1.exercise 1 Exam 1

Uploaded by Raziur Rahman

IT GOVERNANCE

EXAMINATION-1
Exercise Question
QUESTION: 1

Which of the following reports can MOST effectively be used to analyze a system's performance problem?

A. Database usage log.
B. Synchronization report.
C. Console log.
D. Utilization report.

Answer:

QUESTION: 2

Which of the following is BEST enabled by following a configuration management process for new applications?

A. Maintaining adequate control over changes to production.
B. Deploying approved emergency changes to production.
C. Ensuring proper testing of code before deployment.
D. Managing successful implementation of acquired software.

Answer:

QUESTION: 3

Which of the following is the BEST way to help ensure the security of privacy-related data stored by an
organization?

A. Publish the data classification scheme.
B. Classify privacy-related data as confidential.
C. Encrypt personally identifiable information.
D. Inform data owners of the purpose of collecting information.

Answer:

QUESTION: 4

Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets
into the core finance system?

A. Undocumented code formats data and transmits directly to the database.
B. The department data protection policy has not been reviewed or updated for two years.
C. There is not a complete inventory of spreadsheets, and file naming is inconsistent.
D. Spreadsheets are accessible by all members of the finance department.

Answer:

QUESTION: 5

A recent audit identified duplicate software licenses and technologies. Which of the following would be MOST
helpful to prevent this type of duplication in the future?

A. Centralizing IT procurement and approval practices.
B. Conducting periodic inventory reviews.
C. Establishing a project management office.
D. Updating IT procurement policies and procedures.
Answer:
QUESTION: 6

Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating end user
networking?

A. System-to-system.
B. Client-to-server.
C. Peer-to-peer.
D. Host-to-host.

Answer:

QUESTION: 7

An IS auditor is reviewing an organization's method to transport sensitive data between offices. Which of the
following would cause the auditor MOST concern?

A. The method relies exclusively on the use of public key infrastructure.
B. The method relies exclusively on the use of symmetric encryption algorithms.
C. The method relies exclusively on the use of digital signatures.
D. The method relies exclusively on the use of asymmetric encryption algorithms.

Answer:

QUESTION: 8

Audit software designed to detect invalid data, extreme values, or linear correlations between data elements can
be classified as which type of data analytics tool?

A. Predictive.
B. Descriptive.
C. Diagnostic.
D. Prescriptive.

Answer:

QUESTION: 9

A start-up company acquiring for its order-taking system is unable to predict the volume of transactions. Which of
the following is MOST important for the company to consider?

A. Compatibility.
B. Scalability.
C. Configuration.
D. Optimization.

Answer:

QUESTION: 10

An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy
controls in a payroll process. Which of the following would be MOST important to include?

A. User access provisioning.
B. Audit logging of administrative user activity.
C. Segregation of duties controls.
D. Approval of data changes.

Answer:
QUESTION: 11

A recent audit concluded that an organization's information security system was weak and that monitoring would
likely fail to detect penetration. Which of the following would be the MOST appropriate recommendation?

A. Identify and periodically remove sensitive data that is no longer needed.
B. Look continually for new criminal behavior and attacks on sensitive data.
C. Encrypt sensitive data while strengthening the system.
D. Establish a clear policy related to security and the handling of sensitive data.

Answer:

QUESTION: 12

A post-implementation review of a system implementation has identified that the defined objectives were changed
several times without the approval of the project board. What would the IS auditor do NEXT?

A. Determine whether the revised objectives are appropriate.
B. Notify the project sponsor and request that the project be reopened.
C. Notify the project management office and raise a finding.
D. Ask management to obtain retrospective approvals.

Answer:

QUESTION: 13

An IS auditor learns that after each scheduled batch process runs, management performs a reconciliation between
upstream and downstream data. Which of the following is MOST important for the auditor to investigate?

A. Job failure resolution controls.
B. Access to the job scheduler.
C. Results of user acceptance testing.
D. Change management over job scheduling.

Answer:

QUESTION: 14

Of the following procedures for testing a disaster recovery plan (DRP), which should be used MOST frequently?

A. Review of documented backup and recovery procedures.
B. Preplanned shutdown of the computing facility during an off-peak period.
C. Unannounced shutdown of the primary computing facility.
D. Testing at a secondary site using offsite data backups.
Answer:

QUESTION: 15

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A
preliminary investigation revealed that the discrepancies were caused by problems with the organization's data
quality. Management has directed the data quality team to enhance their program. The audit committee has asked
internal audit to be advisors to the process. After the data quality team identifies the system data at fault, which of
the following should internal audit recommend as the NEXT step in the process?

A. Identify the source data owners.
B. Develop an improvement plan.
C. Create business rules that validate data quality.
D. Identify the root cause of data quality problems.
Answer:
QUESTION: 16

Which of the following should be restricted from a network administrator's privileges in an adequately segregated
environment?

A. Changing existing configurations for applications.
B. Ensuring transmission protocols are functioning correctly.
C. Opening and closing network ports.
D. Monitoring network traffic and detecting anomalies.

Answer:

QUESTION: 17

An IS auditor reviewing a new application for compliance with information privacy principles should be MOST
concerned with:

A. collection limitation.
B. nonrepudiation.
C. awareness.
D. availability.

Answer:

QUESTION: 18

Which of the following is MOST likely to improve the portability of an application connected to a database?

A. Analyzing stored procedures and triggers.
B. Using a structured query language (SQL).
C. Optimizing the database physical schema.
D. Verifying database import and export procedures.

Answer:

QUESTION: 19

An IS auditor reviewing a recently implemented virtual environment notices discrepancies among similar machine
setups. Which of the following should the auditor recommend to minimize configuration risks?

A. Implement network best practice recommendations.
B. Implement templates to manage rapid deployment of virtual machines.
C. Perform architectural vulnerability analysis to compare current system attributes to a.
D. Perform hypervisor software updates with available patches to minimize security weaknesses.

Answer:

QUESTION: 20

When introducing a maturity model to the IT management process, it is BEST to align the maturity level to a point
that reflects which of the following?

A. Ideal business production level.
B. Maximum risk tolerance level.
C. Industry standard practice level.
D. Minimum cost expenditure level.

Answer:
QUESTION: 21

Which of the following would BEST deter the theft of corporate information from a laptop?

A. Encrypt all data on the hard drive.
B. Protect files with passwords.
C. Encrypt the file allocation table (FAT).
D. Install biometric access controls.

Answer:

QUESTION: 22

During an audit of information security procedures of a large retailer's online store, an IS auditor notes that
operating system (OS) patches are automatically deployed upon -. Which of the following should be of GREATEST
concern to the auditor?

A. Patches are not reflected in the configuration management database.
B. Patches are in conflict with current licensing agreements.
C. Patches are pushed from the vendor increasing Internet traffic.
D. Patches are not tested before installation on critical servers.

Answer:

QUESTION: 23

Which of the following is MOST critical for the effective implementation of IT governance?

A. Strong risk management practices.
B. Supportive corporate culture.
C. Documented policies.
D. Internal auditor commitment.

Answer:

QUESTION: 24

Which of the following is the MOST effective control for a utility program?

A. Installing the program on a separate server.
B. Allowing only authorized personnel to use the program.
C. Renaming the versions in the programmer’s libraries.
D. Storing the program in a production library.

Answer:

QUESTION: 25

Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve
the effectiveness of its IT processes?

A. The organization should use a capability maturity model to identify current maturity levels for each IT process.
B. IT staff should be surveyed to identify current IT process weaknesses and suggest improvements.
C. The organization should refer to poor audit reports to identify the specific IT processes to be improved.
D. IT management should include process improvement requirements in staff performance objectives.

Answer:
QUESTION: 26

Which of the following is the GREATEST risk associated with instant messaging?

A. Data logging is more difficult.
B. Data governance may become ineffective.
C. Data classification procedures may not be followed.
D. Data exfiltration is more likely to occur.

Answer:

QUESTION: 27

Which of the following is the PRIMARY reason for an IS auditor to map out the narrative of a business process?

A. To ensure alignment with organizational objectives.
B. To identify the resources required to perform the audit.
C. To verify the business process is as described in the engagement letter.
D. To gain insight into potential risks.

Answer:

QUESTION: 28

Based on the guidance of internal audit, an IT steering committee is considering the use of a balanced scorecard
to evaluate its project management process. Which of the following is the GREATEST advantage to using this
approach?

A. Information is provided in a consistent and timely manner.
B. Projects will be prioritized based on value.
C. Performance is measured from different perspectives.
D. Project schedule and budget management will improve.

Answer:

QUESTION: 29

While reviewing similar issues in an organization's help desk system, an IS auditor finds that they were analyzed
independently and resolved differently. This situation MOST likely indicates a deficiency in:

A. change management.
B. IT service level management.
C. problem management.
D. configuration management.

Answer:

QUESTION: 30

Before concluding that internal controls can be relied upon, the IS auditor should:

A. discuss the internal control weaknesses with the auditee.
B. document application controls.
C. conduct tests of compliance.
D. document the system of internal control.

Answer:
QUESTION: 31

Which of the following is the MOST important difference between end-user computing (EUC) applications and
traditional applications?

A. Traditional applications require periodic patching whereas EUC applications do not.
B. Traditional application input controls are typically more robust than EUC application input controls.
C. Traditional applications require roll-back procedures whereas EUC applications do not.
D. Traditional application documentation is typically less comprehensive than EUC application documentation.

Answer:

QUESTION: 32

Which of the following BEST ensures that only authorized software is moved into a production environment?

A. Restricting read/write access to production code to computer programmers only.
B. A librarian compiling source code into production after independent testing.
C. Assigning programming managers to transfer tested programs to production.
D. Requiring programming staff to move tested code into production.

Answer:

QUESTION: 33

Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll
fraud audit?

A. Observation of payment processing.
B. Substantive testing of payroll files.
C. Data analytics on payroll data.
D. Sample-based review of pay stubs.

Answer:

QUESTION: 34

Which of the following controls MOST effectively reduces the risk associated with use of instant messaging (IM) in
the workplace?

A. Blocking peer-to-peer (P2P) clients.
B. Session border controllers.
C. Network address translation.
D. Traffic encryption.

Answer:

QUESTION: 35

The demilitarized zone (DMZ) is the part of a network where the servers that are placed are:

A. External to the organization.
B. Interacting with the public internet.
C. Running internal department applications.
D. Running mission-critical, non-web applications.

Answer:
QUESTION: 36

When an intrusion into an organization's network is detected, which of the following should be performed FIRST?

A. Identify nodes that have been compromised.
B. Develop a response to the incident.
C. Protect information in the compromised systems.
D. Block all compromised network nodes.

Answer:

QUESTION: 37

An IT governance body wants to determine whether IT service delivery is based on consistently efficient and
effective processes. Which of the following would be the BEST approach?

A. Analyze current and future capacity.
B. Implement a balanced scorecard.
C. Conduct a gap analysis.
D. Evaluate key performance indicators (KPIs).

Answer:

QUESTION: 38

To protect information assets, which of the following should be done FIRST?

A. Back up data.
B. Classify data.
C. Restrict access to data.
D. Encrypt data.

Answer:

QUESTION: 39

Which of the following would BEST enable effective IT resource management?

A. Automating business processes.
B. Outsourcing IT processes and activities.
C. Assessing the risk associated with IT resources.
D. Establishing business priorities.

Answer:

QUESTION: 40

A PRIMARY benefit derived by an organization employing control self-assessment (CSA) techniques is that CSA:

A. Allows management to relinquish responsibilities of control.
B. Allows IS auditors to independently assess risk.
C. Can be used as a replacement for traditional audits.
D. Can identify high-risk areas for detailed review.

Answer:
QUESTION: 41

When planning for the implementation of a new system, an organization will opt for a parallel run PRIMARILY to:

A. facilitate the training of new personnel.
B. validate system processing.
C. ensure that the system meets required user response time.
D. verify that system interfaces were implemented.

Answer:

QUESTION: 42

Which of the following is the MOST likely cause of a successful firewall penetration?

A. Use of a Trojan to bypass the firewall.
B. Loophole in firewall vendor's code.
C. Virus infection.
D. Firewall misconfiguration by the administrator.

Answer:

QUESTION: 43

An IS auditor is evaluating the risks and controls associated with a virtualized environment. Which of the following
observations should be of GREATEST concern?

A. The hypervisor's security settings are not reviewed on a regular basis.
B. The hypervisor's partitioning resources have not been modified from their default settings.
C. Offline and dormant virtual machine images are not patched on the same cycle as online ones.
D. The change management process has not been updated to include virtualized environments.

Answer:

QUESTION: 44

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are
not investigated. Which of the following should be the MAJOR concern with this situation?

A. Lessons learned have not been properly documented.
B. Abuses by employees have not been reported.
C. Vulnerabilities have not been properly addressed.
D. Security incident policies are out of date.

Answer:

QUESTION: 45

To confirm integrity for a hashed message, the receiver should use:

A. a different hashing algorithm from the sender's to create a binary image of the file.
B. the same hashing algorithm as the sender's to create a binary image of the file.
C. the same hashing algorithm as the sender's to create a numerical representation of the file.
D. a different hashing algorithm from the sender's to create a numerical representation of the file.

Answer:
QUESTION: 46

Which of the following should be the MOST important consideration when establishing data classification
standards?

A. The standards comply with relevant regulations.
B. An education campaign is established upon rollout.
C. Management supports the newly developed standards.
D. Reporting metrics are established.

Answer:

QUESTION: 47

The GREATEST risk of database denormalization is:

A. Loss of database integrity.
B. Decreased performance.
C. Incorrect metadata.
D. Loss of data confidentiality.

Answer:

QUESTION: 48

Which of the following is the MOST important activity to undertake to avoid rework later in a project?

A. Phase review.
B. Control review.
C. Acceptance testing.
D. Risk assessment.

Answer:

QUESTION: 49

An organization with high security requirements is evaluating the effectiveness of biometric systems. Which of the
following performance indicators is MOST important?

A. False-rejection rate (FRR).
B. Equal-error rate (EER).
C. False-acceptance rate (FAR).
D. False-identification rate (FIR).

Answer:

QUESTION: 50

A new regulatory standard for data privacy requires an organization to protect personally identifiable information
(PII). Which of the following is MOST important to include in the audit engagement plan to assess compliance with
the new standard?

A. Review of data protection procedures.
B. Review of data loss risk scenarios.
C. Identification of IT systems that host PII.
D. Identification of unencrypted PII.

Answer:
QUESTION: 51

A manufacturing company is implementing application software for its sales and distribution system. Which of the
following is the MOST important reason for the company to choose a centralized online database?

A. Enhanced integrity controls.
B. Elimination of multiple points of failure.
C. Enhanced data redundancy.
D. Elimination of the need for data normalization.

Answer: A

QUESTION: 52

Which of the following is the BEST method to assess the adequacy of security awareness in an organization?

A. Observing employee security behaviors.
B. Interviewing employees about security responsibility.
C. Confirming a security awareness program exists.
D. Administering security survey questionnaires.

Answer:

QUESTION: 53

To test the integrity of the data in the accounts receivable master file, an IS auditor is particularly interested in
reviewing customers with balances over $400,000. The selection technique the IS auditor would use to obtain such
a sample is called:

A. Stratification.
B. Discovery sampling.
C. Systematic selection.
D. Random selection.

Answer:

QUESTION: 54

Which of the following is an advantage of using electronic data interchange (EDI)?

A. Contracts with the vendors are simplified.
B. Multiple inputs of the same document are allowed at different locations.
C. Transcription of information is reduced.
D. Data validation is provided by the service provider.

Answer:

QUESTION: 55

For mission-critical applications with a low recovery time objective (RTO), which of the following is the BEST backup
strategy?

A. Frequent back-ups to tape.
B. Archiving to conventional disk.
C. Use of virtual tape libraries.
D. Mirroring.

Answer:
QUESTION: 56

Which of the following is the PRIMARY advantage of using virtualization technology for corporate applications?

A. Improved disaster recovery.
B. Stronger data security.
C. Increased application performance.
D. Better utilization of resources.

Answer:

QUESTION: 57

Which of the following would be the MOST effective control to mitigate unintentional misuse of authorized access?

A. Security awareness training.
B. Annual sign-off of acceptable use policy.
C. Regular monitoring of user access logs.
D. Formalized disciplinary action.

Answer:

QUESTION: 58

When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST

A. measure the effectiveness of IT controls in the achievement of IT strategy.
B. are used by similar industries to measure the effect of IT on business strategy.
C. provide quantitative measurement of IT initiatives in relation with business targets.
D. are expressed in terms of how IT risk impacts the achievement of business goals.

Answer:

QUESTION: 59

During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public facing web server used to
process online customer orders via credit card. The IS auditor should FIRST:

A. notify management.
B. redesign the customer order process.
C. suspend credit card processing.
D. document the finding in the report.

Answer:

QUESTION: 60

In an online application, which of the following would provide the information about the transaction audit trail?

A. File layouts.
B. Source code documentation.
C. System/process flowchart.
D. Data architecture.

Answer:
QUESTION: 61

The MOST efficient way to confirm that an ERP system being implemented satisfies business expectations is to
utilize which of the following types of testing?

A. Sociability.
B. Pilot.
C. Parallel.
D. Alpha.

Answer:

QUESTION: 62

During an audit of an organization's incident management process, an IS auditor learns that the security operations
team includes detailed reports of recent attacks in its communications to employees. Which of the following is the
GREATEST concern with this situation?

A. There is not a documented procedure to communicate the reports.
B. Employees may fail to understand the severity of the threats.
C. The reports may be too complex for a nontechnical audience.
D. Employees may misuse the information in the reports.

Answer:

QUESTION: 63

Internal audit reports should be PRIMARILY written for and communicated to:

A. auditees, as they will eventually have to implement the recommendations.
B. senior management, as they should be informed about the identified risks.
C. external auditors, as they provide an opinion on the financial statements.
D. audit management as they are responsible for the quality of the audit.

Answer:

QUESTION: 64

Which of the following is the MOST efficient solution for a multi-location healthcare organization that wants to be
able to access patient data wherever patients present themselves for care?

A. Infrastructure as a Service (IaaS) provider.
B. Dynamic localization.
C. Network segmentation.
D. Software as a Service (SaaS) provider.

Answer:

QUESTION: 65

After the release of an application system, an IS auditor wants to verify that the system is providing value to the
organization. The auditor's BEST course of action would be to:

A. Review the results of compliance testing.
B. Confirm that risk has declined since the application system release.
C. Quantify improvements in client satisfaction.
D. Perform a gap analysis against the benefits defined in the business case.
Answer:
QUESTION: 66

What is the BEST population to select from when testing that programs are migrated to production with proper
approval?

A. Completed change request forms.
B. Change advisory board meeting minutes.
C. List of production programs.
D. List of changes provided by application programming managers.

Answer:

QUESTION: 67

What is the PRIMARY advantage of prototyping as part of systems development?

A. Eliminates the need for internal controls.
B. Increases accuracy in reporting.
C. Reduces the need for compliance testing.
D. Maximizes user satisfaction.

Answer:

QUESTION: 68

When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST
concerned with inappropriate:

A. Tuning.
B. Patching.
C. Training.
D. Encryption.

Answer:

QUESTION: 69

During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier
master file. Which of the following controls would have BEST prevented such an occurrence?

A. Referential integrity developed.
B. Logical relationship check.
C. Table look-ups.
D. Existence check.

Answer:

QUESTION: 70

Which of the following is the BEST point in time to conduct a post-implementation review (PIR)?

A. Immediately after deployment.
B. After a full processing cycle.
C. To coincide with annual PIR cycle.
D. Six weeks after deployment.

Answer:
QUESTION: 71

Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?

A. Integrity of records.
B. Distribution of records.
C. Confidentiality of records.
D. Availability of records.

Answer:

QUESTION: 72

An IS auditor notes that help desk personnel are required to make critical decisions during major service
disruptions. Which of the following is the auditor's BEST recommendation to address this situation?

A. Implement an incident response plan.
B. Establish shared responsibility among business peers.
C. Provide historical incident response information for the help desk.
D. Introduce classification of disruptions by risk category.

Answer:

QUESTION: 73

Which of the following is MOST likely to be spoofed in an email transmission?

A. The path the message traveled through the Internet.
B. The identity of the sending host.
C. The identity of the sender.
D. The identity of the receiving host.

Answer:

QUESTION: 74

An IS auditor has discovered that unauthorized customer management software was installed on a workstation.
The auditor determines the software has been uploading customer data to an external party. Which of the following
is the IS auditor's BEST course of action?

A. Review other workstations to determine the extent of the incident.
B. Notify the incident response team.
C. Present the issue at the next audit progress meeting.
D. Determine the number of customer records that were uploaded.

Answer:

QUESTION: 75

Which of the following audit procedures would assist an IS auditor in determining the effectiveness of a business
continuity plan (BCP)?

A. Performing an assessment of BCP test documentation.
B. Performing a maturity assessment of BCP methodology against industry standards.
C. Participating in BCP meetings held with user department managers.
D. Observing tests of the BCP performed at the alternate processing site.

Answer:
QUESTION: 76

An IS auditor is performing a post-implementation review of a system deployed two years ago. Which of the
following findings should be of MOST concern to the auditor?

A. Workarounds due to remaining defects had to be used longer than anticipated.
B. Benefits as stated in the business case have not been realized.
C. The system has undergone several change requests to further extend functionality.
D. Maintenance costs were not included in the project lifecycle costs.

Answer:

QUESTION: 77

Which of the following are BEST suited for continuous auditing?

A. Manual transactions.
B. Low-value transactions.
C. Irregular transactions.
D. Real-time transactions.

Answer:

QUESTION: 78

Which of the following would provide management with the MOST reasonable assurance that a new data
warehouse will meet the needs of the organization?

A. Appointing data stewards to provide effective data governance.
B. Facilitating effective communication between management and developers.
C. Integrating data requirements into the system development life cycle (SDLC).
D. Classifying data quality issues by the severity of their impact to the organization.

Answer:

QUESTION: 79

Which of the following is the GREATEST risk associated with in-house program development and customization?

A. The lack of a quality assurance function.
B. The lack of a test environment.
C. The lack of secure coding expertise.
D. The lack of documentation for programs developed.

Answer:

QUESTION: 80

An IS auditor is evaluating the access controls at a multinational company with a shared network infrastructure.
Which of the following is MOST important?

A. Remote network administration.
B. Simplicity of end-to-end communication paths.
C. Common security policies.
D. Logging of network information at user level.

Answer:
QUESTION: 81

An organization has outsourced its data processing function to a service provider. Which of the following would
BEST determine whether the service provider continues to meet the organization's objectives?

A. Adequacy of the service provider's insurance.
B. Review of performance against service level agreements (SLAs).
C. Assessment of the personnel training processes of the provider.
D. Periodic audits of controls by an independent auditor.

Answer:

QUESTION: 82

Which of the following would be MOST important for an IS auditor to review during an audit of an automated
continuous monitoring process being used by the finance department?

A. Management sign-off of test documentation.
B. Resiliency of the monitoring service.
C. Configuration of the monitoring tool.
D. Dual control and approvals embedded in processes.

Answer:

QUESTION: 83

Which of the following is the MOST effective way to assess whether an outsourcer's controls are following the
service level agreement (SLA)?

A. Review the outsourcer's monthly service reports.
B. Perform an onsite review of the outsourcer.
C. Perform a review of penalty clauses for non-performance.
D. Review an internal audit report from the outsourcer's auditor.

Answer:

QUESTION: 84

Which of the following should be the PRIMARY consideration when developing an IT strategy?

A. Alignment with overall business objectives.
B. IT key performance indicators based on business objectives.
C. Short and long-term plans for the enterprise IT architecture.
D. Alignment with the IT investment portfolio.

Answer:

QUESTION: 85

Which of the following is MOST important to ensure when planning a black box penetration test?

A. The management of the client organization is aware of the testing.
B. The test results will be documented and communicated to management.
C. Diagrams of the organization's network architecture are available.
D. The environment and penetration test scope have been determined.

Answer:
QUESTION: 86

Implementing which of the following would BEST address issues relating to the aging of IT systems?

A. IT project management
B. Release management
C. Application portfolio management
D. Configuration management

Answer:

QUESTION: 87

An organization with high availability resource requirements is selecting a provider for cloud computing.

Which of the following would cause the GREATEST concern to an IS auditor? The provider:

A. deploys patches automatically without testing.
B. does not store backup media offsite.
C. hosts systems for the organization's competitor.
D. is not internationally certified for high availability.

Answer:

QUESTION: 88

Which of the following is the BEST way to help ensure new IT implementations align with enterprise architecture
principles and requirements?

A. Document the security view as part of the enterprise architecture.
B. Conduct enterprise architecture reviews as part of the change advisory board.
C. Perform mandatory post-implementation reviews of IT implementations.
D. Consider stakeholder concerns when defining the enterprise architecture.

Answer:

QUESTION: 89

Privileged account access is required to start an ad hoc batch job. Which of the following would MOST effectively
detect unauthorized job execution?

A. Introducing job execution request procedures.
B. Executing the job through two-factor authentication.
C. Requiring manual approval by an authorized user.
D. Reconciling user activity logs against authorization.

Answer:
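The reconciliation in option D is a detective control: the scheduler's audit trail is matched after the fact against the register of approved requests, and anything that ran without a matching approval (wrong user, wrong job, outside the approved window, or a second run on a single-use approval) is reported. The following is an added example, not part of the original exam material; the log format, user names, job names, ticket numbers and the "one approval authorizes one execution" rule are all constructed assumptions for illustration.

```python
"""Q89 detective control: reconcile privileged ad hoc job executions against
the approved-request register. Log layout, users, jobs and tickets are
constructed for this example (assumption), not taken from any real system."""
import re
from datetime import datetime

# Constructed sample of a job-scheduler audit log (who started which job, when,
# under which privileged account).
JOB_LOG = """\
2024-03-04T02:11:08Z user=ops_alice job=ACCT_RECALC account=svc_batch_admin result=OK
2024-03-04T03:40:51Z user=ops_bob job=PAYROLL_FIX account=svc_batch_admin result=OK
2024-03-04T14:05:22Z user=ops_alice job=ACCT_RECALC account=svc_batch_admin result=OK
2024-03-05T09:12:00Z user=dev_carol job=PAYROLL_FIX account=svc_batch_admin result=OK
"""

# Constructed approved-request register (change tickets): requester, job and the
# window during which a single execution was approved.
APPROVALS = [
    {"ticket": "CHG-1001", "user": "ops_alice", "job": "ACCT_RECALC",
     "valid_from": "2024-03-04T01:00:00Z", "valid_to": "2024-03-04T04:00:00Z"},
    {"ticket": "CHG-1002", "user": "ops_bob", "job": "PAYROLL_FIX",
     "valid_from": "2024-03-04T03:00:00Z", "valid_to": "2024-03-04T05:00:00Z"},
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) job=(?P<job>\S+) "
    r"account=(?P<account>\S+) result=(?P<result>\S+)$"
)


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> list:
    """Parse the scheduler log into event dicts; refuse lines that do not fit,
    so a silently malformed log cannot hide executions from the reconciliation."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparseable log line: {line!r}")
        event = match.groupdict()
        event["ts"] = _parse_ts(event["ts"])
        events.append(event)
    return events


def find_unauthorized(events: list, approvals: list) -> list:
    """Return every execution with no matching approval (same user, same job,
    timestamp inside the approved window). Each approval is consumed by the
    first execution it covers, so a repeat run inside the window is flagged too."""
    remaining = [
        dict(a, valid_from=_parse_ts(a["valid_from"]), valid_to=_parse_ts(a["valid_to"]))
        for a in approvals
    ]
    unauthorized = []
    for event in events:
        match = next(
            (a for a in remaining
             if a["user"] == event["user"] and a["job"] == event["job"]
             and a["valid_from"] <= event["ts"] <= a["valid_to"]),
            None,
        )
        if match is None:
            unauthorized.append(event)
        else:
            remaining.remove(match)
    return unauthorized


if __name__ == "__main__":
    for ev in find_unauthorized(parse_log(JOB_LOG), APPROVALS):
        print(f"UNAUTHORIZED {ev['ts']:%Y-%m-%d %H:%M} {ev['user']} ran {ev['job']}")
```

On the constructed data the first two executions are covered by CHG-1001 and CHG-1002; the afternoon re-run by ops_alice and the run by dev_carol (who holds no approval at all) are reported. Options A and C are preventive paper controls and option B only strengthens authentication of whoever runs the job; none of them surfaces an execution that bypassed the request process, which is what the log-to-authorization reconciliation does.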

QUESTION: 90

Which of the following is a detective control?

A. A router rule restricting a service.
B. Programmed edit checks.
C. Procedures for authorizing transactions.
D. Echo checks in telecommunications.

Answer:
QUESTION: 91

Loading of illegal software packages onto a network by an employee is MOST effectively detected by:

A. regular scanning of hard drives.
B. diskless workstations.
C. maintaining current antivirus software.
D. logging of activity on network drives.

Answer:

QUESTION: 92

Which of the following would be considered a corrective control when designing the security of a data center?

A. Security guards.
B. Fire extinguisher.
C. Closed-circuit television (CCTV).
D. Perimeter fence.

Answer:

QUESTION: 93

An IS audit manager finds that data manipulation logic developed by the audit analytics team leads to incorrect
conclusions. This inaccurate logic is MOST likely an indication of which of the following?

A. Poor change controls over data sets collected from the business.
B. Incompatibility between data volume and analytics processing capacity.
C. Poor security controls that grant inappropriate access to analysis produced.
D. The team's poor understanding of the business process being analyzed.

Answer:

QUESTION: 94

The MAIN objective of incident management is to:

A. permit the incident to go on and follow the trail back to the beginning.
B. have an external computer security incident response team assess damage.
C. keep the business going while the response is occurring.
D. test for readiness to respond when facing an incident.

Answer:

QUESTION: 95

An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has
ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?

A. Threat risk assessment.
B. Compliance testing.
C. Vulnerability assessment.
D. Penetration testing.

Answer:
QUESTION: 96

Stress testing should ideally be carried out under a:

A. production environment with production workloads.
B. test environment with production workloads.
C. production environment with test data.
D. test environment with test data.

Answer:

QUESTION: 97

An internal audit has revealed a large number of incidents for which root cause analysis has not been performed.
Which of the following is MOST important for the IS auditor to verify to determine whether there is an audit issue?

A. Frequency of the incidents.
B. Cost of resolving the incidents.
C. Time required to resolve the incidents.
D. Severity level of the incidents.

Answer:

QUESTION: 98

Due to cost constraints, a company defers the replacement of hardware supporting core applications. Which of the
following represents the GREATEST risk?

A. Maintenance costs may rise.
B. Future upgrades may not be possible.
C. Systems availability may suffer.
D. Eventual replacement may be more expensive.

Answer:

QUESTION: 99

The information security function in a large organization is MOST effective when:

A. partnered with the IS development team to determine access rights.
B. decentralized as close to the user as possible.
C. established at a corporate-wide level.
D. the function reports directly to the IS operations manager.

Answer:

QUESTION: 100

An IS auditor is conducting a review of an organization's information systems and discovers data that is no longer
needed by business applications. Which of the following would be the IS auditor's BEST recommendation?

A. Ask the data custodian to remove it after confirmation from the business user.
B. Assess the data according to the retention policy.
C. Keep the data and protect it using a data classification policy.
D. Back up the data to removable media and store in a secure area.

Answer:
QUESTION: 101

An organization allows employees to use personally owned mobile devices to access customers' personal
information. An IS auditor's GREATEST concern should be whether:

A. Devices have adequate storage and backup capabilities.
B. Devices have the capability to segregate business and personal data.
C. Mobile device security policies have been implemented.
D. Mobile devices are compatible with company infrastructure.

Answer:

QUESTION: 102

An IS auditor identifies key controls that have been overridden by management. The next step the IS auditor should
take is to:

A. Perform procedures to quantify the irregularities.
B. Withdraw from the engagement.
C. Recommend compensating controls.
D. Report the absence of key controls to regulators.

Answer:

QUESTION: 103

Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

A. Number of false negatives.
B. Number of false positives.
C. Legitimate traffic blocked by the system.
D. Reliability of IDS logs.

Answer:

QUESTION: 104

Which of the following would provide the BEST evidence for use in a forensic investigation of an employee's hard
drive?

A. Memory dump to an external hard drive.
B. Bit-stream copy of the hard drive.
C. A file level copy of the hard drive.
D. Prior backups.

Answer:
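The difference between options B and C is what the copy can contain: a file-level copy reproduces only what the file system still lists, while a bit-stream (sector-by-sector) image also captures unallocated space, slack and the remains of deleted files, and its hash can be compared with the source to show nothing changed. The following is an added example, not part of the original exam material; the "disk" is a constructed toy of fixed-size sectors with a hand-made directory, not a real file system, and the file contents are invented.

```python
"""Q104: why a bit-stream image is better evidence than a file-level copy.
The disk layout below is a constructed toy (assumption): six 16-byte sectors,
a directory listing only the live file, and a deleted file whose sectors
are still on the medium because only its directory entry was removed."""
import hashlib

SECTOR = 16


def make_disk():
    """Return (raw medium bytes, directory). The directory is what a file-level
    copy sees; the raw bytes are what a bit-stream image captures."""
    sectors = [b"\x00" * SECTOR for _ in range(6)]
    sectors[1] = b"quarterly.xlsx  "   # live file, one sector
    sectors[3] = b"DRAFT: resign 3/"   # deleted file: entry gone, data remains
    sectors[4] = b"1, take client l"
    assert all(len(s) == SECTOR for s in sectors)
    directory = {"quarterly.xlsx": [1]}   # the deleted file is no longer listed
    return b"".join(sectors), directory


def file_level_copy(disk: bytes, directory: dict) -> dict:
    """Option C: copy only the sectors the directory still points at."""
    return {
        name: b"".join(disk[s * SECTOR:(s + 1) * SECTOR] for s in sectors)
        for name, sectors in directory.items()
    }


def bit_stream_copy(disk: bytes):
    """Option B: duplicate every sector, allocated or not, and hash source and
    image so the investigator can show the image is a faithful copy."""
    image = bytes(disk)
    return image, hashlib.sha256(disk).hexdigest(), hashlib.sha256(image).hexdigest()


def carve(blob: bytes, needle: bytes) -> bool:
    """Crude carving: search the raw bytes for content regardless of whether any
    directory entry still refers to it."""
    return blob.find(needle) != -1


if __name__ == "__main__":
    disk, directory = make_disk()
    files = file_level_copy(disk, directory)
    image, h_src, h_img = bit_stream_copy(disk)
    print("file copy contains draft:", carve(b"".join(files.values()), b"DRAFT"))
    print("image contains draft:    ", carve(image, b"DRAFT"))
    print("image hash matches source:", h_src == h_img)
```

The deleted draft is recoverable from the image but absent from the file-level copy, and the matching hashes are the integrity evidence an investigator records alongside the image. A memory dump (option A) and prior backups (option D) are useful in their own right but do not reproduce the current state of the drive.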

QUESTION: 105

Which of the following would be the MOST appropriate reason for an organization to purchase fault-tolerant
hardware?

A. Minimizing business loss.
B. Improving system performance.
C. Reducing hardware maintenance costs.
D. Compensating for the lack of contingency planning.

Answer:
QUESTION: 106

Documentation of workaround processes to keep a business function operational during recovery of IT systems is
a core part of a:

A. business continuity plan.
B. threat and risk assessment.
C. business impact analysis.
D. disaster recovery plan.

Answer:

QUESTION: 107

Due to the small size of the payroll department, an organization is unable to segregate the employee setup and
payroll processing functions. Which of the following would be the BEST compensating control for the lack of
segregation of duties?

A. A review is conducted to verify that terminated employees are removed from the employee master file.
B. A payroll variance report is reviewed for anomalies every pay period.
C. The system is configured to require secondary approval for changes to the employee master file.
D. An independent payroll disbursement review is conducted.

Answer:

QUESTION: 108

During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be MOST
concerned with the:

A. allocation of resources during an emergency.
B. differences in IS policies and procedures.
C. maintenance of hardware and software compatibility.
D. frequency of system testing.

Answer:

QUESTION: 109

Which of the following controls MOST efficiently ensures that orders transmitted from a sales office to a production
warehouse are received accurately and completely?

A. Transaction totals and record counts should be sent and reconciled before transaction processing.
B. Continuity of numerical sequences for all sales orders should be checked.
C. Data should be sent back to the originating site and compared to what was sent to production.
D. Parity checking should be incorporated into all data transmissions.

Answer:
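Option A is a batch control: the sender attaches a trailer with the record count and control totals, and the receiver recomputes them over what actually arrived before processing anything, so a dropped, duplicated or altered record is caught without re-transmitting the whole batch (option C) and without relying on a per-character check such as parity (option D) that cannot detect a missing record. The following is an added example, not part of the original exam material; the order-line layout, the trailer format and the addition of a content digest next to the classic count and totals are constructed assumptions.

```python
"""Q109: batch control totals for a transmitted order file.
Record layout 'order_no,qty,amount' and trailer 'TRL,count,qty_total,amount_total,digest'
are constructed for this example (assumption)."""
import hashlib
from decimal import Decimal


def build_batch(orders: list) -> list:
    """Sender side. orders: list of (order_no, qty, amount_as_str).
    Returns the detail records followed by a trailer carrying the record
    count, a quantity hash total, the amount total and a digest of the content."""
    lines = [f"{order_no},{qty},{amount}" for order_no, qty, amount in orders]
    count = len(orders)
    qty_total = sum(qty for _, qty, _ in orders)
    amt_total = sum((Decimal(amount) for _, _, amount in orders), Decimal("0"))
    digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    return lines + [f"TRL,{count},{qty_total},{amt_total},{digest}"]


def verify_batch(received: list):
    """Receiver side. Recompute every control over the detail records and compare
    with the trailer BEFORE any record is posted. Returns (ok, problems)."""
    if not received:
        return False, ["empty transmission"]
    *details, trailer = received
    fields = trailer.split(",")
    if len(fields) != 5 or fields[0] != "TRL":
        return False, ["trailer missing or malformed"]
    _, count, qty_total, amt_total, digest = fields
    parsed = [d.split(",") for d in details]
    problems = []
    if len(details) != int(count):
        problems.append(f"record count {len(details)} != {count}")
    if sum(int(p[1]) for p in parsed) != int(qty_total):
        problems.append("quantity hash total mismatch")
    if sum((Decimal(p[2]) for p in parsed), Decimal("0")) != Decimal(amt_total):
        problems.append("amount total mismatch")
    if hashlib.sha256("\n".join(details).encode()).hexdigest() != digest:
        problems.append("content digest mismatch")
    return (not problems), problems


if __name__ == "__main__":
    # Constructed sample orders.
    batch = build_batch([("SO-1001", 5, "10.50"), ("SO-1002", 2, "7.25"), ("SO-1003", 1, "13.00")])
    print(verify_batch(batch))                       # intact
    print(verify_batch(batch[:1] + batch[2:]))       # one record lost in transit
    swapped = list(batch)
    swapped[0], swapped[1] = "SO-1001,2,10.50", "SO-1002,5,7.25"
    print(verify_batch(swapped))                     # quantities swapped between records
```

The swapped-quantity case is why a count and a single total are not quite enough on their own: both still agree, and only the content digest (or a second hash total keyed on order number) shows the records were altered. The check is run before posting because, once the partial batch has been processed, the reconciliation becomes a clean-up exercise instead of a control.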

QUESTION: 110

Which of the following should an IS auditor expect to find in an organization's information security policies?

A. Asset provisioning lifecycle.
B. Authentication requirements.
C. Security configuration settings.
D. Secure coding procedures.

Answer:
QUESTION: 111

Which of the following observations noted during a review of the organization's social media practices should be
of MOST concern to the IS auditor?

A. The organization does not have a documented social media policy.
B. The organization does not require approval for social media posts.
C. More than one employee is authorized to publish on social media on behalf of the organization.
D. Not all employees using social media have attended the security awareness program.

Answer:

QUESTION: 112

Which of the following is the BEST way to reduce the risk of vulnerabilities during the rapid deployment of
container-based applications to a hybrid cloud?

A. Conduct a post-deployment security audit to identify vulnerabilities.
B. Review development and operations (DevOps) policies and procedures.
C. Conduct security auditing during the development life cycle.
D. Review a sample of historical production changes to identify abnormalities.

Answer:

QUESTION: 113

An IS auditor is reviewing an organization's implementation of a bring your own device (BYOD) program. Which of
the following would be the BEST recommendation to help ensure sensitive data is protected if a device is in the
possession of an unauthorized individual?

A. Enable remote wiping of critical data.
B. Enable the location service feature on devices.
C. Authenticate device users when accessing the corporate network.
D. Encrypt data on devices including storage media.

Answer:

QUESTION: 114

An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:

A. evaluate physical access control.
B. review reciprocal agreements.
C. analyze system restoration procedures.
D. review logical access controls.

Answer:

QUESTION: 115

During the procurement process which of the following would be the BEST indication that prospective vendors will
meet the organization's needs?

A. A service catalog is documented.
B. An account transition manager has been identified.
C. Expected service levels are defined.
D. The vendor's subcontractors have been identified.

Answer:
QUESTION: 116

An organization's audit charter should:

A. detail the audit objectives.
B. define the auditors' right to access information.
C. include the IS audit plan.
D. set the enterprise strategic direction.

Answer:

QUESTION: 117

The BEST data backup strategy for mobile users is to:

A. synchronize data directories automatically over the network.
B. mirror all data to a portable storage device.
C. have them regularly go to branch offices to perform backups.
D. have them regularly back up data directories onto CD and courier the backups to the head office.

Answer:

QUESTION: 118

When auditing the effectiveness of a biometric system, which of the following indicators would be MOST important
to review?

A. False acceptance rate.
B. False negatives.
C. System response time.
D. Failure to enroll rate.

Answer:

QUESTION: 119

During the evaluation of a firm's newly established whistleblower system, an auditor notes several findings. Which
of the following should be the auditor's GREATEST concern?

A. The whistleblower system does not track the time and date of submission.
B. The whistleblower's privacy is not protected.
C. The whistleblower system is only available during business hours.
D. New employees have not been informed of the whistleblower policy.

Answer:

QUESTION: 120

Which of the following is the BEST way for an IT forensics investigator to detect evidence of steganography?

A. Identify and analyze emergent properties within a file system's metadata.
B. Recover deleted files from a suspected hard drive utilizing forensics software.
C. Scan computer operating systems using administrative tools.
D. Compare file hashes between original and modified image files.

Answer:
QUESTION: 121

Which of the following requires a consensus by key stakeholders on IT strategic goals and objectives?

A. Benchmarking.
B. Balanced scorecards.
C. Maturity models.
D. Peer reviews.

Answer:

QUESTION: 122

After an external IS audit, which of the following should be IT management's MAIN consideration when determining
the prioritization of follow-up activities?

A. The availability of the external auditors.
B. The amount of time since the initial audit was completed.
C. The materiality of the reported findings.
D. The scheduling of major changes in the control environment.

Answer:

QUESTION: 123

Which of the following would represent an acceptable test of an organization's business continuity plan?

A. Paper test involving functional areas.
B. Benchmarking the plan against similar organizations.
C. Walk-through of the plan with technology suppliers.
D. Full test of computer operations at an emergency site.

Answer:

QUESTION: 124

Which of the following is a directive control?

A. Implementing an information security policy.
B. Configuring data encryption software.
C. Establishing an information security operations team.
D. Updating data loss prevention software.

Answer:

QUESTION: 125

Which of the following types of controls would BEST facilitate a root cause analysis for an information security
incident?

A. Detective.
B. Corrective.
C. Preventive.
D. Directive.

Answer:
QUESTION: 126

Which of the following is the BEST source for describing the objectives of an organization's information systems?

A. Business process owners.
B. IT management.
C. End users.
D. Information security management.

Answer:

QUESTION: 127

An organization is replacing a mission-critical system. Which of the following is the BEST implementation strategy
to mitigate and reduce the risk of system failure?

A. Staged.
B. Big-bang.
C. Phased.
D. Parallel.

Answer:

QUESTION: 128

An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective actions have
not been taken and that the associated risk has been accepted by senior management. If the auditor disagrees with
management's decision, what is the BEST way to address the situation?

A. Take no action since management's decision has been made.
B. Recommend new corrective actions to mitigate the accepted risk.
C. Report the issue to the chief audit executive for resolution.
D. Repeat the audit with audit scope only covering areas with accepted risks.

Answer:

QUESTION: 129

Which of the following controls is MOST appropriate against brute force attacks at login?

A. Locking the account after three invalid passwords.
B. Storing password files using one-way encryption.
C. Storing passwords under a one-way hash function.
D. Increasing the minimum password length to 10 characters.

Answer:
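The distinction the question is after is between an online guessing attack against the login interface and an offline attack against a stolen password file. Hashing (options B and C) only helps once the file has leaked, and a longer minimum length (option D) merely enlarges the space the attacker has to guess through; a lockout threshold (option A) bounds the number of guesses the interface will accept at all. The following is an added example, not part of the original exam material; the threshold of three, the user names, the passwords and the wordlist are constructed for illustration, and real deployments usually pair a lockout with a time-based reset so that the control cannot be turned into a denial of service against legitimate users.

```python
"""Q129: an account lockout bounds an online brute-force attack at the login
interface, regardless of how the password is stored. User names, passwords,
the wordlist and the threshold of 3 are constructed for this example (assumption)."""
import hashlib
import hmac
import os

LOCKOUT_THRESHOLD = 3          # consecutive failures before the account locks
PBKDF2_ITERATIONS = 100_000    # slows OFFLINE cracking of a leaked file; irrelevant to the online bound


class LoginService:
    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> consecutive failed attempts
        self._locked = set()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Failures are counted per account, not per
        source address, so spreading guesses over many clients does not reset the count."""
        if username in self._locked:
            return "locked"
        record = self._users.get(username)
        if record is None:
            ok = False    # unknown accounts take the same path so the response does not leak existence
        else:
            salt, stored = record
            ok = hmac.compare_digest(stored, self._hash(password, salt))
        if ok:
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        if self._failures[username] >= LOCKOUT_THRESHOLD:
            self._locked.add(username)
            return "locked"
        return "denied"


def brute_force(service: LoginService, username: str, candidates: list):
    """Attacker's loop over a wordlist. Returns (password_found_or_None, attempts_made)."""
    for attempts, guess in enumerate(candidates, 1):
        result = service.login(username, guess)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, len(candidates)


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse")
    wordlist = ["123456", "password", "letmein", "qwerty", "correct horse"]  # constructed
    print(brute_force(svc, "alice", wordlist))          # stops after 3 guesses, nothing found
    print(svc.login("alice", "correct horse"))          # even the right password is now refused
```

The last line is the trade-off an auditor should note: after lockout the legitimate user is refused as well, so the control needs an unlock procedure (time-based or help-desk verified) or an attacker can lock accounts on purpose.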

QUESTION: 130

During a review of an application system, an IS auditor identifies automated controls designed to prevent the entry
of duplicate transactions. What is the BEST way to verify that the controls work as designed?

A. Enter duplicate transactions in a copy of the live system.
B. Review quality assurance (QA) test results.
C. Use generalized audit software for seeking data corresponding to duplicate transactions.
D. Implement periodic reconciliations.

Answer:
QUESTION: 131

Which of the following should be performed FIRST when preparing to deploy a major upgrade to a critical online
application?

A. Update the business impact analysis (BIA).
B. Review data backup procedures.
C. Update the disaster recovery process.
D. Test the rollback process.

Answer:

QUESTION: 132

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective
actions that are different from those originally discussed and agreed with the audit function. In order to resolve the
situation, the IS auditor's BEST course of action would be to:

A. determine whether the alternative controls sufficiently mitigate the risk and record the results.
B. reject the alternative controls and re-prioritize the original issue as high risk.
C. postpone follow-up activities and escalate the alternative controls to senior audit management.
D. schedule another audit due to the implementation of alternative controls.

Answer:

QUESTION: 133

When reviewing a disaster recovery plan (DRP) an IS auditor should examine the:

A. Offsite data file storage.
B. Access to the computer site by the backup staff.
C. Fire-fighting equipment.
D. Uninterruptible power supply (UPS).

Answer:

QUESTION: 134

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the
auditor's NEXT course of action?

A. Report the security posture of the organization.
B. Determine the risk of not replacing the firewall.
C. Determine the value of the firewall.
D. Report the mitigating control.

Answer:

QUESTION: 135

Which of the following is the MOST important consideration when developing an online business architecture and
recovery strategy?

A. Vendors' financial stability.
B. Immediate problem resolution.
C. Vendors' network security.
D. Single points of failure.

Answer:
QUESTION: 136

Which of the following roles combined with the role of a database administrator (DBA) will create a segregation of
duties conflict?

A. Systems analyst.
B. Security administrator.
C. Quality assurance.
D. Application end user.

Answer:

QUESTION: 137

Which of the following is MOST helpful in preventing a systems failure from occurring when an application is
replaced using the abrupt changeover technique?

A. Comprehensive documentation.
B. Change management.
C. Comprehensive testing.
D. Threat and risk assessment.

Answer:

QUESTION: 138

An IS auditor observed that most users do not comply with physical access controls. The business manager has
explained that the control design is inefficient. What is the auditor's BEST course of action?

A. Recommend changing the access control process to increase efficiency.
B. Work with management to design and implement a better control.
C. Redesign and retest the physical access control.
D. Identify the impact of control failure and report the finding with a risk rating.

Answer:

QUESTION: 139

An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence.
What is the MOST significant risk from this observation?

A. Daily schedules may not be accurate.
B. The job may not have run to completion.
C. The job completes with invalid data.
D. Previous jobs may have failed.

Answer:

QUESTION: 140

A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal
data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which
of the following would be MOST helpful in making this assessment?

A. Identifying data security threats in the affected jurisdiction.
B. Identifying business processes associated with personal data exchange with the affected jurisdiction.
C. Developing an inventory of all business entities that exchange personal data with the affected jurisdiction.
D. Reviewing data classification procedures associated with the affected jurisdiction.

Answer:
QUESTION: 141

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of incident response
procedures?

A. End users have not completed security awareness training.
B. Senior management is not involved in the incident response process.
C. Critical incident response events are not recorded in a centralized repository.
D. There is no procedure in place to learn from previous security incidents.

Answer:

QUESTION: 142

An IT service desk has recorded several incidents related to server downtime following the failure of a network
time protocol (NTP) server. Which of the following is the BEST methodology to help identify the root cause?

A. Cause-and-effect diagram.
B. Data flow diagram.
C. Server architecture diagram.
D. Cross-functional diagram.

Answer:

QUESTION: 143

In attribute sampling, what is the relationship between expected error rate and sample size?

A. The sample size is not affected by expected error rate.
B. The greater the expected error rate, the smaller the sample size.
C. The greater the sample size, the lower the expected error rate.
D. The greater the expected error rate, the greater the sample size.

Answer:

QUESTION: 144

Which of the following would provide the MOST assurance that an application will work in a live environment?

A. Processing of test data to prove that data can be passed between individual programs.
B. Walking through the programs to view the results of processing copies of production data.
C. Walking through the programs to view the results of error processing.
D. Processing of valid and erroneous data in an acceptance test environment.

Answer:

QUESTION: 145

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's initiative to
adopt an enterprise governance framework?

A. The organization has not identified the business drivers for adopting the framework.
B. The organization's security department has not been involved with the initiative.
C. The organization has not provided employees with formal training on the framework.
D. The organization has tried to adopt the entire framework at once.

Answer:
QUESTION: 146

Which of the following would be the MOST effective method to address software license violations on employee
workstations?

A. Restricting administrative rights on employee workstations.
B. Requiring automated installation of software.
C. Implementing real-time monitoring software on employee workstations.
D. Scanning workstations daily for unauthorized software use.

Answer:

QUESTION: 147

Which of the following is MOST important for an IS auditor to consider when determining an appropriate sample
size in situations where selecting the entire population is not feasible?

A. Data integrity.
B. Tolerable error.
C. Responsiveness of the auditee.
D. Accessibility of the data.

Answer:

QUESTION: 148

Which of the following control checks would utilize data analytics?

A. Evaluating configuration settings for the credit card application system.
B. Reviewing credit card applications submitted in the past month for blank data fields.
C. Attempting to submit credit card applications with blank data fields.
D. Reviewing the business requirements document for the credit card application system.

Answer:

QUESTION: 149

Which of the following is the BEST indication that an information security program is effective?

A. The security team has performed a risk assessment to understand the organization's risk appetite.
B. The security team is knowledgeable and uses the best available tools.
C. The number of reported and confirmed security incidents has increased after awareness training.
D. The security awareness program was developed following industry best practices.

Answer:

QUESTION: 150

To create a digital signature in a message using asymmetric encryption, it is necessary to:

A. encrypt the authentication sequence using a public key.
B. transmit the actual digital signature in unencrypted clear text.
C. first use a symmetric algorithm for the authentication sequence.
D. encrypt the authentication sequence using a private key.

Answer:
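The point being tested is the direction of the key operation: the signer hashes the message and applies the private key to the digest, and anyone holding the public key reverses that operation and compares the result with a fresh hash. Applying the public key instead (option A) proves nothing, because everyone has it. The following is an added example, not part of the original exam material; it uses textbook RSA with small constructed primes and no padding so the arithmetic is visible, which makes it an insecure toy (assumption stated in the code), and a real implementation uses a vetted library with RSA-PSS or an elliptic-curve scheme.

```python
"""Q150: a digital signature = private-key operation over the message hash,
checked with the public key. Textbook RSA with small constructed primes and
no padding (assumption: insecure toy for illustration only)."""
import hashlib

# Constructed toy key. Real keys are 2048+ bits and use PSS/PKCS#1 padding.
P, Q = 1000003, 1000033          # small primes chosen for readability
N = P * Q                        # public modulus
E = 65537                        # public exponent
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent (Python 3.8+ modular inverse)


def _digest_int(message: bytes) -> int:
    """Hash first, sign the hash. Reducing mod N is toy-only; a real scheme pads
    the full digest into the modulus instead of truncating it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D, modulus: int = N) -> int:
    """Option D: 'encrypt' the hash with the PRIVATE key. Only the key holder
    can produce this value, which is what makes it a signature."""
    return pow(_digest_int(message), private_exp, modulus)


def verify(message: bytes, signature: int, public_exp: int = E, modulus: int = N) -> bool:
    """Reverse the private-key operation with the PUBLIC key and compare with a
    fresh hash of the received message."""
    return pow(signature, public_exp, modulus) == _digest_int(message)


def forge_with_public_key(message: bytes) -> int:
    """Option A, done by someone WITHOUT the private key: applying the public key
    to the hash. Anyone can compute this, and verify() rejects it."""
    return pow(_digest_int(message), E, N)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"
    sig = sign(msg)
    print("genuine signature verifies:      ", verify(msg, sig))
    print("altered message verifies:        ", verify(b"transfer 1000 to account 42", sig))
    print("public-key 'signature' verifies: ", verify(msg, forge_with_public_key(msg)))
```

Option B is a distractor: a signature is not secret and is normally sent in the clear, but that is a property of the scheme, not a step in creating the signature. Option C describes a MAC (symmetric), which authenticates but does not give non-repudiation, because both parties hold the same key.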
