recovery is that virtualized servers:
A. decrease the recovery time objective (RTO).
B. reduce the time it takes to successfully create backups.
C. eliminate the manpower necessary to restore the server.
D. can be recreated on similar hardware faster than restoring from backups.
Answer: (not shown)
NEW QUESTION: 72
Which of the following will MOST likely compromise the control provided by a digital
signature created using RSA encryption?
A. Deciphering the receiver's public key
B. Altering the plaintext message
C. Obtaining the sender's private key
D. Reversing the hash function using the digest
Answer: (not shown)
NEW QUESTION: 73
Which of the following BEST guards against the risk of attack by hackers?
A. Message validation
B. Encryption
C. Tunneling
D. Firewalls
Answer: (not shown)
NEW QUESTION: 74
Which of the following technologies has the SMALLEST maximum range for data
transmission between devices?
A. Near-field communication (NFC)
B. Bluetooth
C. Long-term evolution (LTE)
D. Wi-Fi
Answer: A
NEW QUESTION: 75
An IS auditor attempts to sample for variables in a population of items with wide
differences in values but determines that an unreasonably large number of sample items
must be selected to produce the desired confidence level. In this situation, which of the
following is the BEST audit decision?
A. Select a stratified sample
B. Lower the desired confidence level
C. Select a judgmental sample
D. Allow more time and test the required sample
Answer: A
NEW QUESTION: 76
When developing metrics to measure the contribution of IT to the achievement of business
goals, the MOST important consideration is that the metrics:
A. measure the effectiveness of IT controls in the achievement of IT strategy.
B. are used by similar industries to measure the effect of IT on business strategy.
C. provide quantitative measurement of IT initiatives in relation with business targets,
D. are expressed in terms of how IT risk impacts the achievement of business goals.
Answer: (not shown)
NEW QUESTION: 77
An organization developed a comprehensive three-year IT strategic plan. Halfway into the
plan, a major legislative change impacting the organization is enacted. Which of the
following should be management's NEXT course of action?
A. Develop specific procedural documentation related to the changed legislation
B. Perform a risk assessment of the legislative changes
C. Assess the legislation to determine whether changes are required to the strategic IT plan
D. Develop a new IT strategic plan that encompasses the new legislation
Answer: B
NEW QUESTION: 78
Which of the following BEST minimizes performance degradation of servers used to
authenticate users of an e-commerce website?
A. Configure each authentication server as belonging to a cluster of authentication servers.
B. Configure a single server as a primary authentication server and a second server as a
secondary authentication server.
C. Configure each authentication server and ensure that each disk of its RAID is attached
to the primary controller.
D. Configure each authentication server and ensure that the disks of each server form part
of a duplex.
Answer: (not shown)
NEW QUESTION: 79
An IS auditor is reviewing an enterprise database platform. The review involves statistical
methods, Benford analysis, and duplicate checks. Which of the following computer-
assisted audit technique (CAAT) tools would be MOST useful for this review?
A. Audit hooks
B. Continuous and intermittent simulation (CIS)
C. Integrated test facility (ITF)
D. Generalized audit software (GAS)
Answer: D
NEW QUESTION: 80
During an exit interview, senior management disagrees with some of the facts presented in
the draft audit report and wants them removed from the report. Which of the following would
be the auditor's BEST course of action?
A. Escalate the issue to audit management
B. Gather evidence to analyze senior management's objections
C. Revise the assessment based on senior management's objections.
D. Finalize the draft audit report without changes
Answer: B
NEW QUESTION: 81
Of the following, who should approve a release to a critical application that would make the
application inaccessible for 24 hours?
A. Project manager
B. Chief information security officer (CISO)
C. Data custodian
D. Business process owner
Answer: (not shown)
NEW QUESTION: 82
Which of the following practices BEST ensures that archived electronic information of
permanent importance is accessible over time?
A. Acquire applications that emulate old software.
B. Regularly migrate data to current technology.
C. Periodically test the integrity of the information.
D. Periodically backup the archived data.
Answer: B
NEW QUESTION: 83
Which of the following focus areas is a responsibility of IT management rather than IT
governance?
A. Risk optimization
B. IT controls implementation
C. IT resource optimization
D. Benefits realization
Answer: (SHOW ANSWER)
NEW QUESTION: 84
Which of the following is the client organization's responsibility in a Software as a Service
(SaaS) environment?
A. Detecting unauthorized access
B. Ensuring that users are properly authorized
C. Preventing insertion of malicious code
D. Ensuring the data is available when needed
Answer: (SHOW ANSWER)
NEW QUESTION: 85
An IS auditor is reviewing the installation of a new server. The IS auditor's PRIMARY
objective is to ensure that:
A. security parameters are set in accordance with the manufacturer's standards.
B. a detailed business case was formally approved prior to the purchase.
C. security parameters are set in accordance with the organization's policies.
D. the procurement project invited tenders from at least three different suppliers.
Answer: C (LEAVE A REPLY)
NEW QUESTION: 86
Which of the following is MOST likely to result from compliance testing?
A. Comparison of data with physical counts
B. Identification of errors due to processing mistakes
C. Discovery of controls that have not been applied
D. Confirmation of data with outside sources
Answer: A (LEAVE A REPLY)
NEW QUESTION: 87
Reconciliations have identified data discrepancies between an enterprise data warehouse
and a revenue system for key financial reports. What is the GREATEST risk to the
organization in this situation?
A. Financial reports may be delayed.
B. Undetected fraud may occur.
C. Decisions may be made based on incorrect information
D. The key financial reports may no longer be produced.
Answer: (SHOW ANSWER)
NEW QUESTION: 88
Which of the following IS functions can be performed by the same group or individual while
still providing the proper segregation of duties?
A. Application programming and systems analysis
B. Security administration and application programming
C. Computer operations and application programming
D. Database administration and computer operations
Answer: (SHOW ANSWER)
NEW QUESTION: 89
Which of the following is MOST important for an IS auditor to examine when reviewing an
organization's privacy policy?
A. Whether there is explicit permission from regulators to collect personal data
B. Whether sharing of personal information with third-party service providers is prohibited
C. The encryption mechanism selected by the organization for protecting personal data
D. The organization's legitimate purpose for collecting personal data
Answer: D (LEAVE A REPLY)
NEW QUESTION: 90
Which of the following BEST demonstrates that IT strategy is aligned with organizational
goals and objectives?
A. IT strategies are communicated to all business stakeholders
B. Business stakeholders are involved in approving the IT strategy.
C. The chief information officer (CIO) is involved in approving the organizational strategies
D. Organizational strategies are communicated to the chief information officer (CIO)
Answer: B (LEAVE A REPLY)
NEW QUESTION: 91
Which of the following is the BEST way to mitigate the risk associated with a document
storage application that has a syncing feature that could allow malware to spread to other
machines in the network?
A. All files should be scanned when they are uploaded to and downloaded from the
application.
B. Content inspection technologies should be used to scan files for sensitive data.
C. User behavior modeling and analysis should be performed to discover anomalies in
user behavior.
D. An audit should be conducted to detect shadow data and shadow IT in the network.
Answer: (SHOW ANSWER)
Valid CISA Dumps shared by Fast2test.com for Helping Passing CISA Exam!
Fast2test.com now offer the newest CISA exam dumps, the Fast2test.com CISA exam
questions have been updated and answers have been corrected get the newest
Fast2test.com CISA dumps with Test Engine here: https://www.fast2test.com/CISA-
practice-test.html (613 Q&As Dumps, 40%OFF Special Discount: freecram)
NEW QUESTION: 92
A bank is relocating its servers to a vendor that provides data center hosting services to
multiple clients. Which of the following controls would restrict other clients from physical
access to the bank servers?
A. Locking server cages
B. Biometric access at all data center entrances
C. 24-hour security guards
D. Closed-circuit television camera
Answer: A (LEAVE A REPLY)
NEW QUESTION: 93
The BEST way to preserve data integrity through all phases of application containerization
is to ensure which of the following?
A. Segregation of duties is developed and maintained in the application container
environment.
B. The development team performs regular patching of application containers.
C. Developers are educated about how their roles relate to application security best
practices.
D. Information security roles are defined and communicated in the information security
policy.
Answer: A (LEAVE A REPLY)
NEW QUESTION: 94
Which of the following should be of concern to an IS auditor performing a software audit on
virtual machines?
A. Applications have not been approved by the chief financial officer (CFO).
B. Software has been installed on virtual machines by privileged users.
C. Software licensing does not support virtual machines
D. Multiple users can access critical applications
Answer: C (LEAVE A REPLY)
NEW QUESTION: 95
Code changes are compiled and placed in a change folder by the developer. An
implementation team migrates changes to production from the change folder. Which of the
following BEST indicates separation of duties is in place during the migration process?
A. The developer approves changes prior to moving them to the change folder.
B. The implementation team does not have access to change the source code.
C. The implementation team does not have experience writing code.
D. A second individual performs code review before the change is released to production.
Answer: B (LEAVE A REPLY)
NEW QUESTION: 96
An organization seeks to control costs related to storage media throughout the information
life cycle while still meeting business and regulatory requirements. Which of the following is
the BEST way to achieve this objective?
A. Perform periodic tape backups.
B. Utilize solid state memory.
C. Stream backups to the cloud.
D. Implement a data retention policy.
Answer: D (LEAVE A REPLY)
NEW QUESTION: 97
Which of the following is an example of a preventative control in an accounts payable
system?
A. The system produces daily payment summary reports that staff use to compare against
invoice totals.
B. The system only allows payments to vendors who are included in the system's master
vendor list.
C. Policies and procedures are clearly communicated to all members of the accounts
payable department.
D. Backups of the system and its data are performed on a nightly basis and tested
periodically.
Answer: B (LEAVE A REPLY)
NEW QUESTION: 98
A warehouse employee of a retail company has been able to conceal the theft of inventory
items by entering adjustments for either damaged or lost stock items into the inventory
system. Which control would have BEST prevented this type of fraud in a retail
environment?
A. Unscheduled audits of lost stock lines
B. Separate authorization for input of transactions
C. An edit check for the validity of the inventory transaction
D. Statistical sampling of adjustment transactions
Answer: B (LEAVE A REPLY)
NEW QUESTION: 99
Audit management has just completed the annual audit plan for the upcoming year, which
consists entirely of high-risk processes. However, it is determined that there are insufficient
resources to execute the plan. What should be done NEXT?
A. Reduce the scope of the audits to better match the number of resources available.
B. Remove audits from the annual plan to better match the number of resources available.
C. Present the annual plan to the audit committee and ask for more resources.
D. Review the audit plan and defer some audits to the subsequent year.
Answer: C (LEAVE A REPLY)