Which of the following is the most important for an IS auditor to consider when reviewing a service level agreement (SLA) with an external IT service provider?

Question 1

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled backups are timely and run to completion?

A. Reviewing a sample of system-generated backup logs B. Evaluating the backup policies and procedures C. Interviewing key personnel involved in the backup process D. Observing the execution of a daily backup run

Question 2

Which of the following is a concern associated with virtualization?

A. Processing capacity may be shared across multiple operating systems. B. Performance issues with the host could impact the guest operating systems. C. The physical footprint of servers could decrease within the data center. D. One host may have multiple versions of the same operating system.

Question 3

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

A. Perform a business impact analysis (BIA). B. Determine which databases will be in scope. C. Evaluate the types of databases being used. D. Identify the most critical database controls.

Question 4

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

A. Significant cost savings over other system implementation approaches B. Assurance that the new system meets functional requirements C. Assurance that the new system meets performance requirements D. More time for users to complete training for the new system

Question 5

Which of the following BEST guards against the risk of attack by hackers?

A. Firewalls B. Message validation C. Encryption D. Tunneling

Question 6

A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:

A. the provider adheres to the company's data retention policies. B. the provider has alternate service locations. C. the provider's information security controls are aligned with the company's. D. the contract includes compensation for deficient service levels.

Question 7

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

A. Segregation of duties between staff ordering and staff receiving information assets B. Knowledge of the IT staff regarding data protection requirements C. Complete and accurate list of information assets that have been deployed D. Availability and testing of onsite backup generators

Question 8

What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

A. Determine the resources required to make the control effective. B. Validate the overall effectiveness of the internal control. C. Ascertain the existence of other compensating controls. D. Verify the impact of the control no longer being effective.

Question 9

The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

A. Control risk B. Detection risk C. Technology risk D. Inherent risk

Question 10

Which of the following is a challenge in developing a service level agreement (SLA) for network services?

A. Establishing a well-designed framework for network services B. Finding performance metrics that can be measured properly C. Ensuring that network components are not modified by the client D. Reducing the number of entry points into the network

Question 11

Which of the following is MOST important for an effective control self-assessment (CSA) program?

A. Performing detailed test procedures B. Evaluating changes to the risk environment C. Understanding the business process D. Determining the scope of the assessment

Question 12

Which of the following would be the MOST useful metric for management to consider when reviewing a project portfolio?

A. Net present value (NPV) of the portfolio B. Cost of projects divided by total IT cost C. Total cost of each project D. Expected return divided by total project cost

Question 13

Which of the following findings should be of GREATEST concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?

A. Insufficient processes to test for version control B. Insufficient processes to track ownership of each EUC application C. Lack of awareness training for EUC users D. Lack of defined criteria for EUC applications

Question 14

Which of the following security risks can be reduced by a properly configured network firewall?

A. SQL injection attacks B. Phishing attacks C. Insider attacks D. Denial of service (DoS) attacks

Question 15

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor's BEST course of action would be to:

A. schedule a follow-up audit in the next audit cycle. B. re-prioritize the original issue as high risk and escalate to senior management. C. determine whether the alternative controls sufficiently mitigate the risk. D. postpone follow-up activities and escalate the alternative controls to senior audit management.

Question 16

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

A. Confirm the resolution time of the incidents. B. Validate whether all incidents have been actioned. C. Determine if a root cause analysis was conducted. D. Document the finding and present it to management.

Question 17

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A. Use of stateful firewalls with default configuration B. Misconfiguration of the firewall rules C. Ad hoc monitoring of firewall activity D. Potential back doors to the firewall software

Question 18

An information systems security officer's PRIMARY responsibility for business process applications is to:

A. approve the organization's security policy B. authorize secured emergency access C. create role-based rules for each business process D. ensure access rules agree with policies

Question 19

Which of the following would be the BEST criteria for monitoring an IT vendor's service levels?

A. Interview with vendor B. Service auditor's report C. Surprise visit to vendor D. Performance metrics

Question 20

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

A. Utilize new system development tools to improve productivity. B. Implement overtime pay and bonuses for all development staff. C. Deliver only the core functionality on the initial target date. D. Recruit IS staff to expedite system development.

Question 21

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

A. Risk avoidance B. Risk reduction C. Risk acceptance D. Risk transfer

Question 22

During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor's BEST course of action?

A. Request management wait until a final report is ready for discussion. B. Review working papers with the auditee. C. Request the auditee provide management responses. D. Present observations for discussion only.

Question 23

Which of the following MOST effectively minimizes downtime during system conversions?

A. Parallel run B. Phased approach C. Pilot study D. Direct cutover

Question 24

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

A. Development B. Staging C. Testing D. Integration

Question 25

Which of the following methods will BEST reduce the risk associated with the transition to a new system using technologies that are not compatible with the old system?

A. Pilot operation B. Phased operation C. Modular changeover D. Parallel changeover

Question 26

The PRIMARY purpose of a configuration management system is to:

A. standardize change approval. B. track software updates. C. define baselines for software. D. support the release procedure.

Question 27

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

A. The database entity relationships within the legacy system B. The data flows between the components to be used by the redesigned system C. The proposed network topology to be used by the redesigned system D. The current business capabilities delivered by the legacy system

Question 28

Which of the following is a PRIMARY responsibility of an IT steering committee?

A. Reviewing periodic IT risk assessments B. Prioritizing IT projects in accordance with business requirements C. Validating and monitoring the skill sets of IT department staff D. Establishing IT budgets for the business

Question 29

Which of the following provides IS audit professionals with the BEST source of direction for performing audit functions?

A. Audit charter B. Audit best practices C. Information security policy D. IT steering committee

Question 30

Which of the following security measures will reduce the risk of propagation when a cyberattack occurs?

A. Web application firewall B. Data loss prevention (DLP) system C. Network segmentation D. Perimeter firewall

Question 31

Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?

A. The IT strategy is approved by executive management. B. The IT strategy has significant impact on the business strategy. C. The IT strategy is based on IT operational best practices. D. The IT strategy is modified in response to organizational change.

Question 32

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

A. Management approved the PIR report. B. Lessons learned were implemented. C. The review was performed by an external provider. D. Project outcomes have been realized.

Question 33

IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

A. Performance monitoring tools B. Periodic table link checks C. Concurrent access controls D. More frequent data backups

Question 34

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

A. incorporate changes to relevant laws. B. include new systems and corresponding process changes. C. reflect current practices. D. be subject to adequate quality assurance (QA).

Question 35

Which of the following is MOST important to consider when scheduling follow-up audits?

A. The impact if corrective actions are not taken B. The amount of time the auditee has agreed to spend with auditors C. The efforts required for independent verification with new auditors D. Controls and detection risks related to the observations

Question 36

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

A. Data center environmental controls not aligning with new configuration B. Vulnerability in the virtualization platform affecting multiple hosts C. Inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications D. System documentation not being updated to reflect changes in the environment

Question 37

If enabled within firewall rules, which of the following services would present the GREATEST risk?

A. Simple mail transfer protocol (SMTP) B. File transfer protocol (FTP) C. Hypertext transfer protocol (HTTP) D. Simple object access protocol (SOAP)

Question 38

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?

A. Per-unit cost charged by the hosting services provider for storage B. Data center physical access controls where the application is hosted C. Privacy regulations affecting the organization D. Financial regulations affecting the organization

Which of the following should be a MAJOR concern for an IS auditor reviewing a business continuity plan? The plan is approved by the chief information officer.

Which of the following would be MOST important for an IS auditor to verify when conducting a business continuity audit? The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? Agreed-on key performance indicators is correct.
