CERTIFIED INFORMATION SYSTEMS AUDIT

(CISA)
Practice Test 2025

Compiled by Storm Chaser

Question 1
Which of the following should be of GREATEST concern to an IS auditor reviewing
an organization's business continuity plan (BCP)?
A. The BCP has not been tested since it was first issued.
B. The BCP is not version-controlled.
C. The BCP's contact information needs to be updated.
D. The BCP has not been approved by senior management.
Correct Answer: A – The BCP has not been tested since it was first
issued
Explanation: Regular testing of the BCP is critical to ensure that the plan is
practical, effective, and executable in a real emergency. An untested plan may fail
when it's needed most.
Incorrect Answers:
B. Lack of version control is an issue, but not as critical as not testing the plan.
C. Contact information is important, but outdated contacts can be updated quickly.
D. While approval is necessary, an untested plan poses a greater operational risk.

Question 2
Which of the following would be MOST useful when analyzing computer
performance?
A. Tuning of system software to optimize resource usage
B. Operations report of user dissatisfaction with response time
C. Statistical metrics measuring capacity utilization
D. Report of off-peak utilization and response time
Correct Answer: C – Statistical metrics measuring capacity utilization
Explanation: Statistical metrics provide objective and quantifiable data to analyze
system performance, making them the most reliable for performance assessments.
Incorrect Answers:
A. Tuning is a solution, not an analytical method.
B. User reports are subjective and less precise.
D. Off-peak reports might not reflect typical system loads.

Question 3
Which of the following is the GREATEST risk if two users have concurrent access to
the same database record?
A. Entity integrity
B. Availability integrity
C. Referential integrity
D. Data integrity
Correct Answer: D – Data integrity
Explanation: Concurrent access to the same record can cause inconsistent updates,
leading to corrupted or lost data—violating data integrity.
Incorrect Answers:
A. Entity integrity ensures primary keys are unique, not related to concurrency.
B. Availability isn't directly impacted.
C. Referential integrity relates to relationships between tables.

Question 4
Which of the following is the MOST effective way for an organization to help ensure
agreed-upon action plans from an IS audit will be implemented?
A. Ensure ownership is assigned.
B. Test corrective actions upon completion.
C. Ensure sufficient audit resources are allocated.
D. Communicate audit results organization-wide.
Correct Answer: A – Ensure ownership is assigned
Explanation: Assigning clear ownership ensures accountability for implementing
audit recommendations.
Incorrect Answers:
B. Testing is important after implementation, not for ensuring implementation.
C. Audit resources don’t enforce implementation.
D. Communication is useful, but lacks enforcement.

Question 5
Which of the following issues associated with a data center's closed circuit television
(CCTV) surveillance cameras should be of MOST concern to an IS auditor?
A. CCTV recordings are not regularly reviewed.
B. CCTV records are deleted after one year.
C. CCTV footage is not recorded 24 x 7.
D. CCTV cameras are not installed in break rooms.
Correct Answer: A – CCTV recordings are not regularly reviewed
Explanation: Without regular reviews, suspicious activities could go unnoticed,
defeating the purpose of surveillance.
Incorrect Answers:
B. A year-long retention is often acceptable.
C. 24x7 recording is ideal, but less critical than review.
D. Monitoring break rooms may raise privacy concerns.

Question 6
An IS auditor has been asked to audit the proposed acquisition of new computer
hardware. The auditor's PRIMARY concern is that:
A. a clear business case has been established.
B. the new hardware meets established security standards.
C. a full, visible audit trail will be included.
D. the implementation plan meets user requirements.
Correct Answer: A – A clear business case has been established
Explanation: The most fundamental requirement is that the acquisition is justified
by a solid business need.
Incorrect Answers:
B. Security standards are secondary to the justification of purchase.
C. Audit trails relate to usage, not acquisition.
D. User requirements are addressed later in the process.

Question 7
To confirm integrity for a hashed message, the receiver should use:
A. the same hashing algorithm as the sender's to create a binary image of the file.
B. a different hashing algorithm from the sender's to create a numerical
representation of the file.
C. a different hashing algorithm from the sender's to create a binary image of the
file.
D. the same hashing algorithm as the sender's to create a numerical representation of
the file.
Correct Answer: D – the same hashing algorithm as the sender's to
create a numerical representation of the file
Explanation: Integrity is verified by comparing the sender's and receiver's hash
values, which requires using the same algorithm.
Incorrect Answers:
A/C. Binary image creation is not part of hash verification.
B. A different algorithm would produce a different hash value.

Question 8
An organization is implementing a new system that supports a month-end business
process. Which of the following implementation strategies would be MOST efficient
to decrease business downtime?
A. Cutover
B. Phased
C. Pilot
D. Parallel
Correct Answer: D – Parallel
Explanation: Running old and new systems in parallel ensures continuity and
minimizes downtime during the transition.
Incorrect Answers:
A. Cutover is faster but riskier.
B. Phased takes more time.
C. Pilot affects only a small user group initially.

Question 9
Which of the following should be the FIRST step in managing the impact of a
recently discovered zero-day attack?
A. Estimating potential damage
B. Identifying vulnerable assets
C. Evaluating the likelihood of attack
D. Assessing the impact of vulnerabilities
Correct Answer: B – Identifying vulnerable assets
Explanation: You must first determine what is at risk before taking protective or
corrective measures.
Incorrect Answers:
A. Damage estimation comes after identifying scope.
C. Zero-day implies unknown threat—likelihood is moot.
D. Impact assessment follows asset identification.

Question 10
Which of the following is the BEST way to ensure that an application is performing
according to its specifications?
A. Pilot testing
B. System testing
C. Integration testing
D. Unit testing
Correct Answer: B – System testing
Explanation: System testing verifies that the complete and integrated application
meets the defined requirements.
Incorrect Answers:
A. Pilot testing assesses usability, not performance specs.
C. Integration testing checks inter-module interaction.
D. Unit testing focuses on individual components.

Question 11
Which of the following would be MOST effective to protect information assets in a
data center from theft by a vendor?
A. Conceal data devices and information labels.
B. Issue an access card to the vendor.
C. Monitor and restrict vendor activities.
D. Restrict use of portable and wireless devices.
 Correct Answer: C – Monitor and restrict vendor activities
Explanation: Active monitoring and access restrictions directly reduce the risk of
unauthorized actions and data theft.
Incorrect Answers:
A. Concealment is insufficient without monitoring.
B. Issuing access cards without monitoring increases risk.
D. Device restrictions help, but aren’t as effective alone.

Question 12
An employee loses a mobile device resulting in loss of sensitive corporate data. Which
of the following would have BEST prevented data leakage?
A. Data encryption on the mobile device
B. The triggering of remote data wipe capabilities
C. Awareness training for mobile device users
D. Complex password policy for mobile devices
Correct Answer: A – Data encryption on the mobile device
Explanation: Encryption ensures that data remains unreadable even if the device is
lost or stolen.
Incorrect Answers:
B. Remote wipe is reactive and may not occur before access.
C. Training doesn’t prevent actual data access.
D. Strong passwords help, but can be bypassed.

Question 13
During the evaluation of controls over a major application development project, the
MOST effective use of an IS auditor's time would be to review and evaluate:
A. cost-benefit analysis.
B. acceptance testing.
C. application test cases.
D. project plans.
Correct Answer: B – Acceptance testing
Explanation: Acceptance testing confirms that the application meets business and
functional requirements before implementation.
Incorrect Answers:
A. Cost-benefit is useful early in the project, not for control review.
C. Test cases are technical and may not reflect final functionality.
D. Plans alone don’t show whether requirements are met.

Question 14
Upon completion of audit work, an IS auditor should:
A. provide a report to the auditee stating the initial findings.
B. provide a report to senior management prior to discussion with the auditee.
C. distribute a summary of general findings to the members of the auditing team.
D. review the working papers with the auditee.
Correct Answer: A – provide a report to the auditee stating the initial
findings
Explanation: Auditors should present findings to the auditee first to ensure
accuracy and allow for clarification or response.
Incorrect Answers:
B. Reporting to senior management should follow auditee review.
C. Team summaries are internal steps, not a primary requirement.
D. Working papers are not typically reviewed by the auditee.

Question 15
During an IT general controls audit of a high-risk area where both internal and
external audit teams are reviewing the same areas simultaneously, which of the
following is the BEST approach to optimize resources?
A. Leverage the work performed by external audit for the internal audit testing.
B. Ensure both the internal and external auditors perform the work simultaneously.
C. Roll forward the general controls audit to the subsequent audit year.
D. Request that the external audit team leverage the internal audit work.
Correct Answer: A – Leverage the work performed by external audit
for the internal audit testing
Explanation: This avoids duplication of effort and improves audit efficiency through
collaboration.
Incorrect Answers:
B. Simultaneous work may waste resources.
C. Postponing audits in high-risk areas is not recommended.
D. Internal teams should validate external work, not rely solely on it.

Question 16
The GREATEST benefit of using a prototyping approach in software development is
that it helps to:
A. improve efficiency of quality assurance (QA) testing.
B. conceptualize and clarify requirements.
C. decrease the time allocated for user testing and review.
D. minimize scope changes to the system.
Correct Answer: B – conceptualize and clarify requirements
Explanation: Prototypes help users visualize the system early, allowing better
feedback and clearer requirements.
Incorrect Answers:
A. QA efficiency is not the primary benefit.
C. Prototyping may increase time for user involvement.
D. Scope changes are still likely with evolving requirements.

Question 17
After an employee termination, a network account was removed, but the application
account remained active. To keep this issue from recurring, which of the following is
the BEST recommendation?
A. Integrate application accounts with network single sign-on.
B. Perform periodic access reviews.
C. Retrain system administration staff.
D. Leverage shared accounts for the application.
Correct Answer: A – Integrate application accounts with network
single sign-on
Explanation: Centralized account management ensures that all associated access is
removed simultaneously.
Incorrect Answers:
B. Reviews are periodic and may not prevent immediate issues.
C. Training is helpful but not a technical control.
D. Shared accounts reduce accountability and increase risk.

Question 18
During an IT governance audit, an IS auditor notes that IT policies and procedures
are not regularly reviewed and updated. The GREATEST concern to the IS auditor
is that policies and procedures might not:
A. reflect current practices.
B. be subject to adequate quality assurance (QA).
C. include new systems and corresponding process changes.
D. incorporate changes to relevant laws.
Correct Answer: A – reflect current practices
Explanation: Outdated policies can result in misalignment with actual operational
practices, increasing risk.
Incorrect Answers:
B. QA is important but not the primary concern.
C. This is a subset of reflecting current practices.
D. Legal compliance is important but less broad in scope.

Question 19
Management receives information indicating a high level of risk associated with
potential flooding near the organization's data center within the next few years. As a
result, a decision has been made to move data center operations to another facility
on higher ground. Which approach has been adopted?
A. Risk reduction
B. Risk acceptance
C. Risk transfer
D. Risk avoidance
Correct Answer: D – Risk avoidance
Explanation: Moving the facility eliminates the threat exposure entirely, which is a
form of risk avoidance.
Incorrect Answers:
A. Risk reduction would involve mitigation, not elimination.
B. Risk acceptance involves taking no action.
C. Risk transfer involves shifting risk to another party.

Question 20
An emergency power-off switch should:
A. not be in the computer room.
B. not be identified
C. be protected.
D. be illuminated.
Correct Answer: C – be protected
Explanation: The switch must be protected to prevent accidental activation, which
could cause unintended downtime.
Incorrect Answers:
A. It must be accessible in emergencies, often in the room.
B. It should be clearly marked for emergency use.
D. Illumination is useful but secondary to protection.

Question 21
Which of the following is the PRIMARY role of the IS auditor in an organization's
information classification process?
A. Securing information assets in accordance with the classification assigned
B. Validating that assets are protected according to assigned classification
C. Ensuring classification levels align with regulatory guidelines
D. Defining classification levels for information assets within the organization
Correct Answer: B – Validating that assets are protected according to
assigned classification
Explanation: The IS auditor's primary role is to validate that the organization is
applying controls based on the classification levels, not to define or assign them.
Incorrect Answers:
A. Securing assets is management's responsibility, not the auditor’s.
C. Ensuring alignment is part of management's policy role.
D. Defining classification is not the auditor’s duty.

Question 22
When evaluating whether the expected benefits of a project have been achieved, it is
MOST important for an IS auditor to review:
A. the project schedule.
B. quality assurance (QA) results.
C. post-implementation issues.
D. the business case
Correct Answer: D – the business case
Explanation: The business case outlines expected benefits and serves as the baseline
for evaluating if those benefits were delivered.
Incorrect Answers:
A. Schedule tracks timing, not value delivery.
B. QA focuses on product quality, not benefits.
C. Issues may highlight problems but not measure benefits.

Question 23
Which of the following is the MOST important reason for IS auditors to perform
post-implementation reviews for critical IT projects?
A. To determine whether vendors should be paid for project deliverables
B. To provide the audit committee with an assessment of project team performance
C. To provide guidance on the financial return on investment (ROI) of projects
D. To determine whether the organization's objectives were met as expected
Correct Answer: D – To determine whether the organization's
objectives were met as expected
Explanation: The purpose of post-implementation reviews is to ensure that the
project outcomes align with organizational goals.
Incorrect Answers:
A. Payment decisions are handled by project managers.
B. Performance reviews are HR-related.
C. ROI is part of the business evaluation, not the main audit concern.

Question 24
Which of the following BEST indicates that an incident management process is
effective?
A. Decreased number of calls to the help desk
B. Increased number of incidents reviewed by IT management
C. Decreased time for incident resolution
D. Increased number of reported critical incidents
 Correct Answer: C – Decreased time for incident resolution
Explanation: Faster resolution indicates that the incident management process is
effective and well-coordinated.
Incorrect Answers:
A. Fewer help desk calls may mean underreporting.
B. Reviewing more incidents doesn't ensure effectiveness.
D. More critical incidents may indicate problems elsewhere.

Question 25
Which of the following MOST effectively minimizes downtime during system
conversions?
A. Phased approach
B. Parallel run
C. Direct cutover
D. Pilot study
Correct Answer: B – Parallel run
Explanation: A parallel run allows the old and new systems to operate
simultaneously, reducing risk and minimizing downtime.
Incorrect Answers:
A. Phased can be slow and complex.
C. Cutover is quicker but riskier.
D. A pilot affects only a small group, not the entire system.

Question 26
Which of the following would MOST effectively ensure the integrity of data
transmitted over a network?
A. Message encryption
B. Steganography
C. Certificate authority (CA)
D. Message digest
Correct Answer: D – Message digest
Explanation: Message digests (hash functions) help detect any changes to data
during transmission, ensuring integrity.
Incorrect Answers:
A. Encryption protects confidentiality, not integrity.
B. Steganography hides data, not verify it.
C. CAs verify identities, not message integrity directly.

Question 27
Which of the following would be MOST useful to an IS auditor assessing the
effectiveness of IT resource planning?
A. Budget execution status
B. A capacity analysis of IT operations
C. A succession plan for key IT personnel
D. A list of new applications to be implemented
Correct Answer: B – A capacity analysis of IT operations
Explanation: Capacity analysis shows if IT resources are aligned with demand,
which is crucial for effective planning.
Incorrect Answers:
A. Budget execution shows spending, not planning effectiveness.
C. Succession plans are more relevant to HR audits.
D. Application lists show goals, not capacity.

Question 28
An IS auditor is evaluating controls for monitoring the regulatory compliance of a
third party that provides IT services to the organization. Which of the following
should be the auditor's GREATEST concern?
A. A gap analysis against regulatory requirements has not been conducted.
B. The third-party disclosed a policy-related issue of noncompliance.
C. The organization has not reviewed the third party's policies and procedures.
D. The organization has not communicated regulatory requirements to the third
party.
Correct Answer: D – The organization has not communicated
regulatory requirements to the third party
Explanation: Without communication, the third party cannot ensure compliance,
making it the most critical risk.
Incorrect Answers:
A. Gap analysis is useful but comes after requirements are known.
B. Disclosures can be addressed if requirements were communicated.
C. Review is important but ineffective without initial communication.

Question 29
Which of the following is an audit reviewer's PRIMARY role with regard to
evidence?
A. Ensuring appropriate statistical sampling methods were used
B. Ensuring evidence is labeled to show it was obtained from an approved source
C. Ensuring unauthorized individuals do not tamper with evidence after it has been
captured
D. Ensuring evidence is sufficient to support audit conclusions
Correct Answer: D – Ensuring evidence is sufficient to support audit
conclusions
Explanation: The core responsibility of the auditor is to ensure conclusions are
backed by adequate and relevant evidence.
Incorrect Answers:
A. Sampling is part of audit design, not evidence evaluation.
B. Labeling supports chain of custody but is not the main role.
C. Tamper prevention is more a security function.

Question 30
When an intrusion into an organization's network is detected, which of the following
should be done FIRST?
A. Contact law enforcement.
B. Identify nodes that have been compromised.
C. Block all compromised network nodes.
D. Notify senior management
Correct Answer: B – Identify nodes that have been compromised
Explanation: Identifying affected systems is crucial before taking further action,
such as containment or escalation.
Incorrect Answers:
A. Law enforcement is contacted after internal assessment.
C. Blocking may disrupt operations and should be informed by analysis.
D. Management is notified after initial triage and assessment.

Question 31
An IS auditor is reviewing processes for importing market price data from external
data providers. Which of the following findings should the auditor consider MOST
critical?
A. The quality of the data is not monitored.
B. The transfer protocol does not require authentication.
C. Imported data is not disposed frequently.
D. The transfer protocol is not encrypted.
Correct Answer: A – The quality of the data is not monitored
Explanation: Poor or unmonitored data quality can result in incorrect pricing,
financial errors, and major business impact—making it the most critical concern.
Incorrect Answers:
B. Lack of authentication is a security concern but secondary to data accuracy.
C. Infrequent disposal may be a compliance or storage concern, not critical.
D. Encryption protects confidentiality, not accuracy.

Question 32
In a controlled application development environment, the MOST important
segregation of duties should be between the person who implements changes into the
production environment and the:
A. application programmer.
B. quality assurance (QA) personnel.
C. computer operator.
D. systems programmer.
Correct Answer: A – application programmer
Explanation: To prevent unauthorized or untested changes, programmers should
not have direct access to production deployment.
Incorrect Answers:
B. QA doesn’t make code changes.
C. Operators follow instructions and don’t alter code.
D. Systems programmers deal with infrastructure, not applications.

Question 33
A small startup organization does not have the resources to implement segregation of
duties. Which of the following is the MOST effective compensating control?
A. Rotation of log monitoring and analysis responsibilities
B. Additional management reviews and reconciliations
C. Mandatory vacations
D. Third-party assessments
Correct Answer: B – Additional management reviews and
reconciliations
Explanation: Management oversight is the most direct and continuous
compensating control for segregation of duties.
Incorrect Answers:
A. Rotation helps but lacks formal review.
C. Mandatory vacations are periodic and may not detect issues immediately.
D. Third-party reviews are infrequent.

Question 34
When planning an audit to assess application controls of a cloud-based system, it is
MOST important for the IS auditor to understand the:
A. availability reports associated with the cloud-based system.
B. architecture and cloud environment of the system.
C. policies and procedures of the business area being audited.
D. business process supported by the system.
Correct Answer: D – business process supported by the system
Explanation: Understanding the business process ensures the auditor evaluates the
controls in the context of risk and impact.
Incorrect Answers:
A. Availability is a component, not the whole picture.
B. Architecture is technical and secondary to process understanding.
C. Policies are relevant but less important during planning.

Question 35
Which of the following data would be used when performing a business impact
analysis (BIA)?
A. Projected impact of current business on future business
B. Expected costs for recovering the business
C. Cost of regulatory compliance
D. Cost-benefit analysis of running the current business
Correct Answer: B – Expected costs for recovering the business
Explanation: BIA involves estimating downtime impact and recovery costs to
prioritize critical processes.
Incorrect Answers:
A. Forward-looking projections don’t support BIA.
C. Regulatory compliance is important but indirect.
D. Cost-benefit analysis is used in investment decisions.

Question 36
Which of the following is the BEST indicator of the effectiveness of an organization's
incident response program?
A. Number of successful penetration tests
B. Percentage of protected business applications
C. Number of security vulnerability patches
D. Financial impact per security event
Correct Answer: D – Financial impact per security event
Explanation: Lower financial impact suggests the response program effectively
contains and mitigates incidents.
Incorrect Answers:
A. Pen tests test prevention, not response.
B. Protection does not measure response effectiveness.
C. Patching is a preventive activity.

Question 37
An organization recently implemented a cloud document storage solution and
removed the ability for end users to save data to their local workstation hard drives.
Which of the following findings should be the IS auditor's GREATEST concern?
A. Mobile devices are not encrypted.
B. Users are not required to sign updated acceptable use agreements.
C. The business continuity plan (BCP) was not updated.
D. Users have not been trained on the new system.
 Correct Answer: A – Mobile devices are not encrypted
Explanation: Without encryption, sensitive documents accessed via cloud could be
exposed if the mobile device is lost or compromised.
Incorrect Answers:
B. Acceptable use agreements are important but less urgent.
C. BCP updates are strategic but less immediate.
D. Training is important but doesn’t mitigate data exposure.

Question 38
Which of the following security measures will reduce the risk of propagation when a
cyberattack occurs?
A. Data loss prevention (DLP) system
B. Perimeter firewall
C. Network segmentation
D. Web application firewall
Correct Answer: C – Network segmentation
Explanation: Segmentation limits movement within the network, reducing the
spread of an attack.
Incorrect Answers:
A. DLP prevents data exfiltration, not lateral movement.
B. Firewalls protect perimeter, not internal spread.
D. WAFs protect web apps, not internal network layers.

Question 39
An IS auditor notes that the previous year's disaster recovery test was not completed
within the scheduled time frame due to insufficient hardware allocated by a third-
party vendor. Which of the following provides the BEST evidence that adequate
resources are now allocated to successfully recover the systems?
A. Hardware change management policy
B. An up-to-date RACI chart
C. Vendor memo indicating problem correction
D. Service level agreement (SLA)
Correct Answer: D – Service level agreement (SLA)
Explanation: A formal SLA outlines the vendor's commitment and responsibilities,
providing enforceable assurance of resource availability.
Incorrect Answers:
A. Policy does not confirm availability.
B. RACI defines roles but not capabilities.
C. Memos are informal and lack enforcement.

Question 40
When implementing Internet Protocol security (IPsec) architecture, the servers
involved in application delivery:
A. channel access only through the public-facing firewall.
B. channel access through authentication.
C. communicate via Transport Layer Security (TLS).
D. block authorized users from unauthorized activities.
Correct Answer: B – channel access through authentication
Explanation: IPsec ensures data is transmitted securely through mutual
authentication and encryption.
Incorrect Answers:
A. Firewalls control perimeter traffic, not IPsec channels.
C. TLS is different from IPsec (used for application-level encryption).
D. Blocking users is part of access control, not IPsec’s main function.

Question 41
During audit fieldwork, an IS auditor learns that employees are allowed to connect
their personal devices to company-owned computers. How can the auditor BEST
validate that appropriate security controls are in place to prevent data loss?
A. Verify the data loss prevention (DLP) tool is properly configured by the
organization.
B. Review compliance with data loss and applicable mobile device user acceptance
policies.
C. Verify employees have received appropriate mobile device security awareness
training.
D. Conduct a walk-through to view results of an employee plugging in a device to
transfer confidential data.
Correct Answer: A – Verify the data loss prevention (DLP) tool is
properly configured by the organization
Explanation: DLP tools actively prevent unauthorized data transfers, making
configuration validation the best technical control for preventing data loss.
Incorrect Answers:
B. Policy compliance reviews are helpful but indirect.
C. Awareness helps, but doesn’t ensure enforcement.
D. Walk-throughs are reactive and limited in scope.

Question 42
Management has requested a post-implementation review of a newly implemented
purchasing package to determine to what extent business requirements are being met.
Which of the following is MOST likely to be assessed?
A. Implementation methodology
B. Test results
C. Purchasing guidelines and policies
D. Results of live processing
Correct Answer: D – Results of live processing
Explanation: Live processing results directly show how well the system performs in
the real environment, revealing whether business needs are met.
Incorrect Answers:
A. Methodology concerns the development phase.
B. Test results are pre-production indicators.
C. Policies don’t assess actual system performance.

Question 43
Which of the following is an advantage of using agile software development
methodology over the waterfall methodology?
A. Quicker end user acceptance
B. Clearly defined business expectations
C. Quicker deliverables
D. Less funding required overall
Correct Answer: C – Quicker deliverables
Explanation: Agile enables iterative and incremental delivery, allowing faster
deployment of functional software.
Incorrect Answers:
A. End user acceptance depends on usability, not methodology.
B. Waterfall often has clearer expectations from the start.
D. Agile doesn't inherently reduce funding requirements.

Question 44
In an online application, which of the following would provide the MOST information
about the transaction audit trail?
A. File layouts
B. Data architecture
C. System/process flowchart
D. Source code documentation
Correct Answer: C – System/process flowchart
Explanation: Flowcharts help auditors understand the movement and
transformation of data, critical for assessing audit trail completeness.
Incorrect Answers:
A. File layouts show structure, not flow.
B. Data architecture defines relationships, not transaction paths.
D. Source code is too granular and lacks visual clarity.

Question 45
On a public-key cryptosystem when there is no previous knowledge between parties,
which of the following will BEST help to prevent one person from using a fictitious
key to impersonate someone else?
A. Send a certificate that can be verified by a certification authority with the public
key.
B. Encrypt the message containing the sender's public key, using the recipient's
public key.
C. Send the public key to the recipient prior to establishing the connection.
D. Encrypt the message containing the sender's public key, using a private-key
cryptosystem.
Correct Answer: A – Send a certificate that can be verified by a
certification authority with the public key
Explanation: Certificates from trusted authorities verify identity, preventing
impersonation through key spoofing.
Incorrect Answers:
B/C/D. These do not ensure the legitimacy of the sender’s identity without a trusted
third party.

Question 46
The IS quality assurance (QA) group is responsible for:
A. monitoring the execution of computer processing tasks.
B. designing procedures to protect data against accidental disclosure.
C. ensuring that program changes adhere to established standards.
D. ensuring that the output received from system processing is complete.
Correct Answer: C – ensuring that program changes adhere to
established standards
Explanation: QA’s role includes verifying adherence to quality and development
standards throughout the lifecycle.
Incorrect Answers:
A. Monitoring is typically operations’ responsibility.
B. Procedure design is a security or control function.
D. Output validation is more related to operational control.

Question 47
Which of the following approaches will ensure recovery time objectives (RTOs) are
met for an organization's disaster recovery plan (DRP)?
A. Performing a full interruption test
B. Performing a parallel test
C. Performing a tabletop test
D. Performing a cyber-resilience test
 Correct Answer: A – Performing a full interruption test
Explanation: A full interruption test simulates a real disaster, providing the most
accurate validation of RTO achievement.
Incorrect Answers:
B. Parallel testing is safer but doesn’t simulate full outage.
C. Tabletop tests are hypothetical.
D. Cyber-resilience tests focus more on security impact than full recovery.

Question 48
Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Risk-based auditing
D. Outsourced auditing
Correct Answer: C – Risk-based auditing
Explanation: Risk-based auditing focuses efforts on high-risk areas, ensuring
optimal use of time and resources.
Incorrect Answers:
A. Agile improves responsiveness, but not necessarily resource use.
B. Continuous auditing increases frequency but may require more resources.
D. Outsourcing is about staffing, not audit scope efficiency.

Question 49
Which of the following would provide the MOST important input during the
planning phase for an audit on the implementation of a bring your own device
(BYOD) program?
A. Results of a risk assessment
B. Policies including BYOD acceptable use statements
C. Findings from prior audits
D. An inventory of personal devices to be connected to the corporate network
Correct Answer: A – Results of a risk assessment
Explanation: A risk assessment identifies threats and vulnerabilities, guiding audit
objectives and scope.
Incorrect Answers:
B. Policies are reviewed later during control evaluation.
C. Prior findings are useful but not the primary input.
D. Inventory supports evidence but not planning.

Question 50
An IS auditor concludes that logging and monitoring mechanisms within an
organization are ineffective because central servers are not included within the central
log repository. Which of the following audit procedures would have MOST likely
identified this exception?
A. Comparing all servers included in the current central log repository with the
listing used for the prior-year audit
B. Inspecting a sample of alerts generated from the central log repository
C. Comparing a list of all servers from the directory server against a list of all servers
present in the central log repository
D. Inspecting a sample of alert settings configured in the central log repository
Correct Answer: C – Comparing a list of all servers from the directory
server against a list of all servers present in the central log repository
Explanation: This comparison reveals gaps in coverage and ensures all servers are
monitored, highlighting missing logs.
Incorrect Answers:
A. Prior-year comparisons might not reflect new servers.
B. Reviewing alerts doesn’t detect unlogged systems.
D. Alert settings don’t show unmonitored infrastructure.

Question 51
An IS auditor learns the organization has experienced several server failures in its
distributed environment. Which of the following is the BEST recommendation to
limit the potential impact of server failures in the future?
A. Failover power
B. Clustering
C. Parallel testing
D. Redundant pathways
Correct Answer: B – Clustering
Explanation: Clustering allows multiple servers to work together so that if one fails,
another can take over seamlessly—minimizing downtime.
Incorrect Answers:
A. Failover power addresses power failure, not server failure.
C. Parallel testing is for implementation testing, not failover.
D. Redundant pathways relate to networking, not server uptime.

Question 52
During an ongoing audit, management requests a briefing on the findings to date.
Which of the following is the IS auditor's BEST course of action?
A. Request management wait until a final report is ready for discussion.
B. Request the auditee provide management responses.
C. Review working papers with the auditee.
D. Present observations for discussion only.
 Correct Answer: D – Present observations for discussion only
Explanation: Sharing preliminary observations without conclusions helps
management understand issues without bypassing the formal audit process.
Incorrect Answers:
A. Delaying may reduce responsiveness.
B. Auditee responses come after findings are finalized.
C. Working papers are internal documents, not for general discussion.

Question 53
Which of the following BEST demonstrates that IT strategy is aligned with
organizational goals and objectives?
A. IT strategies are communicated to all business stakeholders.
B. Organizational strategies are communicated to the chief information officer (CIO).
C. The chief information officer (CIO) is involved in approving the organizational
strategies.
D. Business stakeholders are involved in approving the IT strategy.
Correct Answer: D – Business stakeholders are involved in approving
the IT strategy
Explanation: Involvement of business stakeholders ensures IT strategy supports
business goals and reflects organizational priorities.
Incorrect Answers:
A/B/C. Communication and involvement are important, but approval ensures
alignment.

Question 54
An accounting department uses a spreadsheet to calculate sensitive financial
transactions. Which of the following is the MOST important control for maintaining
the security of data in the spreadsheet?
A. A separate copy of the spreadsheet is routinely backed up.
B. Access to the spreadsheet is given only to those who require access.
C. There is a reconciliation process between the spreadsheet and the finance system.
D. The spreadsheet is locked down to avoid inadvertent changes.
Correct Answer: B – Access to the spreadsheet is given only to those
who require access
Explanation: Limiting access is the most effective control to protect sensitive data
from unauthorized exposure.
Incorrect Answers:
A. Backups protect availability, not confidentiality.
C. Reconciliation ensures accuracy, not security.
D. Lockdown prevents changes, not access.
Question 55
Which of the following is the MOST important responsibility of user departments
associated with program changes?
A. Analyzing change requests
B. Providing unit test data
C. Updating documentation to reflect latest changes
D. Approving changes before implementation
Correct Answer: D – Approving changes before implementation
Explanation: User departments must ensure that changes meet business needs and
are acceptable before being deployed.
Incorrect Answers:
A. Analysis may be shared with developers.
B. Testing is typically supported by IT.
C. Documentation is important but not the key responsibility.

Question 56
Which of the following would be of GREATEST concern when reviewing an
organization's security information and event management (SIEM) solution?
A. SIEM reporting is ad hoc.
B. SIEM reporting is customized.
C. SIEM configuration is reviewed annually.
D. The SIEM is decentralized.
Correct Answer: D – The SIEM is decentralized
Explanation: Decentralized SIEMs can lead to data silos and gaps in security
visibility, which is a major concern for effective incident detection.
Incorrect Answers:
A. Ad hoc reporting may reduce insight but isn't as critical.
B. Customized reports may be beneficial if aligned with objectives.
C. Annual review is acceptable if risk is low.

Question 57
A manager identifies active privileged accounts belonging to staff who have left the
organization. Which of the following is the threat actor in this scenario?
A. Hacktivists
B. Deleted log data
C. Terminated staff
D. Unauthorized access
Correct Answer: C – Terminated staff
Explanation: The terminated staff represent a direct insider threat if their accounts
remain active.
Incorrect Answers:
A. Hacktivists are external actors.
B. Deleted logs are evidence, not actors.
D. Unauthorized access is a result, not an actor.

Question 58
An IS auditor is evaluating the access controls for a shared customer relationship
management (CRM) system. Which of the following would be the GREATEST
concern?
A. Audit logging is not enabled.
B. Single sign-on is not enabled.
C. Complex passwords are not required.
D. Security baseline is not consistently applied.
Correct Answer: A – Audit logging is not enabled
Explanation: Without audit logs, accountability and tracking of system misuse is
impossible.
Incorrect Answers:
B. SSO improves convenience but is not critical.
C. Weak passwords are a concern, but lack of logging prevents detection.
D. Security baselines are important but less urgent than monitoring.

Question 59
Which of the following findings from an IT governance review should be of
GREATEST concern?
A. IT value analysis has not been completed.
B. All IT services are provided by third parties.
C. IT supports two different operating systems.
D. The IT budget is not monitored.
Correct Answer: D – The IT budget is not monitored
Explanation: Lack of budget monitoring may lead to misallocation of resources and
lack of accountability.
Incorrect Answers:
A. Value analysis can be scheduled.
B. Outsourcing is not inherently risky.
C. Multiple OSes may increase complexity, but not risk directly.

Question 60
What would be an IS auditor's BEST course of action when an auditee is unable to
close all audit recommendations by the time of the follow-up audit?
A. Ensure the open issues are retained in the audit results.
B. Recommend compensating controls for open issues.
C. Evaluate the residual risk due to open issues.
D. Terminate the follow-up because open issues are not resolved.
Correct Answer: C – Evaluate the residual risk due to open issues
Explanation: The auditor should assess whether the unremediated issues present an
acceptable or critical level of residual risk.
Incorrect Answers:
A. Documentation is necessary but not the best course of action.
B. Recommending compensating controls is secondary to risk evaluation.
D. Termination is not appropriate without evaluation.

Question 61
Which of the following is the BEST performance indicator for the effectiveness of an
incident management program?
A. Incident alert meantime
B. Number of incidents reported
C. Average time between incidents
D. Incident resolution meantime
Correct Answer: D – Incident resolution meantime
Explanation: The mean time to resolve incidents is a direct measure of how quickly
the organization can handle and close incidents, indicating process effectiveness.
Incorrect Answers:
A. Alert timing measures detection, not resolution.
B. Incident count doesn't reflect resolution capability.
C. Time between incidents reflects frequency, not effectiveness.

Question 62
Backups will MOST effectively minimize a disruptive incident's impact on a business
if they are:
A. taken according to recovery point objectives (RPOs).
B. scheduled according to the service delivery objectives.
C. performed by automated backup software on a fixed schedule.
D. stored on write-once read-many media.
Correct Answer: A – taken according to recovery point objectives
(RPOs)
Explanation: RPO defines the maximum tolerable period in which data might be
lost; aligning backups to RPO minimizes data loss impact.
Incorrect Answers:
B. Scheduling to service delivery is less relevant than to recovery goals.
C. Automation helps but doesn't guarantee alignment with RPOs.
D. Media type matters less than backup timing.
Question 63
An IS audit reveals that an organization is not proactively addressing known
vulnerabilities. Which of the following should the IS auditor recommend the
organization do FIRST?
A. Ensure the intrusion prevention system (IPS) is effective.
B. Verify the disaster recovery plan (DRP) has been tested.
C. Assess the security risks to the business.
D. Confirm the incident response team understands the issue.
Correct Answer: C – Assess the security risks to the business
Explanation: Understanding the actual risk is the first step toward prioritizing and
addressing vulnerabilities appropriately.
Incorrect Answers:
A. IPS effectiveness is secondary to risk assessment.
B. DRP testing doesn’t address current vulnerabilities.
D. Awareness without risk analysis won’t drive action.

Question 64
An IS auditor has completed the fieldwork phase of a network security review and is
preparing the initial draft of the audit report. Which of the following findings should
be ranked as the HIGHEST risk?
A. Network penetration tests are not performed.
B. The network firewall policy has not been approved by the information security
officer.
C. Network firewall rules have not been documented.
D. The network device inventory is incomplete.
Correct Answer: A – Network penetration tests are not performed
Explanation: Without penetration testing, critical vulnerabilities may go
undetected, exposing the organization to severe threats.
Incorrect Answers:
B/C. Policies and documentation are important but less critical than testing.
D. Incomplete inventory is risky but not as urgent as missing testing.

Question 65
Which of the following is the PRIMARY advantage of parallel processing for a new
system implementation?
A. Assurance that the new system meets functional requirements
B. Significant cost savings over other system implementation approaches
C. More time for users to complete training for the new system
D. Assurance that the new system meets performance requirements
Correct Answer: A – Assurance that the new system meets functional
requirements
Explanation: Running both systems in parallel allows comparison and verification
of the new system’s functionality before full cutover.
Incorrect Answers:
B. Parallel is typically more costly.
C. Training time isn't guaranteed by implementation method.
D. Performance validation is possible, but functional testing is the core benefit.

Question 66
During an internal audit of automated controls, an IS auditor identifies that the
integrity of data transfer between systems has not been tested since successful
implementation two years ago. Which of the following should the auditor do NEXT?
A. Review previous system interface testing records.
B. Document the finding in the audit report.
C. Review relevant system changes.
D. Review IT testing policies and procedures.
Correct Answer: C – Review relevant system changes
Explanation: If systems have changed since the last test, it increases the risk of
integration failure—making this review critical before concluding.
Incorrect Answers:
A. Historical testing doesn’t address current risk.
B. Documentation comes after analysis.
D. Reviewing policies is procedural, not evidence-based.

Question 67
The MAIN benefit of using an integrated test facility (ITF) as an online auditing
technique is that it enables:
A. the integration of financial and audit tests.
B. auditors to test without impacting production data.
C. a cost-effective approach to application controls audit.
D. auditors to investigate fraudulent transactions.
Correct Answer: B – auditors to test without impacting production
data
Explanation: ITFs simulate transactions in live systems without affecting actual
data, providing safe and effective testing.
Incorrect Answers:
A. Integration isn’t a unique ITF benefit.
C. ITFs may increase cost depending on setup.
D. Fraud detection is not ITF’s main purpose.

Question 68
Which of the following should be the MOST important consideration when
conducting a review of IT portfolio management?
A. Adherence to best practice and industry approved methodologies
B. Frequency of meetings where the business discusses the IT portfolio
C. Assignment of responsibility for each project to an IT team member
D. Controls to minimize risk and maximize value for the IT portfolio
Correct Answer: D – Controls to minimize risk and maximize value for
the IT portfolio
Explanation: The main purpose of IT portfolio management is to align IT
investments with risk and value, ensuring optimal use of resources.
Incorrect Answers:
A/B/C. These are supporting factors, not primary objectives.

Question 69
Which of the following would BEST facilitate the successful implementation of an IT-
related framework?
A. Establishing committees to support and oversee framework activities
B. Documenting IT-related policies and procedures
C. Aligning the framework to industry best practices
D. Involving appropriate business representation within the framework
Correct Answer: D – Involving appropriate business representation
within the framework
Explanation: Business buy-in ensures the framework is relevant, practical, and
effectively adopted.
Incorrect Answers:
A. Oversight helps but isn’t enough without engagement.
B. Documentation supports implementation but doesn’t drive it.
C. Best practices are helpful but not tailored without input.

Question 70
What is the MAIN reason to use incremental backups?
A. To increase backup resiliency and redundancy
B. To reduce costs associated with backups
C. To improve key availability metrics
D. To minimize the backup time and resources
Correct Answer: D – To minimize the backup time and resources
Explanation: Incremental backups only store changes since the last backup,
reducing the time and space required.
Incorrect Answers:
A. Resiliency depends on backup strategy, not type.
B. Cost is affected, but time/resource savings is the main benefit.
C. Availability metrics relate to system uptime, not backup type.
Question 71
When auditing the security architecture of an online application, an IS auditor
should FIRST review the:
A. location of the firewall within the network.
B. firewall standards.
C. firmware version of the firewall.
D. configuration of the firewall.
Correct Answer: D – configuration of the firewall
Explanation: The configuration directly affects how the firewall controls access.
Reviewing this first ensures security controls are properly implemented.
Incorrect Answers:
A. Firewall location is important, but configuration impacts effectiveness more.
B. Standards provide guidance, but don't show current status.
C. Firmware version is a maintenance issue, not a first audit priority.

Question 72
An organization is planning an acquisition and has engaged an IS auditor to evaluate
the IT governance framework of the target company. Which of the following would be
MOST helpful in determining the effectiveness of the framework?
A. Recent third-party IS audit reports
B. Current and previous internal IS audit reports
C. IT performance benchmarking reports with competitors
D. Self-assessment reports of IT capability and maturity
Correct Answer: B – Current and previous internal IS audit reports
Explanation: These reports provide insights into internal control effectiveness and
recurring governance issues over time.
Incorrect Answers:
A. Third-party audits are useful but may not cover full scope.
C. Benchmarking provides external comparison, not effectiveness.
D. Self-assessments may lack objectivity.

Question 73
Due to limited storage capacity, an organization has decided to reduce the actual
retention period for media containing completed low-value transactions. Which of the
following is MOST important for the organization to ensure?
A. The policy includes a strong risk-based approach.
B. The retention period complies with data owner responsibilities.
C. The retention period allows for review during the year-end audit.
D. The total transaction amount has no impact on financial reporting.
Correct Answer: A – The policy includes a strong risk-based approach
Explanation: A risk-based approach ensures that data retention decisions account
for compliance, legal, and operational risks.
Incorrect Answers:
B. Data owner responsibilities matter but are secondary to overall risk.
C. Year-end audit is a point in time, not the full concern.
D. Financial reporting may be affected by low-value volume data.

Question 74
Which of the following should an IS auditor be MOST concerned with during a post-
implementation review?
A. The system does not have a maintenance plan.
B. The system contains several minor defects.
C. The system deployment was delayed by three weeks.
D. The system was over budget by 15%.
Correct Answer: A – The system does not have a maintenance plan
Explanation: Without a maintenance plan, the system may become unreliable or
insecure, affecting long-term operations.
Incorrect Answers:
B. Minor defects are normal and usually not critical.
C. Deployment delays are scheduling concerns.
D. Budget overages affect cost but not ongoing functionality.

Question 75
Which of the following is the PRIMARY basis on which audit objectives are
established?
A. Audit risk
B. Consideration of risks
C. Assessment of prior audits
D. Business strategy
Correct Answer: B – Consideration of risks
Explanation: Risk assessment determines what areas are most critical to examine
and forms the basis for audit objectives.
Incorrect Answers:
A. Audit risk is a consequence, not the starting point.
C. Prior audits support planning, not define objectives.
D. Business strategy is relevant but indirect.

Question 76
An IS auditor is following up on prior period items and finds management did not
address an audit finding. Which of the following should be the IS auditor's NEXT
course of action?
A. Note the exception in a new report as the item was not addressed by
management.
B. Interview management to determine why the finding was not addressed.
C. Recommend alternative solutions to address the repeat finding.
D. Conduct a risk assessment of the repeat finding.
Correct Answer: D – Conduct a risk assessment of the repeat finding
Explanation: Before taking further action, it's essential to assess whether the
unresolved finding presents a current or heightened risk.
Incorrect Answers:
A. Reporting is important but premature without re-evaluation.
B. Interviews support understanding but not risk validation.
C. Recommending solutions comes after assessment.

Question 77
The PRIMARY focus of a post-implementation review is to verify that:
A. enterprise architecture (EA) has been complied with.
B. user requirements have been met.
C. acceptance testing has been properly executed.
D. user access controls have been adequately designed.
Correct Answer: B – user requirements have been met
Explanation: Post-implementation reviews determine whether the system fulfills
intended business needs.
Incorrect Answers:
A. EA compliance is a design concern.
C. Testing ensures function, but review confirms outcome.
D. Access controls are part of the review, not the main focus.

Question 78
Which of the following BEST protects an organization's proprietary code during a
joint-development activity involving a third party?
A. Privacy agreement
B. Statement of work (SOW)
C. Nondisclosure agreement (NDA)
D. Service level agreement (SLA)
Correct Answer: C – Nondisclosure agreement (NDA)
Explanation: An NDA legally binds the third party to protect proprietary
information, including code.
Incorrect Answers:
A. Privacy agreements relate to personal data.
B. SOW outlines tasks but not confidentiality.
D. SLAs focus on service levels, not protection.

Question 79
During which process is regression testing MOST commonly used?
A. Unit testing
B. System modification
C. Stress testing
D. Program development
Correct Answer: B – System modification
Explanation: Regression testing ensures that new changes haven’t negatively
impacted existing functionality.
Incorrect Answers:
A. Unit testing validates small code blocks.
C. Stress testing evaluates system limits.
D. Program development includes testing but not focused on regression.

Question 80
Which of the following should be of GREATEST concern to an IS auditor reviewing
a network printer disposal process?
A. Business units are allowed to dispose printers directly to authorized vendors.
B. Inoperable printers are stored in an unsecured area.
C. Disposal policies and procedures are not consistently implemented.
D. Evidence is not available to verify printer hard drives have been sanitized prior to
disposal.
Correct Answer: D – Evidence is not available to verify printer hard
drives have been sanitized prior to disposal
Explanation: Printers may store sensitive data. Lack of evidence of proper
sanitization is a serious data leakage risk.
Incorrect Answers:
A. Vendor use is acceptable with controls.
B. Unsecured storage is risky but less critical.
C. Inconsistent policies matter but do not directly imply data exposure.

Question 81
Which of the following activities provides an IS auditor with the MOST insight
regarding potential single person dependencies that might exist within the
organization?
A. Reviewing vacation patterns
B. Interviewing senior IT management
C. Mapping IT processes to roles
D. Reviewing user activity logs
Correct Answer: C – Mapping IT processes to roles
Explanation: Process-to-role mapping directly shows which processes depend on
individual employees, helping identify single points of failure.
Incorrect Answers:
A. Vacation patterns may suggest dependency but lack completeness.
B. Interviews may not provide objective insights.
D. Activity logs reflect behavior, not structure.

Question 82
Which of the following metrics is the BEST indicator of the performance of a web
application?
A. Server thread count
B. Server uptime
C. HTTP server error rate
D. Average response time
Correct Answer: D – Average response time
Explanation: Response time is a direct measure of user experience and performance
of a web application.
Incorrect Answers:
A. Thread count indicates load, not performance.
B. Uptime reflects availability, not responsiveness.
C. Error rates reflect issues but not speed or usability.

Question 83
An IS auditor suspects an organization's computer may have been used to commit a
crime. Which of the following is the auditor's BEST course of action?
A. Contact the incident response team to conduct an investigation.
B. Advise management of the crime after the investigation.
C. Examine the computer to search for evidence supporting the suspicions.
D. Notify local law enforcement of the potential crime before further investigation.
Correct Answer: A – Contact the incident response team to conduct
an investigation
Explanation: The incident response team is trained to handle such events properly,
ensuring evidence is preserved and the investigation follows protocol.
Incorrect Answers:
B. Waiting delays appropriate response.
C. Auditors must not investigate independently due to evidence contamination risk.
D. Law enforcement should only be involved through proper channels.

Question 84
An IS auditor follows up on a recent security incident and finds the incident response
was not adequate. Which of the following findings should be considered MOST
critical?
A. The attack could not be traced back to the originating person.
B. The attack was not automatically blocked by the intrusion detection system
(IDS).
C. Appropriate response documentation was not maintained.
D. The security weakness facilitating the attack was not identified.
Correct Answer: D – The security weakness facilitating the attack was
not identified
Explanation: Without identifying the root cause, the same vulnerability remains
unaddressed, increasing risk of recurrence.
Incorrect Answers:
A. Traceability is helpful but not always feasible.
B. IDS response is automated and may not stop novel attacks.
C. Documentation is important but not as critical as fixing the issue.

Question 85
Which of the following is the MOST important prerequisite for the protection of
physical information assets in a data center?
A. Knowledge of the IT staff regarding data protection requirements
B. Complete and accurate list of information assets that have been deployed
C. Segregation of duties between staff ordering and staff receiving information assets
D. Availability and testing of onsite backup generators
Correct Answer: B – Complete and accurate list of information assets
that have been deployed
Explanation: Without knowing what assets exist, it is impossible to protect them
effectively.
Incorrect Answers:
A. Knowledge is important but secondary.
C. Segregation aids process integrity, not asset protection.
D. Backup power ensures continuity, not asset inventory.

Question 86
During an audit of a reciprocal disaster recovery agreement between two companies,
the IS auditor would be MOST concerned with the:
A. allocation of resources during an emergency.
B. maintenance of hardware and software compatibility.
C. differences in IS policies and procedures.
D. frequency of system testing.
Correct Answer: B – Maintenance of hardware and software
compatibility
Explanation: If systems aren’t compatible, recovery efforts will fail despite the
agreement.
Incorrect Answers:
A. Allocation is important but depends on compatibility.
C. Policy differences can be addressed post-compatibility.
D. Testing frequency matters, but incompatibility undermines all tests.

Question 87
Which of the following BEST indicates the effectiveness of an organization's risk
management program?
A. Residual risk is minimized.
B. Inherent risk is eliminated.
C. Control risk is minimized.
D. Overall risk is quantified.
Correct Answer: A – Residual risk is minimized
Explanation: Effective risk management means that, after controls are applied, the
remaining risk (residual) is within acceptable levels.
Incorrect Answers:
B. Inherent risk cannot be eliminated.
C. Control risk focuses on failure of controls but not overall risk.
D. Quantification is helpful but not an indicator of effectiveness.

Question 88
Providing security certification for a new system should include which of the
following prior to the system's implementation?
A. End-user authorization to use the system in production
B. Testing of the system within the production environment
C. An evaluation of the configuration management practices
D. External audit sign-off on financial controls
Correct Answer: C – An evaluation of the configuration management
practices
Explanation: Configuration management ensures system settings and changes are
controlled, which is vital for security certification.
Incorrect Answers:
A. Authorization is part of go-live, not certification.
B. Testing in production introduces risks.
D. Audit sign-off isn’t part of system security certification.

Question 89
Which of the following should be the FIRST step when developing a data loss
prevention (DLP) solution for a large organization?
A. Create the DLP policies and templates.
B. Conduct a threat analysis against sensitive data usage.
C. Conduct a data inventory and classification exercise.
D. Identify approved data workflows across the enterprise.
 Correct Answer: C – Conduct a data inventory and classification
exercise
Explanation: Before protecting data, the organization must understand what data
exists and how sensitive it is.
Incorrect Answers:
A. Policies should follow classification.
B. Threat analysis requires understanding data first.
D. Workflow review comes after data identification.

Question 90
Which of the following activities would allow an IS auditor to maintain independence
while facilitating a control self-assessment (CSA)?
A. Implementing the remediation plan
B. Developing the remediation plan
C. Developing the CSA questionnaire
D. Partially completing the CSA
Correct Answer: C – Developing the CSA questionnaire
Explanation: Creating tools for the assessment maintains independence, as long as
the auditor doesn’t participate in executing controls.
Incorrect Answers:
A/B/D. These involve implementation or execution, compromising independence.

Question 91
Which of the following is MOST important for an IS auditor to confirm when
reviewing an organization's plans to implement robotic process automation (RPA) to
automate routine business tasks?
A. A benchmarking exercise of industry peers who use RPA has been completed.
B. The end-to-end process is understood and documented.
C. A request for proposal (RFP) has been issued to qualified vendors.
D. Roles and responsibilities are defined for the business processes in scope.
Correct Answer: B – The end-to-end process is understood and
documented
Explanation: Before implementing automation, it is critical to understand the full
process to avoid automating flawed procedures.
Incorrect Answers:
A. Benchmarking is useful, but not foundational.
C. Issuing an RFP is a procurement step, not an audit priority.
D. Defining roles is important but comes after understanding the process.

Question 92
Which of the following BEST facilitates the legal process in the event of an incident?
A. Right to perform e-discovery
B. Preserving the chain of custody
C. Results of a root cause analysis
D. Advice from legal counsel
Correct Answer: B – Preserving the chain of custody
Explanation: A documented chain of custody ensures evidence is admissible in legal
proceedings by proving it hasn't been tampered with.
Incorrect Answers:
A. E-discovery rights are important but depend on evidence integrity.
C. Root cause analysis is for remediation, not legal action.
D. Legal advice is helpful but cannot substitute proper procedures.

Question 93
Cross-site scripting (XSS) attacks are BEST prevented through:
A. secure coding practices.
B. use of common industry frameworks.
C. a three-tier web architecture.
D. application firewall policy settings.
Correct Answer: A – secure coding practices
Explanation: XSS exploits vulnerabilities in input handling; proper input validation
and encoding through secure coding prevent it.
Incorrect Answers:
B. Frameworks help but must be configured properly.
C. Architecture can’t prevent XSS alone.
D. Firewalls can detect but not fully prevent XSS.

Question 94
Prior to a follow-up engagement, an IS auditor learns that management has decided
to accept a level of residual risk related to an audit finding without remediation. The
IS auditor is concerned about management's decision. Which of the following should
be the IS auditor's NEXT course of action?
A. Present the issue to executive management.
B. Report the disagreement to the board.
C. Accept management's decision and continue the follow-up.
D. Report the issue to IS audit management.
Correct Answer: D – Report the issue to IS audit management
Explanation: The auditor should escalate the issue internally before external
reporting, allowing the audit function to assess the situation.
Incorrect Answers:
A/B. Involve executive stakeholders only if internal escalation fails.
C. Concerns must be addressed before accepting management’s decision.
Question 95
An IS auditor observes that a bank's web page address is prefixed "https://". The
auditor would be correct to conclude that:
A. the bank has established a virtual private network (VPN).
B. transactions are encrypted.
C. the bank has a restricted Internet protocol (IP) address.
D. the customer is connected to the bank's intranet.
Correct Answer: B – transactions are encrypted
Explanation: HTTPS indicates that communications between the browser and the
web server are encrypted using SSL/TLS.
Incorrect Answers:
A. VPNs are separate from HTTPS.
C. IP addresses are unrelated to HTTPS.
D. HTTPS is used on the internet, not intranets specifically.

Question 96
Which of the following is the BEST control to mitigate attacks that redirect Internet
traffic to an unauthorized website?
A. Utilize a network-based firewall.
B. Conduct regular user security awareness training.
C. Enforce a strong password policy meeting complexity requirements.
D. Perform domain name system (DNS) server security hardening.
Correct Answer: D – Perform domain name system (DNS) server
security hardening
Explanation: DNS spoofing or poisoning is a common method to redirect traffic;
hardening DNS prevents such attacks.
Incorrect Answers:
A. Firewalls do not filter DNS queries.
B. Awareness helps but doesn’t prevent redirection.
C. Passwords don’t protect DNS infrastructure.

Question 97
During a follow-up audit, an IS auditor learns that some key management personnel
have been replaced since the original audit, and current management has decided not
to implement some previously accepted recommendations. What is the auditor's
BEST course of action?
A. Retest the control.
B. Notify the audit manager.
C. Close the audit finding.
D. Notify the chair of the audit committee
 Correct Answer: B – Notify the audit manager
Explanation: The audit manager should be informed to assess appropriate next
steps, especially when recommendations are being overridden.
Incorrect Answers:
A. Retesting is secondary to addressing decision changes.
C. Closing the finding prematurely may hide unresolved risk.
D. Escalating to the audit committee is not the first step.

Question 98
An organization wants to classify database tables according to its data classification
scheme. From an IS auditor's perspective, the tables should be classified based on
the:
A. specific functional contents of each single table.
B. frequency of updates to the table.
C. number of end users with access to the table.
D. descriptions of column names in the table.
Correct Answer: A – specific functional contents of each single table
Explanation: Classification is based on the sensitivity and criticality of the data
content, not technical or usage aspects.
Incorrect Answers:
B. Update frequency is irrelevant to classification.
C. Access levels follow classification, not define it.
D. Column names are metadata, not classification criteria.

Question 99
Management is concerned about sensitive information being intentionally or
unintentionally emailed as attachments outside the organization by employees. What
is the MOST important task before implementing any associated email controls?
A. Provide notification to employees about possible email monitoring.
B. Develop an information classification scheme.
C. Develop an acceptable use policy for end-user computing (EUC).
D. Require all employees to sign nondisclosure agreements (NDAs).
Correct Answer: B – Develop an information classification scheme
Explanation: Without classification, the organization cannot identify which data is
sensitive and requires protection.
Incorrect Answers:
A. Notification is required later for compliance.
C. Acceptable use defines behavior but not protection.
D. NDAs don’t control data flows or enforce technical controls.

Question 100
While auditing a small organization's data classification processes and procedures, an
IS auditor noticed that data is often classified at the incorrect level. What is the
MOST effective way for the organization to improve this situation?
A. Conduct awareness presentations and seminars for information classification
policies.
B. Use automatic document classification based on content.
C. Have IT security staff conduct targeted training for data owners.
D. Publish the data classification policy on the corporate web portal.
Correct Answer: B – Use automatic document classification based on
content
Explanation: Automation reduces human error and ensures consistency in
classification based on content patterns and rules.
Incorrect Answers:
A. Presentations raise awareness but may not change behavior.
C. Targeted training helps, but automation is more scalable.
D. Publishing policies helps access, not performance.

Question 101
An IS auditor finds that a key Internet-facing system is vulnerable to attack and that
patches are not available. What should the auditor recommend be done FIRST?
A. Implement additional firewalls to protect the system.
B. Decommission the server.
C. Implement a new system that can be patched.
D. Evaluate the associated risk.
Correct Answer: D – Evaluate the associated risk
Explanation: Risk evaluation is the first step to understand the severity and impact
before deciding the most appropriate mitigation.
Incorrect Answers:
A. Firewalls might reduce risk but should follow proper assessment.
B. Decommissioning may be excessive without understanding the full context.
C. System replacement is costly and premature without evaluating alternatives.

Question 102
During a review of an organization's network threat response process, the IS auditor
noticed that the majority of alerts were closed without resolution. Management
responded that those alerts were unworkable due to lack of actionable intelligence,
and therefore the support team is allowed to close them. What is the BEST way for
the auditor to address this situation?
A. Further review closed unactioned alerts to identify mishandling of threats.
B. Reopen unactioned alerts and report to the audit committee.
C. Recommend that management enhance the policy and improve threat awareness
training.
D. Omit the finding from the report as this practice is in compliance with the current
policy.
Correct Answer: A – Further review closed unactioned alerts to
identify mishandling of threats
Explanation: Reviewing these alerts helps assess whether real threats are being
overlooked, which could expose the organization.
Incorrect Answers:
B. Reopening alerts and reporting without evidence may be premature.
C. Training may be useful later, but investigation comes first.
D. Ignoring the issue due to policy compliance risks missing critical failures.

Question 103
Which of the following BEST helps to ensure data integrity across system interfaces?
A. Reconciliations
B. Environment segregation
C. Access controls
D. System backups
Correct Answer: A – Reconciliations
Explanation: Reconciliation processes compare data between systems to detect and
correct errors during transfer.
Incorrect Answers:
B. Segregation prevents conflict of interest but not interface integrity.
C. Access controls protect data from unauthorized access, not transfer errors.
D. Backups restore data but don’t ensure integrity across systems.

Question 104
Due to system limitations, segregation of duties (SoD) cannot be enforced in an
accounts payable system. Which of the following is the IS auditor's BEST
recommendation for a compensating control?
A. Require written authorization for all payment transactions.
B. Review payment transaction history.
C. Reconcile payment transactions with invoices.
D. Restrict payment authorization to senior staff members.
Correct Answer: A – Require written authorization for all payment
transactions
Explanation: Written approvals provide accountability and oversight, compensating
for lack of SoD.
Incorrect Answers:
B. Reviewing after the fact doesn’t prevent unauthorized payments.
C. Reconciliation checks accuracy but not authorization.
D. Restricting to senior staff limits risk but doesn’t provide control.
Question 105
Spreadsheets are used to calculate project cost estimates. Totals for each cost
category are then keyed into the job-costing system. What is the BEST control to
ensure that data is accurately entered into the system?
A. Display back of project detail after entry
B. Reconciliation of total amounts by project
C. Reasonableness checks for each cost type
D. Validity checks, preventing entry of character data
Correct Answer: B – Reconciliation of total amounts by project
Explanation: Reconciliation validates data between the spreadsheet and the job-
costing system, ensuring accuracy.
Incorrect Answers:
A. Displaying entry data helps users, but doesn’t confirm correctness.
C. Reasonableness checks detect anomalies but may miss input errors.
D. Validity checks ensure format but not correct values.

Question 106
An organization plans to receive an automated data feed into its enterprise data
warehouse from a third-party service provider. Which of the following would be the
BEST way to prevent accepting bad data?
A. Purchase data cleansing tools from a reputable vendor.
B. Appoint data quality champions across the organization.
C. Obtain error codes indicating failed data feeds.
D. Implement business rules to reject invalid data.
Correct Answer: D – Implement business rules to reject invalid data
Explanation: Business rules prevent bad data from being accepted into the system,
reducing downstream errors.
Incorrect Answers:
A. Cleansing fixes data post-import, not prevention.
B. Champions raise awareness but don’t enforce rules.
C. Error codes signal issues but don’t block bad data.

Question 107
Which task should an IS auditor complete FIRST during the preliminary planning
phase of a database security review?
A. Determine which databases will be in scope.
B. Identify the most critical database controls.
C. Evaluate the types of databases being used.
D. Perform a business impact analysis (BIA).
Correct Answer: A – Determine which databases will be in scope
Explanation: Scoping defines the boundaries of the review and ensures focused,
efficient auditing.
Incorrect Answers:
B. Identifying controls comes after defining scope.
C. Evaluating database types supports review but isn’t first.
D. BIA is helpful but not the initial task in this context.

Question 108
Which of the following is an IS auditor's GREATEST concern when an organization
does not regularly update software on individual workstations in the internal
environment?
A. The organization may not be in compliance with licensing agreements.
B. System functionality may not meet business requirements.
C. The system may have version control issues.
D. The organization may be more susceptible to cyber-attacks.
Correct Answer: D – The organization may be more susceptible to
cyber-attacks
Explanation: Outdated software often contains known vulnerabilities that hackers
can exploit.
Incorrect Answers:
A. Licensing issues are legal, but not as severe as security risk.
B. Functionality may be affected, but that’s not the biggest threat.
C. Version control is a maintenance issue, not a primary security concern.

Question 109
An organization has assigned two new IS auditors to audit a new system
implementation. One of the auditors has an IT-related degree, and one has a business
degree. Which of the following is MOST important to meet the IS audit standard for
proficiency?
A. The standard is met as long as a supervisor reviews the new auditors' work.
B. The standard is met as long as one member has a globally recognized audit
certification.
C. Team member assignments must be based on individual competencies.
D. Technical co-sourcing must be used to help the new staff.
Correct Answer: C – Team member assignments must be based on
individual competencies
Explanation: IS audit standards require auditors to be assigned based on their
ability to carry out the work competently.
Incorrect Answers:
A. Supervision doesn’t replace competency.
B. Certification helps but doesn’t replace experience.
D. Co-sourcing is an option but not required if competencies exist.
Question 110
Which of the following is a social engineering attack method?
A. A hacker walks around an office building using scanning tools to search for a
wireless network to gain access.
B. An employee is induced to reveal confidential IP addresses and passwords by
answering questions over the phone.
C. An unauthorized person attempts to gain access to secure premises by following
an authorized person through a secure door.
D. An intruder eavesdrops and collects sensitive information flowing through the
network and sells it to third parties.
Correct Answer: B – An employee is induced to reveal confidential IP
addresses and passwords by answering questions over the phone
Explanation: Social engineering manipulates people into revealing confidential
information.
Incorrect Answers:
A. Wireless scanning is a technical attack.
C. Physical tailgating is a physical security breach, not social manipulation.
D. Eavesdropping is a passive technical attack.

Question 111
Which of the following will BEST ensure that a proper cutoff has been established to
reinstate transactions and records to their condition just prior to a computer system
failure?
A. Rotating backup copies of transaction files offsite
B. Ensuring bisynchronous capabilities on all transmission lines
C. Maintaining system console logs in electronic format
D. Using a database management system (DBMS) to dynamically back-out partially
processed transactions
Correct Answer: D – Using a database management system (DBMS)
to dynamically back-out partially processed transactions
Explanation: A DBMS with rollback capabilities allows the system to return to a
consistent state before failure.
Incorrect Answers:
A. Offsite backups are useful but don’t guarantee proper cutoff.
B. Bisynchronous lines improve transmission reliability but not data recovery.
C. Logs aid investigations but don’t restore transactional state.

Question 112
Which of the following fire suppression systems needs to be combined with an
automatic switch to shut down the electricity supply in the event of activation?
A. FM-200
B. Dry pipe
C. Carbon dioxide
D. Halon
Correct Answer: C – Carbon dioxide
Explanation: CO₂ displaces oxygen, posing a risk to people and electronics if the
power isn’t shut off.
Incorrect Answers:
A. FM-200 is safe for people and doesn't require immediate power cut.
B. Dry pipe systems are water-based and used in specific areas.
D. Halon is effective but has been phased out due to environmental concerns.

Question 113
Which of the following is the PRIMARY purpose of a post-implementation review?
A. To ensure project resources were optimized
B. To ensure project deliverables were provided on time
C. To determine whether expected benefits were realized from a project
D. To calculate a project's actual cost against the projected cost
Correct Answer: C – To determine whether expected benefits were
realized from a project
Explanation: The review assesses if the project met its business goals and delivered
value.
Incorrect Answers:
A. Resource usage is a secondary consideration.
B. Timeliness is important but not the core purpose.
D. Cost comparison is part of evaluation, but not the main goal.

Question 114
An organization's security policy mandates that all new employees must receive
appropriate security awareness training. Which of the following metrics would BEST
assure compliance with this policy?
A. Number of new hires who have violated enterprise security policies
B. Percentage of new hires that have completed the training
C. Number of reported incidents by new hires
D. Percentage of new hires who report incidents
Correct Answer: B – Percentage of new hires that have completed the
training
Explanation: Completion rate directly measures compliance with the training
requirement.
Incorrect Answers:
A. Violations indicate issues but don’t measure policy compliance.
C. Incident reports may reflect awareness but not training completion.
D. Reporting indicates participation, not formal completion.
Question 115
Which of the following business continuity activities prioritizes the recovery of critical
functions?
A. Business impact analysis (BIA)
B. Risk assessment
C. Business continuity plan (BCP) testing
D. Disaster recovery plan (DRP) testing
Correct Answer: A – Business impact analysis (BIA)
Explanation: BIA identifies critical processes and the impact of their disruption,
enabling prioritization.
Incorrect Answers:
B. Risk assessment identifies threats, not priorities.
C. BCP testing validates recovery strategies.
D. DRP testing is more technical and specific to systems.

Question 116
An IS auditor found that a company executive is encouraging employee use of social
networking sites for business purposes. Which of the following recommendations
would BEST help to reduce the risk of data leakage?
A. Requiring policy acknowledgment and nondisclosure agreements (NDAs) signed by
employees
B. Monitoring employees' social networking usage
C. Establishing strong access controls on confidential data
D. Providing education and guidelines to employees on use of social networking sites
Correct Answer: D – Providing education and guidelines to employees
on use of social networking sites
Explanation: Training helps employees understand how to avoid disclosing sensitive
information online.
Incorrect Answers:
A. NDAs are helpful but don’t change behavior.
B. Monitoring detects issues after they occur.
C. Access control protects data, not how it’s discussed externally.

Question 117
Which of the following is the MOST efficient way to assess the controls in a service
provider's environment?
A. Review testing performed by the service provider's internal audit department
B. Require the service provider to conduct control self-assessments (CSAs)
C. Review the service provider's master service agreement (MSA)
D. Obtain an independent auditor's report from the service provider
Correct Answer: D – Obtain an independent auditor's report from the
service provider
Explanation: Reports like SOC 1/2 provide objective, efficient assessments of
internal controls.
Incorrect Answers:
A. Internal audits lack independence.
B. CSAs are subjective.
C. MSAs state expectations but don’t confirm implementation.

Question 118
The PRIMARY focus of audit follow-up reports should be to:
A. Assess if new risks have developed
B. Determine if audit recommendations have been implemented
C. Determine if past findings are still relevant
D. Verify the completion date of the implementation
Correct Answer: B – Determine if audit recommendations have been
implemented
Explanation: Follow-ups ensure that findings are addressed and that risks are
mitigated as planned.
Incorrect Answers:
A. New risks are reviewed in separate assessments.
C. Relevance supports reporting but isn’t the primary goal.
D. Dates are useful, but implementation is the priority.

Question 119
Which of the following is the BEST way to mitigate the risk associated with
technology obsolescence?
A. Create tactical and strategic IS plans
B. Make provisions in the budgets for potential upgrades
C. Invest in current technology
D. Create a technology watch team that evaluates emerging trends
Correct Answer: A – Create tactical and strategic IS plans
Explanation: Strategic planning anticipates obsolescence and guides proactive
upgrades.
Incorrect Answers:
B. Budgeting is important but must align with planning.
C. Investing without planning may not address risk.
D. Watching trends helps, but planning ensures action.

Question 120
Which of the following is MOST important to ensure when reviewing a global
organization's controls to protect data held on its IT infrastructure across all of its
locations?
A. The capacity of underlying communications infrastructure in the host locations is
sufficient
B. The threat of natural disasters in each location hosting infrastructure has been
accounted for
C. Relevant data protection legislation and regulations for each location are adhered
to
D. Technical capabilities exist in each location to manage the data and recovery
operations
Correct Answer: C – Relevant data protection legislation and
regulations for each location are adhered to
Explanation: Compliance with local laws is critical for avoiding legal penalties and
ensuring lawful data handling.
Incorrect Answers:
A. Communication capacity is a performance concern, not compliance.
B. Natural disasters impact BCP but not data protection compliance.
D. Technical capabilities support operations but don’t ensure legality.

Question 121
An organization is planning to re-purpose workstations that were used to handle
confidential information. Which of the following would be the IS auditor's BEST
recommendation to dispose of this information?
A. Overwrite the disks with random data.
B. Reformat the disks.
C. Erase the disks by degaussing.
D. Delete the disk partitions.
Correct Answer: C – Erase the disks by degaussing
Explanation: Degaussing eliminates magnetic fields and completely removes all data
from storage media, ensuring confidentiality.
Incorrect Answers:
A. Overwriting helps, but degaussing is more thorough.
B. Reformatting does not securely erase data.
D. Deleting partitions leaves data recoverable.

Question 122
External experts were used on a recent IT audit engagement. While assessing the
external experts' work, the internal audit team found some gaps in the evidence that
may have impacted their conclusions. What is the internal audit team's BEST course
of action?
A. Engage another expert to conduct the same testing.
B. Report a scope limitation in their conclusions.
C. Recommend the external experts conduct additional testing.
D. Escalate to senior management.
 Correct Answer: B – Report a scope limitation in their conclusions
Explanation: If the evidence is incomplete, the most appropriate course of action is
to report a scope limitation to maintain audit integrity.
Incorrect Answers:
A. Engaging another expert adds cost and delay.
C. Recommending more testing doesn’t resolve the original evidence gap.
D. Escalation may be premature without documenting the limitation.

Question 123
The practice of periodic secure code reviews is which type of control?
A. Compensating
B. Detective
C. Preventive
D. Corrective
Correct Answer: B – Detective
Explanation: Secure code reviews identify vulnerabilities after code is written,
making them detective controls.
Incorrect Answers:
A. Compensating controls are substitutes, not detection mechanisms.
C. Preventive controls avoid issues before they occur.
D. Corrective controls address issues after they’re found.

Question 124
Which of the following is the PRIMARY role of key performance indicators (KPIs) in
supporting business process effectiveness?
A. To analyze workflows in order to optimize business processes and eliminate tasks
that do not provide value
B. To evaluate the cost-benefit of tools implemented to monitor control performance
C. To enable conclusions about the performance of the processes and target variances
for follow-up analysis
D. To assess the functionality of a software deliverable based on business processes
Correct Answer: C – To enable conclusions about the performance of
the processes and target variances for follow-up analysis
Explanation: KPIs help measure and evaluate whether processes meet performance
expectations, supporting decision-making.
Incorrect Answers:
A. Workflow analysis is broader and not the KPI’s primary role.
B. Cost-benefit evaluation is separate from performance tracking.
D. Software functionality assessment is not the core KPI purpose.
Question 125
Which of the following would BEST enable an organization to address the security
risks associated with a recently implemented bring your own device (BYOD)
strategy?
A. Mobile device testing program
B. Mobile device upgrade program
C. Mobile device awareness program
D. Mobile device tracking program
Correct Answer: C – Mobile device awareness program
Explanation: Educating users on secure practices is key in mitigating BYOD risks.
Incorrect Answers:
A. Testing doesn’t address end-user behavior.
B. Upgrades improve performance but not user knowledge.
D. Tracking helps monitor use, but doesn’t prevent risky behavior.

Question 126
An organization has outsourced the development of a core application. However, the
organization plans to bring the support and future maintenance of the application
back in-house. Which of the following findings should be the IS auditor's
GREATEST concern?
A. The data model is not clearly documented.
B. The vendor development team is located overseas.
C. The cost of outsourcing is lower than in-house development.
D. A training plan for business users has not been developed.
Correct Answer: A – The data model is not clearly documented
Explanation: Without proper documentation, it will be difficult to maintain or
modify the application.
Incorrect Answers:
B. Offshore development can be managed with oversight.
C. Cost is a business decision, not an audit risk.
D. Lack of user training is a concern but not the biggest risk.

Question 127
An employee has accidentally posted confidential data to the company's social media
page. Which of the following is the BEST control to prevent this from recurring?
A. Establish two-factor access control for social media accounts.
B. Implement a moderator approval process.
C. Require all updates to be made by the marketing director.
D. Perform periodic audits of social media updates.
Correct Answer: B – Implement a moderator approval process
Explanation: Pre-post review by a moderator can prevent inappropriate or
accidental disclosures.
Incorrect Answers:
A. Two-factor authentication protects account access, not content.
C. Centralizing control limits flexibility and may not prevent errors.
D. Audits are reactive, not preventive.

Question 128
Which of the following is MOST important to include in a contract with a software
development service provider?
A. A list of key performance indicators (KPIs)
B. Service level agreement (SLA)
C. Ownership of intellectual property
D. Explicit contract termination requirements
Correct Answer: C – Ownership of intellectual property
Explanation: IP ownership ensures the client can use and maintain the software
after the contract ends.
Incorrect Answers:
A. KPIs support performance but not rights.
B. SLAs cover service but not legal ownership.
D. Termination clauses are important but secondary to IP rights.

Question 129
An IS auditor is reviewing the perimeter security design of a network. Which of the
following provides the GREATEST assurance that both incoming and outgoing
internet traffic is controlled?
A. Load balancer
B. Security information and event management (SIEM) system
C. Intrusion detection system (IDS)
D. Stateful firewall
Correct Answer: D – Stateful firewall
Explanation: Stateful firewalls track and filter traffic based on session state,
ensuring both directions are monitored and controlled.
Incorrect Answers:
A. Load balancers manage traffic flow, not security.
B. SIEM systems monitor events but don’t enforce controls.
C. IDS detects but doesn’t block traffic.

Question 130
An organization needs to comply with data privacy regulations forbidding the display
of personally identifiable information (PII) on customer bills or receipts. However, it
is a business requirement to display at least one attribute so that customers can
verify the bills or receipts are intended for them. What is the BEST
recommendation?
A. Data sanitization
B. Data masking
C. Data encryption
D. Data tokenization
Correct Answer: B – Data masking
Explanation: Data masking allows partial display (e.g., last 4 digits of a credit
card) to maintain usability while protecting PII.
Incorrect Answers:
A. Sanitization removes data, making it unusable.
C. Encryption protects data at rest or in transit, not on display.
D. Tokenization is useful internally, not for customer-facing verification.

Question 131
Which of the following development practices would BEST mitigate the risk
associated with theft of user credentials transmitted between mobile devices and the
corporate network?
A. Enforce the validation of digital certificates used in the communication sessions.
B. Release mobile applications in debugging mode to allow for easy troubleshooting.
C. Embed cryptographic keys within the mobile application source code.
D. Allow persistent sessions between mobile applications and the corporate network.
Correct Answer: A – Enforce the validation of digital certificates used
in the communication sessions
Explanation: Validating certificates ensures secure, encrypted connections and
prevents man-in-the-middle attacks.
Incorrect Answers:
B. Debug mode exposes sensitive information and should never be used in
production.
C. Embedded keys can be extracted and misused.
D. Persistent sessions increase exposure to credential theft.

Question 132
Which of the following is MOST useful for determining whether the goals of IT are
aligned with the organization's goals?
A. Enterprise architecture (EA)
B. Key performance indicators (KPIs)
C. Balanced scorecard
D. Enterprise dashboard
Correct Answer: C – Balanced scorecard
Explanation: A balanced scorecard links business goals to IT objectives and
measures performance across strategic areas.
Incorrect Answers:
A. EA helps structure systems but doesn’t assess alignment.
B. KPIs measure performance but don’t show alignment.
D. Dashboards present metrics but don’t establish strategic relationships.

Question 133
Which of the following cloud deployment models would BEST meet the needs of a
startup software development organization with limited initial capital?
A. Community
B. Hybrid
C. Private
D. Public
Correct Answer: D – Public
Explanation: Public cloud is cost-effective and scalable, ideal for startups that
require flexible and low-cost infrastructure.
Incorrect Answers:
A. Community cloud is shared but less flexible.
B. Hybrid models require more complex integration and cost.
C. Private cloud is expensive to set up and maintain.

Question 134
Which of the following is MOST effective in detecting an intrusion attempt?
A. Using packet filter software
B. Using smart cards with one-time passwords
C. Installing biometrics-based authentication
D. Analyzing system logs
Correct Answer: D – Analyzing system logs
Explanation: Log analysis helps identify suspicious activities and unauthorized
access attempts.
Incorrect Answers:
A. Packet filters only control basic traffic and are not effective in detection.
B. Smart cards prevent unauthorized access but don’t detect attempts.
C. Biometrics restrict access but do not detect ongoing attacks.

Question 135
The MOST important reason why an IT risk assessment should be updated on a
regular basis is to:
A. Utilize IT resources in a cost-effective manner.
B. React to changes in the IT environment.
C. Comply with data classification changes.
D. Comply with risk management policies.
Correct Answer: B – React to changes in the IT environment
Explanation: New threats, technologies, and processes require reassessment to keep
the risk profile current.
Incorrect Answers:
A. Resource usage is secondary to risk awareness.
C. Data classification changes are part of, not the driver of, risk assessments.
D. Policies should prompt updates, but the reason is environmental change.

Question 136
An organization's strategy to source certain IT functions from a software as a service
(SaaS) provider should be approved by the:
A. IT steering committee.
B. Chief financial officer (CFO).
C. IT operations manager.
D. Chief risk officer (CRO).
Correct Answer: A – IT steering committee
Explanation: The IT steering committee ensures that IT sourcing decisions align
with overall strategy and business goals.
Incorrect Answers:
B. CFO reviews budget but not strategic alignment.
C. IT operations manager executes tasks, not strategic oversight.
D. CRO focuses on risk but doesn’t approve sourcing decisions.

Question 137
An organization experienced a domain name system (DNS) attack caused by default
user accounts not being removed from one of the servers. Which of the following
would have been the BEST way to mitigate the risk of this DNS attack?
A. Require all employees to attend training for secure configuration management.
B. Have a third party configure the virtual servers.
C. Configure the servers from an approved standard configuration.
D. Configure the intrusion prevention system (IPS) to identify DNS attacks.
Correct Answer: C – Configure the servers from an approved standard
configuration
Explanation: Using a hardened, approved configuration reduces the risk of
vulnerabilities like default accounts.
Incorrect Answers:
A. Training is good but doesn’t enforce secure configs.
B. Outsourcing doesn’t guarantee secure configuration.
D. IPS detects attacks but doesn’t prevent weak setups.

Question 138
The BEST indicator of an optimized quality management system (QMS) is that it:
A. Is endorsed by senior management
B. Aligns with an industry recognized framework
C. Is integrated and enforced in all IT activities
D. Defines and monitors all IT QMS activities
Correct Answer: C – Is integrated and enforced in all IT activities
Explanation: Full integration of QMS ensures consistency, control, and optimization
of quality throughout IT.
Incorrect Answers:
A. Endorsement is supportive, not an indicator of effectiveness.
B. Alignment helps but doesn’t ensure implementation.
D. Definition and monitoring are essential but not proof of optimization.

Question 139
When developing customer-facing IT applications, in which stage of the system
development life cycle (SLC) is it MOST beneficial to consider data privacy
principles?
A. User acceptance testing (UAT)
B. Systems design and architecture
C. Requirements definition
D. Software selection and acquisition
Correct Answer: C – Requirements definition
Explanation: Data privacy must be built into system requirements to ensure it is
considered throughout development.
Incorrect Answers:
A. UAT is too late for effective privacy integration.
B. Design implements what’s defined in requirements.
D. Acquisition depends on prior requirement identification.

Question 140
An organization is shifting to a remote workforce. In preparation, the IT department
is performing stress and capacity testing of remote access infrastructure and systems.
What type of control is being implemented?
A. Directive
B. Detective
C. Preventive
D. Compensating
Correct Answer: C – Preventive
Explanation: Stress testing anticipates issues and ensures infrastructure can handle
remote load, preventing service failures.
Incorrect Answers:
A. Directive controls guide behavior, not prevent failure.
B. Detective controls identify problems after they occur.
D. Compensating controls substitute for weaknesses in other areas.
Question 141
What is the BEST method for securing credit card numbers stored temporarily on a
file server prior to transmission to the downstream system for payment processing?
A. Masking the full credit card number
B. Encryption with strong cryptography
C. Truncating the credit card number
D. One-way hash with strong cryptography
Correct Answer: B – Encryption with strong cryptography
Explanation: Encryption protects sensitive data at rest and ensures that even if
unauthorized access occurs, the data remains unreadable.
Incorrect Answers:
A. Masking hides part of the number but doesn’t secure stored data.
C. Truncating reduces exposure but still reveals part of the data.
D. Hashing is irreversible and not appropriate if the data needs to be retrieved.

Question 142
When removing a financial application system from production, which of the
following is MOST important?
A. Media used by the retired system has been sanitized.
B. Software license agreements are retained.
C. End-user requests for changes are recorded and tracked.
D. Data retained for regulatory purposes can be retrieved.
Correct Answer: D – Data retained for regulatory purposes can be
retrieved
Explanation: Regulatory compliance requires that financial records be retained and
accessible even after system decommissioning.
Incorrect Answers:
A. Sanitization is important but secondary to compliance.
B. License records are administrative, not critical.
C. Change requests are irrelevant post-decommission.

Question 143
In a 24/7 processing environment, a database contains several privileged application
accounts with passwords set to "never expire." Which of the following
recommendations would BEST address the risk with minimal disruption to the
business?
A. Schedule downtime to implement password changes.
B. Introduce database access monitoring into the environment.
C. Modify the access management policy to make allowances for application
accounts.
D. Modify applications to no longer require direct access to the database.
Correct Answer: B – Introduce database access monitoring into the
environment
Explanation: Monitoring ensures visibility into privileged account usage and allows
continuous operations without immediate disruption.
Incorrect Answers:
A. Downtime is disruptive.
C. Policy modification addresses policy, not the risk.
D. Rewriting applications is costly and time-consuming.

Question 144
The risk of communication failure in an e-commerce environment is BEST minimized
through the use of:
A. Alternative or diverse routing
B. Compression software to minimize transmission duration
C. Functional or message acknowledgments
D. A packet filtering firewall to reroute messages
Correct Answer: A – Alternative or diverse routing
Explanation: Diverse routing provides redundancy in case of primary path failure,
ensuring continuity of operations.
Incorrect Answers:
B. Compression reduces size, not failure risk.
C. Acknowledgments confirm delivery but don’t prevent outages.
D. Firewalls don’t reroute messages.

Question 145
What is the PRIMARY benefit of an audit approach which requires reported findings
to be issued together with related action plans, owners, and target dates?
A. It establishes accountability for the action plans.
B. It enforces action plan consensus between auditors and auditees.
C. It facilitates easier audit follow-up.
D. It helps to ensure factual accuracy of findings.
Correct Answer: A – It establishes accountability for the action plans
Explanation: Assigning responsibility ensures that someone is accountable for
resolving each issue, improving remediation.
Incorrect Answers:
B. Consensus is helpful, but accountability is key.
C. Follow-up is improved by accountability, not format alone.
D. Accuracy is based on evidence, not format.

Question 146
An organization has made a strategic decision to split into separate operating entities
to improve profitability. However, the IT infrastructure remains shared between the
entities. Which of the following would BEST help to ensure that IS audit still covers
key risk areas within the IT environment as part of its annual plan?
A. Developing a risk-based plan considering each entity's business processes
B. Conducting an audit of newly introduced IT policies and procedures
C. Revising IS audit plans to focus on IT changes introduced after the split
D. Increasing the frequency of risk-based IS audits for each business entity
Correct Answer: A – Developing a risk-based plan considering each
entity's business processes
Explanation: A risk-based audit plan ensures comprehensive coverage tailored to
the specific risks of each new entity.
Incorrect Answers:
B. Policy review is limited in scope.
C. Focusing on changes may miss ongoing risks.
D. Audit frequency alone does not ensure appropriate coverage.

Question 147
The PRIMARY advantage of object-oriented technology is enhanced:
A. Grouping of objects into methods for data access.
B. Management of sequential program execution for data access.
C. Management of a restricted variety of data types for a data object.
D. Efficiency due to the re-use of elements of logic.
Correct Answer: D – Efficiency due to the re-use of elements of logic
Explanation: Object-oriented programming promotes code reuse through
inheritance, reducing development time and improving maintainability.
Incorrect Answers:
A. Grouping helps structure but isn’t the main benefit.
B. Sequential execution is unrelated to object orientation.
C. Object-oriented systems are flexible with data types.

Question 148
An IT governance body wants to determine whether IT service delivery is based on
consistently effective processes. Which of the following is the BEST approach?
A. Develop a maturity model
B. Evaluate key performance indicators (KPIs)
C. Conduct a gap analysis
D. Implement a control self-assessment (CSA)
Correct Answer: A – Develop a maturity model
Explanation: A maturity model assesses process standardization and effectiveness
over time, supporting continuous improvement.
Incorrect Answers:
B. KPIs monitor outcomes, not process maturity.
C. Gap analysis identifies issues but not consistency.
D. CSAs are internal and subjective.

Question 149
A warehouse employee of a retail company has been able to conceal the theft of
inventory items by entering adjustments of either damaged or lost stock items to the
inventory system. Which control would have BEST prevented this type of fraud in a
retail environment?
A. Statistical sampling of adjustment transactions
B. Separate authorization for input of transactions
C. An edit check for the validity of the inventory transaction
D. Unscheduled audits of lost stock lines
Correct Answer: B – Separate authorization for input of transactions
Explanation: Requiring a second party to approve transactions prevents employees
from making fraudulent adjustments unilaterally.
Incorrect Answers:
A. Sampling may miss fraudulent entries.
C. Edit checks don’t detect fraudulent intent.
D. Audits detect after the fact, not prevent.

Question 150
Which type of testing is MOST important to perform during a project audit to help
ensure business objectives are met?
A. Regression testing
B. Pilot testing
C. Functional testing
D. System testing
Correct Answer: C – Functional testing
Explanation: Functional testing ensures that the system meets defined business
requirements and delivers expected results.
Incorrect Answers:
A. Regression testing checks for side effects, not business alignment.
B. Pilot testing evaluates usability, not core functionality.
D. System testing is broader but may not cover detailed business functionality.

Question 151
Which of the following is MOST important for an IS auditor to review when
assessing the integrity of encryption controls for data at rest?
A. Protection of encryption keys
B. Encryption of test data
C. Frequency of encryption key changes
D. Length of encryption keys
 Correct Answer: A – Protection of encryption keys
Explanation: Protecting encryption keys is essential because compromised keys can
render the encryption useless and expose sensitive data.
Incorrect Answers:
B. Encryption of test data is a good practice but not critical for assessing integrity
controls.
C. Key rotation enhances security but is secondary to protecting the keys themselves.
D. Key length matters, but it cannot compensate for poor key protection.

Question 152
An IS audit manager finds that data manipulation logic developed by the audit
analytics team leads to incorrect conclusions. This inaccurate logic is MOST likely an
indication of which of the following?
A. The team's poor understanding of the business process being analyzed
B. Incompatibility between data volume and analytics processing capacity
C. Poor change controls over data sets collected from the business
D. Poor security controls that grant inappropriate access to analysis produced
Correct Answer: A – The team's poor understanding of the business process
being analyzed
Explanation: Misunderstanding business logic often results in flawed analytics,
leading to incorrect audit conclusions.
Incorrect Answers:
B. Capacity issues typically affect performance, not logic.
C. Poor change control might affect data versioning, not logic creation.
D. Security control issues could expose data but don’t explain flawed logic.

Question 153
Which of the following is the BEST control to mitigate the malware risk associated
with an instant messaging (IM) system?
A. Blocking external IM traffic
B. Blocking attachments in IM
C. Allowing only corporate IM solutions
D. Encrypting IM traffic
Correct Answer: C – Allowing only corporate IM solutions
Explanation: Using approved corporate IM platforms enables organizations to
enforce security policies and monitor communications.
Incorrect Answers:
A. Blocking all external IM may not be feasible and restricts communication.
B. Blocking attachments can help but doesn’t control other risks.
D. Encryption ensures confidentiality but not malware prevention.
Question 154
An IS auditor noted that a change to a critical calculation was placed into the
production environment without being tested. Which of the following is the BEST
way to obtain assurance that the calculation functions correctly?
A. Check regular execution of the calculation batch job.
B. Interview the lead system developer.
C. Obtain post-change approval from management.
D. Perform substantive testing using computer-assisted audit techniques (CAATs).
Correct Answer: D – Perform substantive testing using computer-assisted audit
techniques (CAATs)
Explanation: CAATs allow the auditor to verify calculation logic by testing large
datasets, ensuring the change works as intended.
Incorrect Answers:
A. Regular execution doesn’t confirm accuracy.
B. Interviews may confirm process, not functionality.
C. Management approval is administrative, not technical assurance.

Question 155
The use of cookies constitutes the MOST significant security threat when they are
used for:
A. obtaining a public key from a certification authority (CA).
B. forwarding email and Internet Protocol (IP) addresses.
C. authenticating using username and password.
D. downloading files from the host server.
Correct Answer: C – Authenticating using username and password
Explanation: Cookies used for authentication can be hijacked, enabling
unauthorized access without needing credentials.
Incorrect Answers:
A. Public key retrieval is a one-way secure action.
B. IP address forwarding poses privacy concerns, not critical threats.
D. File downloads are unrelated to cookie-based risks.

Question 156
To address issues related to privileged users identified in an IS audit, management
implemented a security information and event management (SIEM) system. Which
type of control is in place?
A. Directive
B. Detective
C. Preventive
D. Corrective
Correct Answer: B – Detective
Explanation: A SIEM system monitors and alerts on suspicious activity, making it
a detective control by identifying anomalies in privileged user behavior.
Incorrect Answers:
A. Directive controls guide behavior but do not monitor.
C. Preventive controls block actions, which SIEM does not do.
D. Corrective controls respond after an issue, not detect it.

Question 157
A new privacy regulation requires a customer's privacy information to be deleted
within 72 hours, if requested. Which of the following would be an IS auditor's
GREATEST concern regarding compliance to this regulation?
A. Outdated online privacy policies
B. End user access to applications with customer information
C. Incomplete backup and retention policies
D. Lack of knowledge of where customers' information is saved
Correct Answer: D – Lack of knowledge of where customers' information is saved
Explanation: Without knowing where data resides, the organization cannot ensure
complete deletion within the required time frame.
Incorrect Answers:
A. Outdated policies affect communication but not execution.
B. Access issues are important, but not the primary concern for deletion.
C. Backups are relevant, but location awareness comes first.

Question 158
A computer forensic audit is MOST relevant in which of the following situations?
A. Inadequate controls in the IT environment
B. Mismatches in transaction data
C. Data loss due to hacking of servers
D. Missing server patches
Correct Answer: C – Data loss due to hacking of servers
Explanation: Forensic audits are best applied in cybercrime situations, such as
breaches and hacking incidents, to collect and analyze evidence.
Incorrect Answers:
A. Inadequate controls are an audit concern, not a trigger for forensics.
B. Data mismatches indicate a processing issue, not a breach.
D. Missing patches are a vulnerability, not evidence of a crime.

Question 159
A month after a company purchased and implemented system and performance
monitoring software, reports were too large and therefore were not reviewed or acted
upon. The MOST effective plan of action would be to:
A. Evaluate replacement systems and performance monitoring software.
B. Use analytical tools to produce exception reports from the system and
performance monitoring software.
C. Re-install the system and performance monitoring software.
D. Restrict functionality of system monitoring software to security-related events.
Correct Answer: B – Use analytical tools to produce exception reports from the
system and performance monitoring software
Explanation: Exception reporting ensures that critical insights are highlighted for
review, improving usability without discarding the system.
Incorrect Answers:
A. Replacing software is costly and unnecessary.
C. Re-installation doesn’t address the core issue of volume.
D. Limiting to security events ignores performance monitoring needs.

Question 160
An organization seeks to control costs related to storage media throughout the
information life cycle while still meeting business and regulatory requirements. Which
of the following is the BEST way to achieve this objective?
A. Perform periodic tape backups.
B. Utilize solid state memory.
C. Stream backups to the cloud.
D. Implement a data retention policy
Correct Answer: D – Implement a data retention policy
Explanation: A retention policy ensures data is stored only as long as needed,
optimizing storage use and reducing compliance risk.
Incorrect Answers:
A. Tape backups help storage but don’t manage retention.
B. SSDs improve speed, not cost control over time.
C. Cloud streaming solves storage location, not retention duration.

Question 161
An IS auditor is reviewing a recent security incident and is seeking information about
the approval of a recent modification to a database system's security settings. Where
would the auditor MOST likely find this information?
A. Security incident and event management (SIEM) report
B. Change log
C. System event correlation report
D. Database log
Correct Answer: B – Change log
Explanation: A change log records system modifications, including approvals and
timestamps, making it the primary source to trace approved changes.
Incorrect Answers:
A. SIEM reports show events, not change approvals.
C. Correlation reports analyze patterns but not change authorizations.
D. Database logs show activity, not approval tracking.

Question 162
A review of an organization's IT portfolio revealed several applications that are not
in use. The BEST way to prevent this situation from recurring would be to
implement:
A. An information asset acquisition policy
B. Business case development procedures
C. A formal request for proposal (RFP) process
D. Asset life cycle management
Correct Answer: D – Asset life cycle management
Explanation: Asset life cycle management ensures applications are assessed
regularly, updated, or decommissioned to avoid unused assets.
Incorrect Answers:
A. Acquisition policies help selection, not lifecycle oversight.
B. Business cases justify projects but don’t manage long-term use.
C. RFP processes relate to procurement, not usage tracking.

Question 163
In an environment that automatically reports all program changes, which of the
following is the MOST efficient way to detect unauthorized changes to production
programs?
A. Periodically running and reviewing test data against production programs
B. Verifying user management approval of modifications
C. Reviewing the last compile date of production programs
D. Manually comparing code in production programs to controlled copies
Correct Answer: C – Reviewing the last compile date of production programs
Explanation: Reviewing compile dates can quickly flag unauthorized changes by
showing discrepancies from expected modification timelines.
Incorrect Answers:
A. Running tests is slower and may miss subtle changes.
B. Approval checks may not detect unauthorized actions.
D. Manual comparison is accurate but not efficient.

Question 164
An IS auditor is observing transaction processing and notes that a high-priority
update job ran out of sequence. What is the MOST significant risk from this
observation?
A. Daily schedules lack change control
B. Previous jobs may have failed
C. The job may not have run to completion
D. The job completes with invalid data
Correct Answer: D – The job completes with invalid data
Explanation: Out-of-sequence execution can lead to invalid data, corrupting
downstream processes or reports.
Incorrect Answers:
A. Lack of change control is a broader issue, not the direct risk.
B. Failed jobs are a risk but not the primary concern here.
C. Incomplete runs are possible but less critical than invalid outcomes.

Question 165
Which of the following is the BEST source of information for an IS auditor to use
when determining whether an organization's information security policy is adequate?
A. Risk assessment results
B. Penetration test results
C. Industry benchmarks
D. Information security program plans
Correct Answer: A – Risk assessment results
Explanation: Risk assessments identify threats and vulnerabilities, directly
informing whether current policies address real-world risks.
Incorrect Answers:
B. Pen tests show exposure, not policy adequacy.
C. Benchmarks are useful but not organization-specific.
D. Program plans are directional, not evaluative.

Question 166
Which of the following is the MOST significant risk associated with the use of
virtualization?
A. Insufficient network bandwidth
B. Single point of failure
C. Inadequate configuration
D. Performance issues of hosts
Correct Answer: C – Inadequate configuration
Explanation: Misconfigured virtual environments can expose multiple virtual
machines (VMs) to compromise or failure.
Incorrect Answers:
A. Bandwidth limits performance but is not the greatest risk.
B. Failover strategies mitigate single points of failure.
D. Host performance issues are secondary to security risks.

Question 167
Which of the following is MOST important to consider when scheduling follow-up
audits?
A. The impact if corrective actions are not taken
B. The amount of time the auditee has agreed to spend with auditors
C. The efforts required for independent verification with new auditors
D. Controls and detection risks related to the observations
Correct Answer: A – The impact if corrective actions are not taken
Explanation: Risk-based prioritization ensures follow-ups are focused where
unaddressed issues could cause major harm.
Incorrect Answers:
B. Time availability is logistical, not strategic.
C. Verification effort doesn’t determine audit need.
D. Detection risks are relevant but derive from impact.

Question 168
Secure code reviews as part of a continuous deployment program are which type of
control?
A. Detective
B. Corrective
C. Logical
D. Preventive
Correct Answer: D – Preventive
Explanation: Secure code reviews aim to detect vulnerabilities before deployment,
thus preventing security issues.
Incorrect Answers:
A. Detective controls operate post-event.
B. Corrective actions address existing problems.
C. Logical controls refer to system access, not code quality.

Question 169
Which of the following would BEST detect unauthorized modification of data by a
database administrator (DBA)?
A. Audit database change requests
B. Audit database activity logs
C. Review changes to edit checks
D. Compare data to input records
Correct Answer: B – Audit database activity logs
Explanation: Activity logs provide detailed insight into what the DBA has changed,
allowing detection of unauthorized actions.
Incorrect Answers:
A. Change requests show intent but not execution.
C. Edit checks help integrity, not detect admin behavior.
D. Data comparisons do not identify the source of changes.
Question 170
In a typical system development life cycle (SDLC), which group is PRIMARILY
responsible for confirming compliance with requirements?
A. Steering committee
B. Risk management
C. Quality assurance (QA)
D. Internal audit
Correct Answer: C – Quality assurance (QA)
Explanation: QA teams validate that deliverables meet business and technical
requirements throughout the SDLC.
Incorrect Answers:
A. Steering committees guide direction, not validation.
B. Risk management focuses on risk, not compliance.
D. Internal audit assesses controls post-implementation.

Question 171
Which of the following is MOST important when an organization is implementing a
new vendor management policy?
A. Defining escalation procedures for service failures
B. Monitoring vendor performance metrics
C. Establishing risk-based vendor tiers
D. Training staff on vendor selection
Correct Answer: C – Establishing risk-based vendor tiers
Explanation: Categorizing vendors by risk level ensures appropriate oversight and
controls.
Incorrect Answers:
A. Important but reactive.
B. Metrics matter, but depend on correct tiering.
D. Training is supportive, not foundational.

Question 172
An IS auditor is evaluating a new SaaS application used by the finance team. Which
of the following would be the MOST important control?
A. Two-factor authentication
B. Local data backups
C. Business continuity planning
D. Formal approval from finance department
Correct Answer: A – Two-factor authentication
Explanation: Strong authentication helps prevent unauthorized access to sensitive
financial data.
Incorrect Answers:
B. Backups may be managed by the vendor.
C. BCP is broader than access control.
D. Approval is necessary, but not a control.

Question 173
Which of the following BEST supports traceability in software development?
A. Use of open-source components
B. Integration with business intelligence tools
C. Requirement-to-test case mapping
D. Continuous integration tools
Correct Answer: C – Requirement-to-test case mapping
Explanation: Mapping ensures every requirement is validated through testing.
Incorrect Answers:
A. Traceability relates to documentation, not licensing.
B. BI tools report, not track development lineage.
D. CI helps automation, not traceability.

Question 174
Which of the following is the PRIMARY concern when staff use unauthorized cloud
services for file sharing?
A. Increased bandwidth consumption
B. Delayed IT service response times
C. Data leakage and regulatory noncompliance
D. Redundancy of IT-managed solutions
Correct Answer: C – Data leakage and regulatory noncompliance
Explanation: Shadow IT use can result in loss of control over sensitive data.
Incorrect Answers:
A. Minor operational impact.
B. Not the primary risk.
D. Redundancy is an inefficiency, not a risk.

Question 175
Which of the following provides the BEST assurance of confidentiality in email
communication?
A. Secure email gateway
B. Digital signatures
C. Email encryption
D. Anti-malware filters
Correct Answer: C – Email encryption
Explanation: Encryption ensures only authorized recipients can read the content.
Incorrect Answers:
A. Gateways help routing, not encryption.
B. Signatures confirm identity, not content privacy.
D. Malware protection is a different function.

Question 176
An IS auditor notices that access logs are reviewed only annually. What is the
GREATEST risk?
A. Overutilization of IT staff
B. Delayed detection of unauthorized access
C. Increased false positive rates
D. Duplicate user accounts
Correct Answer: B – Delayed detection of unauthorized access
Explanation: Infrequent reviews reduce chances of timely response to misuse.
Incorrect Answers:
A. Staff time isn’t the main issue.
C. False positives relate to tool tuning.
D. Duplicates are more about provisioning than reviews.

Question 177
Which of the following BEST ensures that new employees receive access aligned with
their job responsibilities?
A. Periodic review of user access rights
B. Preapproved access templates based on roles
C. Manual approval from department head
D. Delayed provisioning to ensure completeness
Correct Answer: B – Preapproved access templates based on roles
Explanation: Role-based provisioning standardizes access control and reduces
errors.
Incorrect Answers:
A. Periodic reviews are reactive.
C. Manual approvals are subject to inconsistency.
D. Delays hinder productivity.

Question 178
Which of the following should be the FIRST step when designing a security
awareness program?
A. Measure incident trends
B. Define program objectives
C. Assign awareness coordinators
D. Develop training modules
Correct Answer: B – Define program objectives
Explanation: Clear goals guide the structure, content, and evaluation of the
program.
Incorrect Answers:
A, C, D: Important but follow after setting objectives.

Question 179
What is the PRIMARY objective of implementing a centralized identity management
system?
A. Improve audit readiness
B. Simplify user provisioning
C. Ensure consistent access control
D. Enforce password complexity
Correct Answer: C – Ensure consistent access control
Explanation: Centralization standardizes access across systems.
Incorrect Answers:
A. Audit readiness is a benefit, not the main goal.
B. Simplification supports control, not the end itself.
D. Passwords are just one aspect.

Question 180
Which of the following would be MOST helpful to determine whether an organization
is following its patch management policy?
A. Interviewing system administrators
B. Reviewing help desk tickets
C. Comparing patch levels with policy timelines
D. Evaluating server performance reports
Correct Answer: C – Comparing patch levels with policy timelines
Explanation: This directly assesses compliance with patch deployment
requirements.
Incorrect Answers:
A. Interviews are subjective.
B. Help desk logs reflect issues, not compliance.
D. Performance is affected by many factors.

Question 181
When evaluating the management practices at a third-party organization providing
outsourced services, the IS auditor considers relying on an independent auditor's
report. The IS auditor would FIRST:
A. Review the objectives of the audit
B. Examine the independent auditor's workpapers
C. Discuss the report with the independent auditor
D. Determine if recommendations have been implemented
Correct Answer: A – Review the objectives of the audit
Explanation: Understanding the objectives ensures the report’s scope aligns with
the IS auditor’s reliance requirements.
Incorrect Answers:
B. Workpapers are useful but not the first step.
C. Discussions are secondary to reviewing scope.
D. Implementation follows after verifying the audit's relevance.

Question 182
What is the BEST control to address SQL injection vulnerabilities?
A. Digital signatures
B. Input validation
C. Unicode translation
D. Secure Sockets Layer (SSL) encryption
Correct Answer: B – Input validation
Explanation: Input validation prevents malicious SQL code from being processed,
effectively blocking injection attempts.
Incorrect Answers:
A. Digital signatures verify authenticity, not prevent injection.
C. Unicode translation does not sanitize input.
D. SSL protects data in transit, not input fields.

Question 183
In a typical network architecture used for e-commerce, a load balancer is normally
found between the:
A. Routers and the web servers
B. Mail servers and the mail repositories
C. Users and the external gateways
D. Databases and internal firewalls
Correct Answer: A – Routers and the web servers
Explanation: The load balancer distributes incoming traffic from routers to multiple
web servers to optimize performance and availability.
Incorrect Answers:
B. Mail systems don’t use load balancers in this way.
C. Users interact with web services, not directly with load balancers.
D. Load balancing is not typically used between databases and firewalls.

Question 184
During an audit of a financial application, it was determined that many terminated
users' accounts were not disabled. Which of the following should be the IS auditor's
NEXT step?
A. Perform a review of terminated users' account activity
B. Conclude that IT general controls are ineffective
C. Communicate risks to the application owner
D. Perform substantive testing of terminated users' access rights
Correct Answer: A – Perform a review of terminated users' account activity
Explanation: This determines whether any unauthorized access occurred, which is
crucial before making broader conclusions.
Incorrect Answers:
B. It's premature to conclude control failure without evidence.
C. Communicating risks is important but follows analysis.
D. Substantive testing is part of the activity review, not the first step.

Question 185
When developing metrics to measure the contribution of IT to the achievement of
business goals, the MOST important consideration is that the metrics:
A. Measure the effectiveness of IT controls in the achievement of IT strategy
B. Provide quantitative measurement of IT initiatives in relation with business
targets
C. Are expressed in terms of how IT risk impacts the achievement of business goals
D. Are used by similar industries to measure the effect of IT on business strategy
Correct Answer: B – Provide quantitative measurement of IT initiatives in
relation with business targets
Explanation: Metrics must clearly link IT performance to business value and
outcomes.
Incorrect Answers:
A. Control effectiveness supports IT strategy, not business goals.
C. IT risk impact is useful but not primary.
D. Industry benchmarks help comparison but not organizational alignment.

Question 186
The MOST important function of a business continuity plan (BCP) is to:
A. Ensure that the critical business functions can be recovered
B. Provide procedures for evaluating tests of the BCP
C. Provide a schedule of events that has to occur if there is a disaster
D. Ensure that all business functions are restored
Correct Answer: A – Ensure that the critical business functions can be recovered
Explanation: BCP prioritizes continuity of essential services to maintain operations
during disruption.
Incorrect Answers:
B. Evaluation procedures are supportive, not core.
C. Scheduling is part of execution, not the primary purpose.
D. Not all functions are equally critical or included.
Question 187
A small financial institution is preparing to implement a check image processing
system to support planned mobile banking product offerings. Which of the following
is MOST critical to the successful implementation of the system?
A. Feasibility studies
B. Control design
C. Integration testing
D. End user training
Correct Answer: B – Control design
Explanation: Proper controls ensure that the system operates securely and meets
regulatory and operational requirements.
Incorrect Answers:
A. Feasibility is important early but not critical during implementation.
C. Testing is important, but security and compliance depend on controls.
D. Training supports adoption but follows secure design.

Question 188
A characteristic of a digital signature is that it:
A. Is under control of the receiver
B. Is unique to the message
C. Has a reproducible hashing algorithm
D. Is validated when data are changed
Correct Answer: B – Is unique to the message
Explanation: Digital signatures combine hashing and encryption, producing a value
unique to both the sender and the message.
Incorrect Answers:
A. The sender controls the signature.
C. Algorithms are consistent, but not the key trait.
D. Changes invalidate the signature; they don’t validate it.

Question 189
What is the BEST way to control updates to the vendor master file in an accounts
payable system?
A. Using prenumbered and authorized request forms
B. Having only one person updating the master file
C. Periodically reviewing the entire vendor master file
D. Comparing updates against authorization
Correct Answer: D – Comparing updates against authorization
Explanation: This ensures that all changes are verified and approved, reducing the
risk of fraud or error.
Incorrect Answers:
A. Forms aid control but don’t confirm execution.
B. Single-user access increases risk.
C. Periodic review is less timely and may miss issues.

Question 190
A PRIMARY benefit derived by an organization employing control self-assessment
(CSA) techniques is that CSA:
A. Can identify high-risk areas for detailed review
B. Allows IS auditors to independently assess risk
C. Can be used as a replacement for traditional audits
D. Allows management to relinquish responsibility for control
Correct Answer: A – Can identify high-risk areas for detailed review
Explanation: CSA helps management and auditors focus resources by highlighting
weak or high-risk areas proactively.
Incorrect Answers:
B. CSA supports management, not auditor independence.
C. It complements, not replaces, audits.
D. It reinforces, not removes, control responsibility.

Question 191
During an audit of an organization's financial statements, an IS auditor finds that
the IT general controls are deficient. What should the IS auditor recommend?
A. Increase the compliance testing of the application controls
B. Place greater reliance on the application controls
C. Increase the substantive testing of the financial balances
D. Place greater reliance on the framework of control
Correct Answer: C – Increase the substantive testing of the financial balances
Explanation: When general controls are weak, the auditor compensates by
performing more direct tests on financial balances to ensure accuracy.
Incorrect Answers:
A. Compliance testing is ineffective if general controls are already known to be weak.
B. Weak general controls undermine application controls.
D. The framework doesn’t mitigate specific control deficiencies.

Question 192
An organization is considering allowing users to connect personal devices to the
corporate network. Which of the following should be done FIRST?
A. Configure users on the mobile device management (MDM) solution
B. Create inventory records of personal devices
C. Implement an acceptable use policy
D. Conduct security awareness training
Correct Answer: C – Implement an acceptable use policy
Explanation: Establishing acceptable use guidelines is critical before allowing device
access, ensuring users understand responsibilities and limitations.
Incorrect Answers:
A. MDM setup follows policy implementation.
B. Inventory creation is a follow-up control.
D. Training supports policy, not substitutes it.

Question 193
During an incident management audit, an IS auditor finds that several similar
incidents were logged during the audit period. Which of the following is the auditor's
MOST important course of action?
A. Document the finding and present it to management
B. Determine if a root cause analysis was conducted
C. Validate whether all incidents have been actioned
D. Confirm the resolution time of the incidents
Correct Answer: B – Determine if a root cause analysis was conducted
Explanation: Repeated incidents suggest an unresolved issue. The auditor must
confirm whether the underlying cause was identified and addressed.
Incorrect Answers:
A. Documentation follows investigation.
C. Action taken doesn’t ensure problem resolution.
D. Resolution time matters, but without root cause analysis, recurrence remains.

Question 194
Stress testing should ideally be carried out under a:
A. Test environment with test data
B. Production environment with test data
C. Test environment with production workloads
D. Production environment with production workloads
Correct Answer: C – Test environment with production workloads
Explanation: Using real workloads in a controlled (test) environment simulates
actual performance without risking operations.
Incorrect Answers:
A. Test data may not represent real load.
B. Testing in production with test data may be unreliable.
D. Testing in live production is risky and not ideal.

Question 195
An audit of environmental controls at a data center could include a review of the:
A. Local alarms on emergency exits
B. Logs recording visitors to the data center
C. List of employees authorized to enter the data center
D. Ceiling space to ensure that there are no wet pipes
 Correct Answer: D – Ceiling space to ensure that there are no wet pipes
Explanation: Wet pipes in ceiling spaces can cause damage to IT infrastructure.
Preventing water hazards is a key environmental control.
Incorrect Answers:
A. Alarms support physical access control, not environmental.
B. Visitor logs are security-related, not environmental.
C. Access lists are physical access controls.

Question 196
A data breach has occurred due to malware. Which of the following should be the
FIRST course of action?
A. Shut down the affected systems
B. Quarantine the impacted systems
C. Notify customers of the breach
D. Notify the cyber insurance company
Correct Answer: B – Quarantine the impacted systems
Explanation: Isolating infected systems prevents further spread and facilitates
investigation while maintaining evidence.
Incorrect Answers:
A. Shutdown may hinder forensics.
C. Notification is a legal step but not immediate.
D. Insurance notification is important but not the first step.

Question 197
An online retailer is receiving customer complaints about receiving different items
from what they ordered on the organization's website. The root cause has been
traced to poor data quality. Despite efforts to clean erroneous data from the system,
multiple data quality issues continue to occur. Which of the following
recommendations would be the BEST way to reduce the likelihood of future
occurrences?
A. Outsource data cleansing activities to reliable third parties
B. Assign responsibility for improving data quality
C. Implement business rules to validate employee data entry
D. Invest in additional employee training for data entry
Correct Answer: B – Assign responsibility for improving data quality
Explanation: Without ownership, data quality cannot be consistently managed or
improved across processes.
Incorrect Answers:
A. Outsourcing doesn't fix systemic issues.
C. Rules are important but require governance.
D. Training helps but is insufficient alone.
Question 198
During an operational audit of a biometric system used to control physical access,
which of the following should be of GREATEST concern to an IS auditor?
A. False positives
B. User acceptance of biometrics
C. False negatives
D. Lack of biometric training
Correct Answer: A – False positives
Explanation: False positives allow unauthorized access, posing a direct security risk.
Incorrect Answers:
B. User acceptance affects adoption, not security.
C. False negatives inconvenience users but don’t threaten security.
D. Training enhances usability, not integrity.

Question 199
During a software acquisition review, an IS auditor should recommend that there be
a software escrow agreement when:
A. The product is new in the market
B. The deliverables do not include the source code
C. There is no service level agreement (SLA)
D. The estimated life for the product is less than 3 years
Correct Answer: B – The deliverables do not include the source code
Explanation: An escrow ensures source code access in case the vendor is unable to
support the software, critical when it's not provided initially.
Incorrect Answers:
A. New products may be stable; escrow depends on code access.
C. SLA addresses service, not code availability.
D. Product lifespan doesn't determine escrow necessity.

Question 200
When reviewing a data classification scheme, it is MOST important for an IS auditor
to determine if:
A. The information owner is required to approve access to the asset
B. Senior IT managers are identified as information owners
C. The security criteria are clearly documented for each classification
D. Each information asset is assigned to a different classification
Correct Answer: C – The security criteria are clearly documented for each
classification
Explanation: Clear criteria ensure consistent classification and application of
security controls.
Incorrect Answers:
A. Approval workflows are secondary.
B. Ownership may vary; not always IT.
D. Not all assets need distinct classification levels.

Question 201
During a project meeting for the implementation of an enterprise resource planning
(ERP) system, a new requirement is requested by the finance department. Which of
the following would BEST indicate to an IS auditor that the resulting risk to the
project has been assessed?
A. The project status as reported in the meeting minutes
B. The analysis of the cost and time impact of the requirement
C. The updated business requirements
D. The approval of the change by the finance department
Correct Answer: B – The analysis of the cost and time impact of the
requirement
Explanation: An analysis of cost and time impact confirms that project risk has
been evaluated, helping ensure realistic expectations and appropriate decision-
making.
Incorrect Answers:
A. Meeting minutes may reflect status but not risk analysis.
C. Updated requirements show changes, not their impact.
D. Approval alone does not confirm that risk was assessed.

Question 202
An organization has implemented a quarterly job schedule to update database tables
so prices are adjusted in line with a price index. These changes do not go through the
regular change management process. Which of the following is the MOST important
control to have in place?
A. An overarching approval is obtained from the change advisory board
B. User acceptance testing (UAT) is performed after the production run
C. Each production run is approved by an authorized individual
D. Exception reports are generated to identify anomalies
Correct Answer: C – Each production run is approved by an
authorized individual
Explanation: Ensuring each run is approved provides accountability and control
over updates that bypass standard change processes.
Incorrect Answers:
A. General approvals may overlook run-specific risks.
B. Testing after production does not prevent issues.
D. Exception reports help detect, not prevent, unauthorized changes.

Question 203
Which of the following methods will BEST reduce the risk associated with the
transition to a new system using technologies that are not compatible with the old
system?
A. Pilot operation
B. Parallel changeover
C. Modular changeover
D. Phased operation
Correct Answer: B – Parallel changeover
Explanation: Running both systems in parallel allows verification of outputs,
minimizing operational risk during transition.
Incorrect Answers:
A. Pilot is limited in scope.
C. Modular change may not cover all incompatibilities.
D. Phased operation is slower and riskier in tech mismatch cases.

Question 204
Following a merger, a review of an international organization determines the IT
steering committee's decisions do not extend to regional offices as required in the
consolidated IT operating model. Which of the following is the IS auditor's BEST
recommendation?
A. Create regional centers of excellence
B. Engage an IT governance consultant
C. Update the IT steering committee's formal charter
D. Create regional IT steering committees
Correct Answer: C – Update the IT steering committee's formal
charter
Explanation: Updating the charter formalizes authority across all regions, aligning
governance with the new model.
Incorrect Answers:
A. Centers of excellence don't fix governance gaps.
B. Consultants help but don’t directly resolve structure issues.
D. Regional committees may fragment oversight.

Question 205
An organization recently decided to send the backup of its customer relationship
management (CRM) system to its cloud provider for recovery. Which of the following
should be of GREATEST concern to an IS auditor reviewing this process?
A. Testing of restore data has not been performed
B. Validation of backup data has not been performed
C. Backups are sent and stored in unencrypted format
D. The cloud provider is located in a different country
Correct Answer: C – Backups are sent and stored in unencrypted
format
Explanation: Unencrypted backups risk exposure of sensitive data in transit or
storage, posing a major security threat.
Incorrect Answers:
A. Testing is important but secondary to data protection.
B. Validation helps ensure accuracy but not confidentiality.
D. Location concerns are legal, not directly a security issue.

Question 206
A checksum is classified as which type of control?
A. Preventive control
B. Detective control
C. Administrative control
D. Corrective control
Correct Answer: B – Detective control
Explanation: Checksums detect data integrity issues after transmission or storage.
Incorrect Answers:
A. Preventive controls stop issues; checksums detect them.
C. Administrative controls are policy-related.
D. Corrective controls address issues after detection.

Question 207
During a follow-up audit, an IS auditor finds that some critical recommendations
have not been addressed as management has decided to accept the risk. Which of the
following is the IS auditor's BEST course of action?
A. Adjust the annual risk assessment accordingly
B. Require the auditee to address the recommendations in full
C. Evaluate senior management's acceptance of the risk
D. Update the audit program based on management's acceptance of risk
Correct Answer: C – Evaluate senior management's acceptance of the
risk
Explanation: The auditor must assess whether management's acceptance is
documented, justified, and properly authorized.
Incorrect Answers:
A. Risk assessment update comes after evaluation.
B. Requiring action overrides management discretion.
D. Audit program should reflect evaluated decisions.

Question 208
Management has asked internal audit to prioritize and perform a specialized
cybersecurity audit, but the IS audit team has no experience in this area. Which of
the following is the BEST course of action?
A. Delay the audit until the IS auditors are sufficiently trained
B. Delay the audit until an experienced IS auditor has been hired
C. Perform the audit as requested using third-party support
D. Perform the audit with the most experienced IS auditors
Correct Answer: C – Perform the audit as requested using third-party
support
Explanation: Engaging external experts ensures audit quality without delay, while
maintaining independence and competence.
Incorrect Answers:
A. Training delays urgent audits.
B. Hiring takes time.
D. Inexperienced auditors may miss key findings.

Question 209
When implementing a new IT maturity model, which of the following should occur
FIRST?
A. Determine the model elements to be evaluated
B. Benchmark with industry peers
C. Define the target IT maturity level
D. Develop performance metrics
Correct Answer: A – Determine the model elements to be evaluated
Explanation: Defining what to evaluate is foundational for all further actions in
maturity modeling.
Incorrect Answers:
B. Benchmarking follows element identification.
C. Target maturity needs a baseline.
D. Metrics come after defining scope.

Question 210
When reviewing an organization's information security policies, an IS auditor should
verify that the policies have been defined PRIMARILY on the basis of:
A. An information security framework
B. Past information security incidents
C. A risk management process
D. Industry best practices
Correct Answer: C – A risk management process
Explanation: Policies should be tailored to actual risks the organization faces,
ensuring relevance and effectiveness.
Incorrect Answers:
A. Frameworks guide structure but not content priorities.
B. Past incidents inform but don't drive policy creation.
D. Best practices are generic; risk-based policies are contextual.
Question 211
An organization that has suffered a cyberattack is performing a forensic analysis of
the affected users' computers. Which of the following should be of GREATEST
concern for the IS auditor reviewing this process?
A. The chain of custody has not been documented
B. An imaging process was used to obtain a copy of the data from each computer
C. Audit was only involved during extraction of the information
D. The legal department has not been engaged
Correct Answer: A – The chain of custody has not been documented
Explanation: Without a documented chain of custody, forensic evidence may not be
admissible in legal proceedings and could be challenged.
Incorrect Answers:
B. Imaging is standard practice and preserves integrity.
C. Limited audit involvement is not critical in forensic processes.
D. Legal involvement is important, but chain of custody is fundamental.

Question 212
The members of an emergency incident response team should be:
A. Assigned at the time of each incident
B. Appointed by the CISO
C. Restricted to IT personnel
D. Selected from multiple departments
Correct Answer: D – Selected from multiple departments
Explanation: Incident response requires a multidisciplinary team including legal,
communications, HR, and IT to handle all aspects of an incident.
Incorrect Answers:
A. Pre-identified teams ensure quick response.
B. While the CISO may appoint members, diversity is key.
C. IT-only teams lack needed perspectives.

Question 213
Which of the following is the BEST indicator that an application system’s agreed-
upon level of service has been met?
A. Transaction response time
B. Bandwidth usage logs
C. CPU utilization reports
D. Security incident reports
Correct Answer: A – Transaction response time
Explanation: Response time directly reflects user experience and service level
objectives defined in SLAs.
Incorrect Answers:
B. Bandwidth logs are indirect indicators.
C. CPU usage doesn’t reflect service quality.
D. Security incidents relate to security, not performance.

Question 214
The PRIMARY benefit to using a dry-pipe fire-suppression system rather than a wet-
pipe system is that a dry-pipe system:
A. Disperses dry chemical suppressants exclusively
B. Has a decreased risk of leakage
C. Allows more time to abort release of the suppressant
D. Is more effective at suppressing flames
Correct Answer: B – Has a decreased risk of leakage
Explanation: Dry-pipe systems only fill with water when activated, reducing the
risk of accidental water damage.
Incorrect Answers:
A. Dry-pipe systems typically use water, not chemicals.
C. Abort time is not a primary benefit.
D. Effectiveness depends on context, not pipe type.

Question 215
After the merger of two organizations, which of the following is the MOST important
task for an IS auditor to perform?
A. Updating the continuity plan for critical resources
B. Updating the security policy
C. Verifying that access privileges have been reviewed
D. Investigating access rights for expiration dates
Correct Answer: C – Verifying that access privileges have been
reviewed
Explanation: Mergers introduce access risks; reviewing privileges ensures only
appropriate access is granted post-integration.
Incorrect Answers:
A. Important, but secondary to access risk.
B. Security policy update is a long-term task.
D. Expiry checks alone won’t prevent unauthorized access.

Question 216
An organization sends daily backup media by courier to an offsite location. Which of
the following provides the BEST evidence that the media is transported reliably?
A. Documented backup media transport procedures
B. Signed acknowledgments by offsite manager
C. Certification of the courier company
D. Delivery schedule of the backup media
Correct Answer: B – Signed acknowledgments by offsite manager
Explanation: Acknowledgments confirm actual delivery and receipt, providing proof
that transport occurred as intended.
Incorrect Answers:
A. Procedures don’t confirm execution.
C. Certification speaks to vendor credibility, not proof.
D. Schedules don’t verify completion.

Question 217
As part of a recent business-critical initiative, an organization is re-purposing its
customer data. However, its customers are unaware that their data is being used for
another purpose. What is the BEST recommendation to address the associated data
privacy risk to the organization?
A. Ensure the data processing activity remains onshore
B. Maintain an audit trail of the data analysis activity
C. Obtain customer consent for secondary use of the data
D. Adjust the existing data retention requirements
Correct Answer: C – Obtain customer consent for secondary use of the
data
Explanation: Secondary use of personal data requires explicit consent under most
privacy regulations.
Incorrect Answers:
A. Jurisdiction doesn’t address consent.
B. Audit trails provide tracking, not authorization.
D. Retention is unrelated to repurposing.

Question 218
An organization has adopted a backup and recovery strategy that involves copying
on-premise virtual machine (VM) images to a cloud service provider. Which of the
following provides the BEST assurance that VMs can be recovered in the event of a
disaster?
A. Existence of a disaster recovery plan (DRP) with specified roles for emergencies
B. Periodic on-site restoration of VM images obtained from the cloud provider
C. Procurement of adequate storage for the VM images from the cloud service
provider
D. Inclusion of the right to audit in the cloud service provider contract
Correct Answer: B – Periodic on-site restoration of VM images
obtained from the cloud provider
Explanation: Regular recovery testing confirms that backups are usable and meet
recovery objectives.
Incorrect Answers:
A. DRPs define roles but don’t confirm recoverability.
C. Storage space doesn’t ensure recovery success.
D. Audit rights relate to oversight, not functionality.

Question 219
During the implementation of an enterprise resource planning (ERP) system, an IS
auditor is reviewing the results of user acceptance testing (UAT). The auditor’s
PRIMARY focus should be to determine if:
A. Application interfaces have been satisfactorily tested
B. All errors found in the testing process have been corrected
C. The business process owner has signed off on the results
D. System integration testing was performed
Correct Answer: C – The business process owner has signed off on the
results
Explanation: Business owner sign-off indicates acceptance and accountability that
system requirements are met.
Incorrect Answers:
A. Interface testing is part of UAT but not the main assurance.
B. Corrections are expected but not the final decision factor.
D. Integration testing occurs earlier in the process.

Question 220
A help desk has been contacted regarding a lost business mobile device. The FIRST
course of action should be to:
A. Consult the legal team regarding the impact of intellectual property loss
B. Verify the user's identity through a challenge response system
C. Involve the security response team to launch an investigation
D. Attempt to locate the device remotely
Correct Answer: D – Attempt to locate the device remotely
Explanation: Immediate response to minimize loss involves locating or locking the
device remotely.
Incorrect Answers:
A. Legal review comes later.
B. Identity confirmation delays response.
C. Investigation follows containment.

Question 221
When conducting a requirements analysis for a project, the BEST approach would be
to:
A. Conduct a control self-assessment (CSA)
B. Test operational deliverables
C. Prototype the requirements
D. Consult key stakeholders
Correct Answer: D – Consult key stakeholders
Explanation: Consulting key stakeholders ensures the requirements align with
business needs and expectations.
Incorrect Answers:
A. CSA is used for control evaluation, not requirement gathering.
B. Testing operational deliverables is done later in the lifecycle.
C. Prototyping is useful but follows after understanding needs.

Question 222
When evaluating information security governance within an organization, which of
the following findings should be of MOST concern to an IS auditor?
A. An information security governance audit was not conducted within the past year
B. Information security policies are updated annually
C. The data center manager has final sign-off on security projects
D. The information security department has difficulty filling vacancies
Correct Answer: C – The data center manager has final sign-off on
security projects
Explanation: Sign-off on security initiatives should be governed by independent
oversight, not by operations personnel, to avoid conflicts of interest.
Incorrect Answers:
A. Annual audits are not always mandatory.
B. Annual updates are acceptable if risks are assessed.
D. Staffing concerns are secondary to governance issues.

Question 223
During a post-implementation review, an IS auditor learns that while benefits were
realized according to the business case, complications during implementation added
to the cost of the solution. Which of the following is the auditor's BEST course of
action?
A. Design controls that will prevent future added costs
B. Verify that lessons learned were documented for future projects
C. Determine if project deliverables were provided on time
D. Ensure costs related to the complications were subtracted from realized benefits
Correct Answer: B – Verify that lessons learned were documented for
future projects
Explanation: Capturing lessons learned helps prevent similar issues in future
projects and supports organizational learning.
Incorrect Answers:
A. Control design is not the auditor's role.
C. Timeliness may be irrelevant if objectives were met.
D. Subtracting costs is a management responsibility.

Question 224
When reviewing an organization's IT governance processes, which of the following
provides the BEST indication that information security expectations are being met
at all levels?
A. Achievement of established security metrics
B. Approval of the security program by senior management
C. Utilization of an internationally recognized security standard
D. Implementation of a comprehensive security awareness program
Correct Answer: A – Achievement of established security metrics
Explanation: Metrics provide objective, measurable evidence of whether goals and
expectations are being met.
Incorrect Answers:
B. Approval alone does not ensure outcomes.
C. Adoption of standards is not proof of effectiveness.
D. Awareness is necessary but not a key measure of expectation fulfillment.

Question 225
When assessing whether an organization's IT performance measures are comparable
to other organizations in the same industry, which of the following would be MOST
helpful to review?
A. Balanced scorecard
B. IT governance frameworks
C. Benchmarking surveys
D. Utilization reports
Correct Answer: C – Benchmarking surveys
Explanation: Benchmarking allows comparison of performance metrics against
industry peers.
Incorrect Answers:
A. Balanced scorecards show internal performance.
B. Frameworks help guide practices, not measure them.
D. Utilization reports are internal usage metrics.

Question 226
An employee approaches an IS auditor and expresses concern about a critical security
issue in a newly installed application. Which of the following would be the MOST
appropriate action for the auditor to take?
A. Discuss the concern with audit management
B. Recommend reverting to the previous application
C. Immediately conduct a review of the application
D. Discuss the concern with additional end users
Correct Answer: A – Discuss the concern with audit management
Explanation: Escalating the concern through the proper audit channel ensures
objectivity and formal handling.
Incorrect Answers:
B. Immediate action is not within the auditor's scope.
C. A formal review requires planning.
D. Input from other users is not the priority at this point.

Question 227
An organization has outsourced its data processing function to a service provider.
Which of the following would BEST determine whether the service provider continues
to meet the organization's objectives?
A. Periodic audits of controls by an independent auditor
B. Adequacy of the service provider's insurance
C. Assessment of the personnel training processes of the provider
D. Review of performance against service level agreements (SLAs)
Correct Answer: D – Review of performance against service level
agreements (SLAs)
Explanation: SLAs provide clear expectations and performance metrics agreed upon
by both parties.
Incorrect Answers:
A. Audits may not cover day-to-day performance.
B. Insurance helps with risk transfer, not service alignment.
C. Training is important but doesn’t directly verify outcomes.

Question 228
The PRIMARY objective of value delivery in reference to IT governance is to:
A. Increase efficiency
B. Optimize investments
C. Ensure compliance
D. Promote best practices
Correct Answer: B – Optimize investments
Explanation: Value delivery ensures IT investments contribute to business value
and are cost-effective.
Incorrect Answers:
A. Efficiency is one aspect of optimization.
C. Compliance is part of risk management.
D. Best practices support governance but are not the main goal.
Question 229
What is the MAIN purpose of an organization's internal IS audit function?
A. Provide assurance to management about the effectiveness of the organization's
risk management and internal controls
B. Identify and initiate necessary changes in the control environment to help ensure
sustainable improvement
C. Review the organization's policies and procedures against industry best practice
and standards
D. Independently attest the organization's compliance with applicable legal and
regulatory requirements
Correct Answer: A – Provide assurance to management about the
effectiveness of the organization's risk management and internal controls
Explanation: The primary goal is to assess and report on risk and control
effectiveness to senior management.
Incorrect Answers:
B. Auditors recommend but do not initiate changes.
C. Comparing to standards is part of evaluation, not the main goal.
D. Attestation is external auditor territory.

Question 230
Following a recent internal data breach, an IS auditor was asked to evaluate
information security practices within the organization. Which of the following
findings would be MOST important to report to senior management?
A. Employees are not required to sign a non-compete agreement
B. Security education and awareness workshops have not been completed
C. Users lack technical knowledge related to security and data protection
D. Desktop passwords do not require special characters
Correct Answer: B – Security education and awareness workshops
have not been completed
Explanation: Awareness training is a fundamental layer of defense; lack of it
increases human error risk.
Incorrect Answers:
A. Non-compete agreements are legal concerns.
C. Technical training helps, but general awareness is broader.
D. Password complexity is important but not as impactful as lack of awareness.

Question 231
A business unit cannot achieve desired segregation of duties between operations and
programming due to size constraints. Which of the following is MOST important for
the IS auditor to identify?
A. Unauthorized user controls
B. Compensating controls
C. Controls over operational effectiveness
D. Additional control weaknesses
Correct Answer: B – Compensating controls
Explanation: When segregation of duties isn't possible due to organizational
limitations, compensating controls are crucial to mitigate the risks.
Incorrect Answers:
A. Unauthorized controls are a symptom, not a mitigation strategy.
C. Operational effectiveness is important, but not the primary concern in this
context.
D. Identifying more weaknesses is useful but not a solution.

Question 232
The BEST way to determine whether programmers have permission to alter data in
the production environment is by reviewing:
A. the access control system's configuration.
B. how the latest system changes were implemented.
C. the access rights that have been granted.
D. the access control system's log settings.
Correct Answer: C – The access rights that have been granted
Explanation: Access rights provide definitive information on who has what
permissions, making it the best indicator.
Incorrect Answers:
A. System configuration shows the structure, not individual permissions.
B. Reviewing changes may show process adherence but not permissions.
D. Logs may show usage but not direct permission levels.

Question 233
Several unattended laptops containing sensitive customer data were stolen from
personnel offices. Which of the following would be an IS auditor's BEST
recommendation to protect data in case of recurrence?
A. Enhance physical security.
B. Require the use of cable locks.
C. Require two-factor authentication.
D. Encrypt the disk drive.
Correct Answer: D – Encrypt the disk drive
Explanation: Disk encryption protects data even if the device is stolen, making it
the most effective control.
Incorrect Answers:
A. Physical security helps, but it can be bypassed.
B. Cable locks delay theft but don’t protect data.
C. 2FA is for access control, not data at rest.
Question 234
When classifying information, it is MOST important to align the classification to:
A. business risk.
B. data retention requirements.
C. industry standards.
D. security policy.
Correct Answer: A – Business risk
Explanation: Classification should reflect the potential impact on the organization,
which is tied to business risk.
Incorrect Answers:
B. Retention is a secondary concern.
C. Standards guide but don’t drive classification.
D. Policies are shaped by classification, not the other way around.

Question 235
An organization's information security department has recently created a centralized
governance model to ensure that network-related findings are remediated within the
service level agreement (SLA). What should the IS auditor use to assess the maturity
and capability of this governance model?
A. Key risk indicators (KRIs)
B. Key process controls
C. Key data elements
D. Key performance indicators (KPIs)
Correct Answer: D – Key performance indicators (KPIs)
Explanation: KPIs measure progress and effectiveness, making them ideal for
assessing governance maturity.
Incorrect Answers:
A. KRIs focus on risks, not performance.
B. Controls are mechanisms, not indicators.
C. Data elements are input, not performance metrics.

Question 236
The performance, risks, and capabilities of an IT infrastructure are BEST measured
using a:
A. risk management review.
B. control self-assessment (CSA).
C. service level agreement (SLA).
D. balanced scorecard.
Correct Answer: D – Balanced scorecard
Explanation: A balanced scorecard provides a multidimensional view of IT
performance, including risk and capability.
Incorrect Answers:
A. Risk reviews focus narrowly on risk.
B. CSA is useful but subjective.
C. SLAs only measure agreed service targets.

Question 237
To develop meaningful recommendations for findings, which of the following is MOST
important for an IS auditor to determine and understand?
A. Criteria
B. Responsible party
C. Impact
D. Root cause
Correct Answer: D – Root cause
Explanation: Understanding the root cause ensures that recommendations address
the underlying issue.
Incorrect Answers:
A. Criteria define standards but don’t solve problems.
B. Responsibility matters later, not in defining recommendations.
C. Impact explains severity but not cause.

Question 238
An organization allows employees to use personally owned mobile devices to access
customers' personal information. Which of the following is MOST important for an
IS auditor to verify?
A. Employees have signed off on an acceptable use policy.
B. Devices have adequate storage and backup capabilities.
C. Mobile devices are compatible with company infrastructure.
D. Mobile device security policies have been implemented.
Correct Answer: D – Mobile device security policies have been
implemented
Explanation: Without enforced security policies, personal devices can pose serious
risks to customer data.
Incorrect Answers:
A. Policies are only effective if implemented.
B. Backup isn’t the main risk with personal data.
C. Compatibility doesn’t address security.

Question 239
When is the BEST time to commence continuity planning for a new application
system?
A. Immediately after implementation
B. Following successful user testing
C. During the design phase
D. Just prior to the handover to the system maintenance group
Correct Answer: C – During the design phase
Explanation: Early integration of continuity planning ensures it is baked into the
system’s architecture and requirements.
Incorrect Answers:
A. Too late; risks are already present.
B. Testing comes after design.
D. Maintenance handover is post-development.

Question 240
Prior to the migration of acquired software into production, it is MOST important
that the IS auditor review the:
A. user acceptance test (UAT) report.
B. vendor testing report.
C. system documentation.
D. source code escrow agreement.
Correct Answer: A – User acceptance test (UAT) report
Explanation: UAT verifies that the software meets business needs before production
use.
Incorrect Answers:
B. Vendor testing is not sufficient.
C. Documentation supports but doesn’t validate functionality.
D. Escrow is for continuity, not readiness.

Question 241
Which type of attack poses the GREATEST risk to an organization's most sensitive
data?
A. Spear phishing attack
B. Insider attack
C. Password attack
D. Eavesdropping attack
Correct Answer: B – Insider attack
Explanation: Insider attacks are highly dangerous because insiders have legitimate
access to sensitive systems and data.
Incorrect Answers:
A. Spear phishing is targeted but still external.
C. Password attacks are mitigated by controls.
D. Eavesdropping may capture data but is harder to perform at scale.
Question 242
Using swipe cards to limit employee access to restricted areas requires implementing
which additional control?
A. Physical sign-in of all employees for access to restricted areas
B. Initial escort of all new hires by a current employee
C. Periodic review of access profiles by management
D. Employee-access criteria determined on the basis of IS experience
Correct Answer: C – Periodic review of access profiles by management
Explanation: Periodic reviews ensure that access rights are still appropriate and
aligned with employee responsibilities.
Incorrect Answers:
A. Physical sign-in is useful but less effective for validation.
B. Escorts are a one-time measure.
D. Experience does not determine access rights.

Question 243
To enable the alignment of IT staff development plans with IT strategy, which of the
following should be done FIRST?
A. Include strategic objectives in IT staff performance objectives.
B. Review IT staff job descriptions for alignment.
C. Identify required IT skill sets that support key business processes.
D. Develop quarterly training for each IT staff member.
Correct Answer: C – Identify required IT skill sets that support key
business processes
Explanation: Identifying skill gaps based on strategic goals allows focused and
relevant development planning.
Incorrect Answers:
A. Comes after identifying skill needs.
B. Job descriptions support but don’t drive training alignment.
D. Training should be based on identified needs.

Question 244
An internal audit department reports directly to the chief financial officer (CFO) of
an organization. This MOST likely leads to:
A. audit findings becoming more business-oriented.
B. concern over the independence of the auditor.
C. audit recommendations receiving greater attention.
D. biased audit findings and recommendations.
Correct Answer: B – Concern over the independence of the auditor
Explanation: Reporting to a senior manager involved in operations may impair the
independence of the audit function.
Incorrect Answers:
A. Business orientation is not a primary concern.
C. Attention to recommendations does not assure independence.
D. Bias is possible but the core issue is independence.

Question 245
An internal audit department recently established a quality assurance (QA) program.
Which of the following activities is MOST important to include as part of the QA
program requirements?
A. Long-term internal audit resource planning
B. Feedback from internal audit staff
C. Analysis of user satisfaction reports from business lines
D. Ongoing monitoring of the audit activities
Correct Answer: D – Ongoing monitoring of the audit activities
Explanation: Ongoing monitoring ensures that audit activities consistently adhere
to standards and continuously improve.
Incorrect Answers:
A. Resource planning is useful but not QA-specific.
B. Feedback helps improvement but is supplementary.
C. User satisfaction is not a core QA indicator.

Question 246
While planning a review of IT governance, the IS auditor is MOST likely to:
A. obtain information about the framework of control adopted by management.
B. examine audit committee minutes for IS-related matters and their control.
C. assess whether business process owner responsibilities are consistent across the
organization.
D. review compliance with policies and procedures issued by the board of directors.
Correct Answer: A – Obtain information about the framework of
control adopted by management
Explanation: The control framework reveals how IT governance is structured and
measured, which is essential for planning the audit.
Incorrect Answers:
B. Audit committee minutes are supplemental.
C. Role consistency may be checked later.
D. Policy compliance is part of execution, not planning.

Question 247
Many departments of an organization have not implemented audit recommendations
by their agreed upon target dates. Who should address this situation?
A. Head of internal audit
B. External auditor
C. Department managers
D. Senior management
Correct Answer: D – Senior management
Explanation: Senior management is accountable for ensuring organizational units
follow through on audit recommendations.
Incorrect Answers:
A. Internal audit reports findings but cannot enforce implementation.
B. External auditors are not responsible for internal follow-up.
C. Managers carry out actions but are overseen by senior leadership.

Question 248
An advantage of object-oriented system development is that it:
A. is easier to code than procedural languages.
B. partitions systems into a client/server architecture.
C. decreases the need for system documentation.
D. is suited to data with complex relationships.
Correct Answer: D – Is suited to data with complex relationships
Explanation: Object-oriented development models complex data relationships more
naturally and intuitively.
Incorrect Answers:
A. Ease of coding depends on the developer’s skill.
B. Architecture is unrelated to the development method.
C. Documentation is still necessary regardless of methodology.

Question 249
Which of the following MUST be completed as part of the annual audit planning
process?
A. Fieldwork
B. Risk control matrix
C. Risk assessment
D. Business impact analysis (BIA)
Correct Answer: C – Risk assessment
Explanation: Annual audit planning should be based on risk assessment to
prioritize audit activities appropriately.
Incorrect Answers:
A. Fieldwork happens after planning.
B. Control matrices are used within audits.
D. BIA is for continuity, not audit planning.

Question 250
Code changes are compiled and placed in a change folder by the developer. An
implementation team migrates changes to production from the change folder. Which
of the following BEST indicates separation of duties is in place during the migration
process?
A. A second individual performs code review before the change is released to
production.
B. The implementation team does not have access to change the source code.
C. The implementation team does not have experience writing code.
D. The developer approves changes prior to moving them to the change folder.
Correct Answer: B – The implementation team does not have access
to change the source code
Explanation: Preventing the implementation team from modifying code maintains
proper separation of duties.
Incorrect Answers:
A. Code review supports quality but doesn’t enforce SoD.
C. Experience level is irrelevant to access rights.
D. Developer approval does not assure separation.

Question 251
Management has decided to include a compliance manager in the approval process
for a new business that may require changes to the IT infrastructure. Which of the
following is the GREATEST benefit of this approach?
A. Process accountabilities to external stakeholders are improved.
B. Security breach incidents can be identified in early stages.
C. Regulatory risk exposures can be identified before they materialize.
D. Fewer reviews are needed when updating the IT compliance process.
Correct Answer: C – Regulatory risk exposures can be identified
before they materialize
Explanation: Involving the compliance manager early helps proactively identify and
mitigate regulatory risks before they become issues.
Incorrect Answers:
A. External accountability is indirect.
B. Security breaches are typically detected through monitoring, not approvals.
D. Reviews may still be necessary even with early involvement.

Question 252
Malicious program code was found in an application and corrected prior to release
into production. After the release, the same issue was reported. Which of the
following is the IS auditor's BEST recommendation?
A. Ensure corrected program code is compiled in a dedicated server.
B. Ensure change management reports are independently reviewed.
C. Ensure programmers cannot access code after the completion of program edits.
D. Ensure the business signs off on end-to-end user acceptance test (UAT) results.
 Correct Answer: C – Ensure programmers cannot access code after
the completion of program edits
Explanation: Preventing programmers from accessing production code after edits
ensures changes cannot be maliciously or accidentally undone.
Incorrect Answers:
A. Compilation servers are secondary controls.
B. Report reviews don’t prevent code reintroduction.
D. UAT focuses on functionality, not development control.

Question 253
For an organization that has plans to implement web-based trading, it would be
MOST important for an IS auditor to verify the organization's information security
plan includes:
A. security training prior to implementation
B. the firewall configuration for the web server
C. security requirements for the new application
D. attributes for system passwords
Correct Answer: C – Security requirements for the new application
Explanation: Security should be built into the design phase. Requirements define
what protections are needed throughout the system.
Incorrect Answers:
A. Training is important but secondary to foundational design.
B. Firewall configuration is tactical, not strategic.
D. Password attributes are too narrow.

Question 254
Which cloud deployment model is MOST likely to be limited in scalability?
A. Hybrid
B. Private
C. Community
D. Public
Correct Answer: B – Private
Explanation: Private clouds have finite resources and are generally limited to the
owning organization, restricting scalability.
Incorrect Answers:
A. Hybrid leverages multiple models.
C. Community clouds can share across groups.
D. Public clouds are highly scalable.

Question 255
After the release of an application system, an IS auditor wants to verify that the
system is providing value to the organization. The auditor's BEST course of action
would be to:
A. review the results of compliance testing
B. perform a gap analysis against the benefits defined in the business case
C. quantify improvements in client satisfaction
D. confirm that risk has declined since the application system release
Correct Answer: B – Perform a gap analysis against the benefits
defined in the business case
Explanation: A gap analysis compares expected and actual results, validating
whether the investment delivered intended value.
Incorrect Answers:
A. Compliance is unrelated to value realization.
C. Client satisfaction is useful but less objective.
D. Risk reduction is one aspect, not the full picture.

Question 256
A chief information officer (CIO) has asked an IS auditor to implement several
security controls for an organization's IT processes and systems. The auditor should:
A. refuse due to independence issues.
B. communicate the conflict of interest to audit management.
C. perform the assignment and future audits with the due professional care.
D. obtain approval from executive management for the implementation.
Correct Answer: B – Communicate the conflict of interest to audit
management
Explanation: Performing implementation would compromise audit independence.
Reporting the conflict maintains objectivity.
Incorrect Answers:
A. Refusing is premature without proper escalation.
C. Performing the assignment violates independence.
D. Approval doesn't eliminate the conflict.

Question 257
An algorithm in an email program analyzes traffic to quarantine emails identified as
spam. The algorithm in the program is BEST characterized as which type of control?
A. Detective
B. Directive
C. Preventive
D. Corrective
Correct Answer: C – Preventive
Explanation: The control prevents spam from reaching users by acting before harm
occurs.
Incorrect Answers:
A. Detective controls identify issues after they occur.
B. Directive controls guide behavior, not block threats.
D. Corrective actions restore systems after events.

Question 258
During the implementation of a new system, an IS auditor must assess whether
certain automated calculations comply with the regulatory requirements. Which of
the following is the BEST way to obtain this assurance?
A. Re-perform the calculation with audit software
B. Review the source code related to the calculation
C. Review sign-off documentation
D. Inspect user acceptance test (UAT) results
Correct Answer: A – Re-perform the calculation with audit software
Explanation: Independent recalculation validates whether the results comply with
regulatory formulas.
Incorrect Answers:
B. Code review shows logic but not output accuracy.
C. Sign-offs are subjective and may miss errors.
D. UAT checks functionality, not regulatory compliance.

Question 259
When testing the adequacy of tape backup procedures, which step BEST verifies that
regularly scheduled backups are timely and run to completion?
A. Reviewing a sample of system-generated backup logs
B. Interviewing key personnel involved in the backup process
C. Observing the execution of a daily backup run
D. Evaluating the backup policies and procedures
Correct Answer: A – Reviewing a sample of system-generated backup
logs
Explanation: Logs offer objective, historical data on backup success and
completion.
Incorrect Answers:
B. Interviews are subjective.
C. Observation captures one point in time.
D. Policies don’t verify execution.

Question 260
During the planning stage of a compliance audit, an IS auditor discovers that a
bank's inventory of compliance requirements does not include recent regulatory
changes related to managing data risk. What should the auditor do FIRST?
A. Ask management why the regulatory changes have not been included
B. Report the missing regulatory updates to the chief information officer (CIO)
C. Discuss potential regulatory issues with the legal department
D. Exclude recent regulatory changes from the audit scope
Correct Answer: A – Ask management why the regulatory changes
have not been included
Explanation: Engaging management helps determine whether the issue is oversight
or intentional.
Incorrect Answers:
B. Escalating before understanding may be premature.
C. Legal input may come after management clarification.
D. Excluding changes without investigation undermines audit integrity.

Question 261
An organization has replaced all of the storage devices at its primary data center
with new, higher capacity units. The replaced devices have been installed at the
disaster recovery site to replace older units. An IS auditor's PRIMARY concern
would be whether:
A. The recovery site devices can handle the storage requirements
B. The procurement was in accordance with corporate policies and procedures
C. The relocation plan has been communicated to all concerned parties
D. A hardware maintenance contract is in place for both old and new storage devices
Correct Answer: A – The recovery site devices can handle the storage
requirements
Explanation: Ensuring that the DR site can accommodate the current and future
data needs is essential for business continuity.
Incorrect Answers:
B. Policy compliance is important but not critical in this scenario.
C. Communication is relevant, but storage capability is more critical.
D. Maintenance contracts matter, but don’t address capacity adequacy.

Question 262
Which of the following should be of GREATEST concern to an IS auditor reviewing
data conversion and migration during the implementation of a new application
system?
A. Data conversion was performed using manual processes
B. Unauthorized data modifications occurred during conversion
C. The change management process was not formally documented
D. Backups of the old system and data are not available online
Correct Answer: B – Unauthorized data modifications occurred during
conversion
Explanation: Unauthorized changes can compromise data integrity and introduce
compliance risks.
Incorrect Answers:
A. Manual processes increase error risk but don’t imply compromise.
C. Documentation is important, but unauthorized change is more severe.
D. Online backup availability is secondary to data integrity.

Question 263
When auditing the alignment of IT to the business strategy, it is MOST important
for the IS auditor to:
A. Ensure an IT steering committee is appointed to monitor new IT projects
B. Evaluate deliverables of new IT initiatives against planned business services
C. Interview senior managers for their opinion of the IT function
D. Compare the organization's strategic plan against industry best practice
Correct Answer: B – Evaluate deliverables of new IT initiatives
against planned business services
Explanation: This ensures that IT is actively supporting business goals and
delivering expected value.
Incorrect Answers:
A. Governance structure is useful but indirect.
C. Interviews are subjective.
D. Industry best practices don’t confirm internal alignment.

Question 264
An organization is acquiring a new customer relationship management (CRM)
system. In which of the following would the IS auditor find the MOST relevant
information on projected cost savings?
A. Request for proposal (RFP)
B. Feasibility study document
C. Business case
D. Results of prototype testing
Correct Answer: C – Business case
Explanation: The business case outlines expected financial and operational benefits,
including cost savings.
Incorrect Answers:
A. RFP focuses on vendor responses.
B. Feasibility discusses practicality, not specific savings.
D. Prototype results assess functionality, not financial value.

Question 265
During the implementation of an upgraded enterprise resource planning (ERP)
system, which of the following is the MOST important consideration for a go-live
decision?
A. Post-implementation review objectives
B. Business case
C. Rollback strategy
D. Test cases
Correct Answer: C – Rollback strategy
Explanation: A rollback strategy ensures that the organization can recover if the
go-live fails.
Incorrect Answers:
A. Review objectives occur after go-live.
B. Business case justifies the project, not readiness.
D. Test cases are important but are part of a broader readiness check.

Question 266
When reviewing the functionality of an intrusion detection system (IDS), the IS
auditor should be MOST concerned if:
A. Legitimate packets blocked by the system have increased
B. False positives have been reported
C. Detected events have increased
D. Actual attacks have not been identified
Correct Answer: D – Actual attacks have not been identified
Explanation: Failing to detect real threats undermines the purpose of IDS, posing
major security risk.
Incorrect Answers:
A. Blocking legitimate traffic is disruptive, but less severe.
B. False positives are manageable with tuning.
C. Increased events may signal effectiveness, not failure.

Question 267
An organization is disposing of a system containing sensitive data and has deleted all
files from the hard disk. An IS auditor should be concerned because:
A. Deleted data cannot easily be retrieved
B. Backup copies of files were not deleted as well
C. Deleting all files separately is not as efficient as formatting the hard disk
D. Deleting the files logically does not overwrite the files' physical data
Correct Answer: D – Deleting the files logically does not overwrite the
files' physical data
Explanation: Logical deletion does not remove actual data, making recovery
possible with forensic tools.
Incorrect Answers:
A. Deleted data can be recovered.
B. Backups are another issue, not this specific risk.
C. Efficiency is not the concern; secure erasure is.

Question 268
What is the MOST difficult aspect of access control in a multiplatform, multiple-site
client/server environment?
A. Restricting a local user to necessary resources on a local platform
B. Creating new user IDs valid only on a few hosts
C. Maintaining consistency throughout all platforms
D. Restricting a local user to necessary resources on the host server
Correct Answer: C – Maintaining consistency throughout all platforms
Explanation: Consistency is complex due to varied systems, policies, and
permissions across sites.
Incorrect Answers:
A & D. These are technical tasks, not systemic challenges.
B. Local ID creation is less complex than system-wide consistency.

Question 269
Following significant business model changes, which of the following is the MOST
important consideration when updating the IT policy?
A. The policy is endorsed by IT leadership
B. The policy is compliant with relevant laws and regulations
C. The policy is integrated into job descriptions
D. The policy is aligned with industry standards and best practice
Correct Answer: B – The policy is compliant with relevant laws and
regulations
Explanation: Legal compliance is paramount, especially after business changes that
might trigger new obligations.
Incorrect Answers:
A. Leadership support is good but not primary.
C. Integration helps implementation, but not legality.
D. Best practice is helpful, but not mandatory.

Question 270
During the design phase of a software development project, the PRIMARY
responsibility of an IS auditor is to evaluate the:
A. Development methodology employed
B. Controls incorporated into the system specifications
C. Future compatibility of the design
D. Proposed functionality of the application
Correct Answer: B – Controls incorporated into the system
specifications
Explanation: Ensuring that controls are integrated early supports security and
audit readiness.
Incorrect Answers:
A. Methodology guides process but not controls.
C. Compatibility is not the auditor's main concern.
D. Functionality is the business' responsibility.

Question 271
During an audit of a disaster recovery plan (DRP) for a critical business area, an IS
auditor finds that not all critical systems are covered. What should the auditor do
NEXT?
A. Evaluate the impact of not covering the systems
B. Escalate the finding to senior management
C. Evaluate the prior year's audit results regarding critical system coverage
D. Verify whether the systems are part of the business impact analysis (BIA)
Correct Answer: D – Verify whether the systems are part of the
business impact analysis (BIA)
Explanation: The BIA determines system criticality and drives DRP coverage.
Ensuring these systems were properly assessed is foundational.
Incorrect Answers:
A. Impact evaluation is relevant but premature.
B. Escalation should follow validation.
C. Prior audit results may not reflect current needs.

Question 272
Due to a recent business divestiture, an organization has limited IT resources to
deliver critical projects. Reviewing the IT staffing plan against which of the following
would BEST guide IT management when estimating resource requirements for future
projects?
A. Peer organization staffing benchmarks
B. Human resources (HR) sourcing strategy
C. Budgeted forecast for the next financial year
D. Records of actual time spent on projects
Correct Answer: D – Records of actual time spent on projects
Explanation: Actual historical data offers reliable insight into effort requirements
and aids in accurate planning.
Incorrect Answers:
A. Benchmarks offer comparisons but may not reflect internal efficiency.
B. HR strategy is long-term, not project-specific.
C. Budget forecasts help planning, not effort estimation.
Question 273
A bank's web-hosting provider has just completed an internal IT security audit and
provides only a summary of the findings to the bank's auditor. Which of the
following should be the bank's GREATEST concern?
A. The audit scope may not have addressed critical areas
B. The audit procedures are not provided to the bank
C. The bank's auditors are not independent of the service provider
D. The audit may be duplicative of the bank's internal audit procedures
Correct Answer: A – The audit scope may not have addressed critical
areas
Explanation: A limited or misaligned audit scope can overlook important risks,
making summary reports insufficient.
Incorrect Answers:
B. Procedure detail helps, but scope is critical.
C. Auditor independence of the host provider isn't assumed.
D. Duplication isn’t as significant as scope omissions.

Question 274
An incorrect version of source code was amended by a development team. This
MOST likely indicates a weakness in:
A. Change management
B. Project management
C. Incident management
D. Quality assurance (QA)
Correct Answer: A – Change management
Explanation: Managing versions and ensuring only approved code is changed is
central to change management.
Incorrect Answers:
B. Project management deals with broader delivery timelines and resources.
C. Incident management deals with problems, not changes.
D. QA finds defects but doesn’t manage deployment.

Question 275
An organization allows employees to retain confidential data on personal mobile
devices. Which of the following is the BEST recommendation to mitigate the risk of
data leakage from lost or stolen devices?
A. Configure to auto-wipe after multiple failed access attempts
B. Require employees to attend security awareness training
C. Enable device auto-lock function
D. Password protect critical data files
Correct Answer: A – Configure to auto-wipe after multiple failed
access attempts
Explanation: Auto-wipe minimizes risk of data exposure after unauthorized access
attempts.
Incorrect Answers:
B. Training helps prevention but not incident response.
C. Auto-lock delays access, not protects data.
D. Passwords alone are insufficient protection.

Question 276
A new regulation in one country of a global organization has recently prohibited
cross-border transfer of personal data. An IS auditor has been asked to determine the
organization's level of exposure in the affected country. Which of the following would
be MOST helpful in making this assessment?
A. Identifying data security threats in the affected jurisdiction
B. Reviewing data classification procedures associated with the affected jurisdiction
C. Identifying business processes associated with personal data exchange with the
affected jurisdiction
D. Developing an inventory of all business entities that exchange personal data with
the affected jurisdiction
Correct Answer: C – Identifying business processes associated with
personal data exchange with the affected jurisdiction
Explanation: Understanding where personal data flows helps assess compliance with
data residency laws.
Incorrect Answers:
A. Threats relate to security, not legal transfer.
B. Classification helps, but doesn’t show flow.
D. Inventory is useful, but process mapping shows actual exposure.

Question 277
When responding to an ongoing denial of service (DoS) attack, an organization's
FIRST course of action should be to:
A. Minimize impact
B. Investigate damage
C. Analyze the attack path
D. Restore service
Correct Answer: A – Minimize impact
Explanation: Immediate priority during a DoS is to contain the disruption and
limit business impact.
Incorrect Answers:
B. Damage assessment follows containment.
C. Analysis is useful but secondary during attack.
D. Restoration follows containment efforts.
Question 278
Which of the following BEST describes an audit risk?
A. The financial report may contain undetected material errors
B. Employees have been misappropriating funds
C. The company is being sued for false accusations
D. Key employees have not taken vacation for 2 years
Correct Answer: A – The financial report may contain undetected
material errors
Explanation: Audit risk is the risk of not detecting material misstatements in
financial reporting.
Incorrect Answers:
B. Misappropriation is a fraud issue, not audit risk itself.
C. Lawsuits relate to legal risk.
D. Vacation patterns are a control red flag, not audit risk.

Question 279
In an IT organization where many responsibilities are shared, which of the following
is the BEST control for detecting unauthorized data changes?
A. Users are required to periodically rotate responsibilities
B. Segregation of duties conflicts are periodically reviewed
C. Data changes are logged in an outside application
D. Data changes are independently reviewed by another group
Correct Answer: D – Data changes are independently reviewed by
another group
Explanation: Independent review ensures oversight, reducing the chance of
unauthorized activity going undetected.
Incorrect Answers:
A. Rotation reduces collusion risk but doesn’t detect changes.
B. SoD review is preventive, not detective.
C. Logging is helpful but needs analysis to detect issues.

Question 280
End users have been demanding the ability to use their own devices for work, but
want to keep personal information out of corporate control. Which of the following
would be MOST effective at reducing the risk of security incidents while satisfying
end user requirements?
A. Encrypt corporate data on the devices
B. Enable remote wipe capabilities for the devices
C. Require complex passwords
D. Implement an acceptable use policy
 Correct Answer: A – Encrypt corporate data on the devices
Explanation: Encryption protects data without giving corporate full control over
personal device content.
Incorrect Answers:
B. Remote wipe may delete personal data, causing resistance.
C. Passwords help but don’t address full security.
D. Policies guide behavior but don’t secure data.

Question 281
Following the sale of a business division, employees will be transferred to a new
organization, but they will retain access to IT equipment from the previous employer.
An IS auditor has recommended that both organizations agree to and document an
acceptable use policy for the equipment. What type of control has been
recommended?
A. Corrective control
B. Preventive control
C. Detective control
D. Directive control
Correct Answer: D – Directive control
Explanation: Directive controls are designed to guide the behavior of employees
through policies and procedures, such as acceptable use agreements.
Incorrect Answers:
A. Corrective controls address issues after they occur.
B. Preventive controls stop issues from occurring but are not necessarily policy-
driven.
C. Detective controls identify issues after they occur.

Question 282
What is the BEST way for an IS auditor to assess the adequacy of an expert
consultant who was selected to be involved in an audit engagement?
A. Obtain an understanding of the expert's relevant experience.
B. Verify that the engagement letter outlines the expert's responsibilities.
C. Review the independence and objectivity of the expert.
D. Review the industry reputation of the expert consultant's firm.
Correct Answer: A – Obtain an understanding of the expert's relevant
experience
Explanation: Understanding the expert’s relevant experience ensures they possess
the necessary skills and knowledge.
Incorrect Answers:
B. While helpful, responsibilities alone don’t confirm qualifications.
C. Independence is important, but adequacy is based on skill and experience.
D. Reputation is general and not necessarily indicative of individual adequacy.

Question 283
In a small IT web development company where developers must have write access to
production, the BEST recommendation of an IS auditor would be to:
A. Perform a user access review for the development team.
B. Hire another person to perform migration to production.
C. Implement continuous monitoring controls.
D. Remove production access from the developers.
Correct Answer: C – Implement continuous monitoring controls
Explanation: In environments where segregation is not feasible, monitoring helps
detect inappropriate access or changes.
Incorrect Answers:
A. A review helps but does not control access continuously.
B. Hiring may not be feasible in a small company.
D. Removing access may hinder operations in a small team.

Question 284
Of the following, who are the MOST appropriate staff for ensuring the alignment of
user authorization tables with approved authorization forms?
A. Security administrators
B. System owners
C. Database administrators (DBAs)
D. IT managers
Correct Answer: A – Security administrators
Explanation: Security administrators are responsible for implementing and verifying
access rights per approved forms.
Incorrect Answers:
B. System owners define roles but don’t enforce access.
C. DBAs manage databases, not access rights policies.
D. IT managers oversee staff but don’t handle individual access mappings.

Question 285
As part of business continuity planning, which of the following is MOST important
to assess when conducting a business impact analysis (BIA)?
A. Risk appetite
B. Completeness of critical asset inventory
C. Critical applications in the cloud
D. Recovery scenarios
Correct Answer: B – Completeness of critical asset inventory
Explanation: A complete asset inventory ensures accurate impact assessments and
prioritization of recovery efforts.
Incorrect Answers:
A. Risk appetite influences planning, not BIA directly.
C. Cloud applications may be part of inventory but not the most important factor.
D. Recovery scenarios are developed after the BIA.

Question 286
During the post-implementation review of an application that was implemented six
months ago, which of the following would be MOST helpful in determining whether
the application meets business requirements?
A. Project closure report and lessons-learned documents from the project
management office (PMO)
B. User acceptance testing (UAT) results and sign-off from users on meeting business
requirements
C. Difference between approved budget and actual project expenditures determined
post implementation
D. Comparison between expected benefits from the business case and actual benefits
after implementation
Correct Answer: D – Comparison between expected benefits from the
business case and actual benefits after implementation
Explanation: Comparing planned vs. realized benefits helps assess whether the
application delivers the expected business value.
Incorrect Answers:
A. Project documentation shows process closure, not effectiveness.
B. UAT focuses on functional correctness, not long-term benefit.
C. Budget variances relate to cost, not business value.

Question 287
An organization maintains an inventory of the IT applications used by its staff.
Which of the following would pose the GREATEST concern with regard to the
quality of the inventory data?
A. Inventory data is available on and downloadable from the corporate intranet.
B. The inventory does not contain a formal risk ranking for all the IT applications.
C. The application owner and contact information fields are not required to be
completed.
D. The organization has not established a formal recertification process for the
inventory data.
Correct Answer: C – The application owner and contact information
fields are not required to be completed
Explanation: Missing ownership info hinders responsibility, issue resolution, and
risk management.
Incorrect Answers:
A. Availability improves accessibility.
B. Risk rankings are useful but secondary.
D. Recertification helps maintain accuracy but not as critical as ownership.

Question 288
What is BEST for an IS auditor to review when assessing the effectiveness of changes
recently made to processes and tools related to an organization's business continuity
plan (BCP)?
A. Change management processes
B. Updated inventory of systems
C. Full test results
D. Completed test plans
Correct Answer: C – Full test results
Explanation: Test results show whether the BCP changes work as intended under
realistic conditions.
Incorrect Answers:
A. Change management supports the process but doesn’t prove effectiveness.
B. Inventory updates are important but indirect.
D. Test plans show preparation, not actual outcomes.

Question 289
IS management has recently disabled certain referential integrity controls in the
database management system (DBMS) software to provide users increased query
performance. Which of the following controls will MOST effectively compensate for
the lack of referential integrity?
A. More frequent data backups
B. Periodic table link checks
C. Performance monitoring tools
D. Concurrent access controls
Correct Answer: B – Periodic table link checks
Explanation: These checks detect orphaned records and integrity issues caused by
disabled constraints.
Incorrect Answers:
A. Backups address data recovery, not integrity.
C. Performance tools don’t verify data consistency.
D. Access controls manage security, not data relationships.

Question 290
What would be an IS auditor's BEST recommendation upon finding that a third-
party IT service provider hosts the organization's human resources (HR) system in a
foreign country?
A. Review third-party audit reports.
B. Conduct a privacy impact analysis.
C. Implement change management review.
D. Perform background verification checks.
Correct Answer: B – Conduct a privacy impact analysis
Explanation: A privacy impact analysis helps assess data protection and
compliance risks in cross-border scenarios.
Incorrect Answers:
A. Audit reports support assessment but don’t fully address legal implications.
C. Change management relates to system changes, not hosting concerns.
D. Background checks are for personnel, not data compliance.

Question 291
The PRIMARY role of a control self-assessment (CSA) facilitator is to:
A. Provide solutions for control weaknesses
B. Focus the team on internal controls
C. Report on the internal control weaknesses
D. Conduct interviews to gain background information
Correct Answer: B – Focus the team on internal controls
Explanation: A CSA facilitator's main role is to guide and focus the team in
identifying and evaluating internal controls.
Incorrect Answers:
A. Providing solutions is the team's responsibility.
C. Reporting is a byproduct, not the facilitator’s core duty.
D. Interviews may be part of the process but are not the primary role.

Question 292
IT disaster recovery time objectives (RTOs) should be based on the:
A. Maximum tolerable downtime (MTD)
B. Nature of the outage
C. Maximum tolerable loss of data
D. Business-defined criticality of the systems
Correct Answer: A – Maximum tolerable downtime (MTD)
Explanation: RTO is derived from MTD, which is the maximum amount of time a
business process can be disrupted without significant harm.
Incorrect Answers:
B. The nature of the outage is considered later.
C. Data loss refers more to RPO.
D. System criticality helps, but MTD drives RTO.

Question 293
A data analytics team has developed a process automation bot for internal audit that
scans user access to all servers in the environment and then randomly selects a
sample of new users for testing. Which of the following presents the GREATEST
concern with this approach?
A. The bot can only select samples from the current period.
B. Auditor judgment is removed from the process.
C. Evidence of population completeness is not maintained.
D. Data must be validated manually before being loaded into the bot.
Correct Answer: C – Evidence of population completeness is not maintained
Explanation: Without evidence of completeness, the population sample may not be
reliable, impacting audit validity.
Incorrect Answers:
A. Current period sampling is acceptable if defined.
B. Judgment can still be applied post-sampling.
D. Manual validation is a process issue, not the greatest risk.

Question 294
What is the MOST critical finding when reviewing an organization's information
security management?
A. No official charter for the information security management system
B. No employee awareness training and education program
C. No dedicated security officer
D. No periodic assessments to identify threats and vulnerabilities
Correct Answer: D – No periodic assessments to identify threats and
vulnerabilities
Explanation: Continuous assessments are vital for proactive risk management.
Incorrect Answers:
A. Important, but not critical.
B. Affects awareness but not system-wide posture.
C. Can be mitigated by role assignment.

Question 295
The operations team of an organization has reported an IS security attack. Which of
the following should be the FIRST step for the security incident response team?
A. Report results to management
B. Document lessons learned
C. Perform a damage assessment
D. Prioritize resources for corrective action
Correct Answer: C – Perform a damage assessment
Explanation: Understanding the extent of the damage is critical to properly contain
and respond to the incident.
Incorrect Answers:
A. Reporting is done after assessment.
B. Lessons learned are post-incident.
D. Prioritization follows assessment.

Question 296
A company converted its payroll system from an external service to an internal
package. Payroll processing in April was run in parallel. To validate the completeness
of data after the conversion, which of the following comparisons from the old to the
new system would be MOST effective?
A. Cut-off dates and overwrites for a sample of employees
B. Turnaround time for payroll processing
C. Master file employee data to payroll journals
D. Employee counts and year-to-date payroll totals
Correct Answer: D – Employee counts and year-to-date payroll totals
Explanation: This comparison ensures that no data has been lost or misprocessed
during conversion.
Incorrect Answers:
A. Useful for validation but not completeness.
B. Doesn't ensure data accuracy.
C. Checks linkage, not totals.

Question 297
Following an IS audit, which of the following types of risk would be MOST critical to
communicate to key stakeholders?
A. Control
B. Inherent
C. Audit
D. Residual
Correct Answer: D – Residual
Explanation: Residual risk remains after controls are applied and must be
evaluated by stakeholders.
Incorrect Answers:
A. Control risks are managed internally.
B. Inherent risk is a baseline risk.
C. Audit risk pertains to the auditor's process.

Question 298
An organization has installed blade server technology in its data center. To determine
whether higher cooling demands are maintained, which of the following should the IS
auditor review?
A. Air conditioning capacity
B. Ventilation systems
C. Uninterruptible power supply (UPS) systems
D. Duct maintenance
Correct Answer: A – Air conditioning capacity
Explanation: Blade servers generate more heat; air conditioning must handle the
increased thermal load.
Incorrect Answers:
B. Ventilation helps but doesn’t confirm cooling sufficiency.
C. UPS is for power, not cooling.
D. Ducts are part of maintenance, not cooling performance.

Question 299
The use of control totals reduces the risk of:
A. Posting to the wrong record
B. Improper backup
C. Improper authorization
D. Incomplete processing
Correct Answer: D – Incomplete processing
Explanation: Control totals ensure data completeness by reconciling processed
figures with source figures.
Incorrect Answers:
A. Doesn’t prevent misdirection.
B. Unrelated to data processing.
C. Authorization issues are separate.

Question 300
The application systems quality assurance (QA) function should:
A. Compare programs to approved system changes
B. Ensure adherence of programs to standards
C. Assist programmers in designing and developing applications
D. Design and develop quality applications by employing system development
methodology
Correct Answer: B – Ensure adherence of programs to standards
Explanation: QA ensures that development follows standards and policies to
maintain quality.
Incorrect Answers:
A. This is part of configuration management.
C. This can impair QA independence.
D. QA does not perform development.

Question 301
An organization has begun using social media to communicate with current and
potential clients. Which of the following should be of PRIMARY concern to the
auditor?
A. Using a third-party provider to host and manage content
B. Lack of guidance on appropriate social media usage and monitoring
C. Negative posts by customers affecting the organization's image
D. Reduced productivity of staff using social media
Correct Answer: B – Lack of guidance on appropriate social media
usage and monitoring
Explanation: Without defined policies and monitoring mechanisms, the
organization is exposed to reputational, regulatory, and data leakage risks.
Incorrect Answers:
A. Hosting is less of a concern if properly governed.
C. Reputation risks exist but can be mitigated with policy and monitoring.
D. Productivity loss is a management concern, not an audit priority.

Question 302
An organization is developing data classification standards and has asked internal
audit for advice on aligning the standards with best practices. Internal audit would
MOST likely recommend the standards should be:
A. based on the business requirements for confidentiality of the information.
B. aligned with the organization's segregation of duties requirements.
C. based on the results of an organization-wide risk assessment.
D. based on the business requirements for authentication of the information.
Correct Answer: C – Based on the results of an organization-wide risk
assessment
Explanation: A risk-based approach ensures that classification reflects the true
impact of data compromise.
Incorrect Answers:
A. Confidentiality is one component, but not sufficient on its own.
B. Segregation of duties is related to roles, not data classification.
D. Authentication is a control, not a classification driver.

Question 303
An organization considers implementing a system that uses a technology that is not
in line with the organization's IT strategy. Which of the following is the BEST
justification for deviating from the IT strategy?
A. The system makes use of state-of-the-art technology.
B. The system has a reduced cost of ownership.
C. The organization has staff familiar with the technology.
D. The business benefits are achieved even with extra costs.
Correct Answer: D – The business benefits are achieved even with
extra costs
Explanation: Business value should outweigh strict adherence to strategy if benefits
justify the investment.
Incorrect Answers:
A. Innovation alone does not justify deviation.
B. Lower cost doesn’t always mean better alignment.
C. Familiarity reduces training but isn’t strategic justification.

Question 304
An organization is running servers with critical business applications that are in an
area subject to frequent but brief power outages. Knowledge of which of the following
would allow the organization's management to monitor the ongoing adequacy of the
uninterruptible power supply (UPS)?
A. Duration and interval of the power outages
B. Business impact of server downtime
C. Number of servers supported by the UPS
D. Mean time to recover servers after failure
Correct Answer: A – Duration and interval of the power outages
Explanation: Understanding how long and how often power is lost helps determine
if the UPS capacity is sufficient.
Incorrect Answers:
B. Business impact is strategic, not operationally actionable.
C. Capacity is fixed—usage patterns matter more.
D. MTTR applies to recovery, not UPS adequacy.

Question 305
An organization implemented a cybersecurity policy last year. Which of the following
is the GREATEST indicator that the policy may need to be revised?
A. A significant increase in authorized connections to third parties
B. A significant increase in cybersecurity audit findings
C. A significant increase in external attack attempts
D. A significant increase in approved exceptions
Correct Answer: D – A significant increase in approved exceptions
Explanation: Many exceptions suggest the policy is no longer aligned with current
needs and practices.
Incorrect Answers:
A. More connections may still comply with policy.
B. Audit findings suggest enforcement gaps, not policy flaws.
C. Increased attacks are external, not policy-related.

Question 306
An organization's enterprise architecture (EA) department decides to change a legacy
system's components while maintaining its original functionality. Which of the
following is MOST important for an IS auditor to understand when reviewing this
decision?
A. The current business capabilities delivered by the legacy system
B. The database entity relationships within the legacy system
C. The proposed network topology to be used by the redesigned system
D. The data flows between the components to be used by the redesigned system
Correct Answer: A – The current business capabilities delivered by the
legacy system
Explanation: Retaining functionality requires a solid understanding of the system’s
current business capabilities.
Incorrect Answers:
B. Entity relationships are technical, not functional.
C. Network topology is secondary to functionality.
D. Data flows matter, but business capabilities come first.

Question 307
A legacy application is running on an operating system that is no longer supported
by the vendor. If the organization continues to use the current application, which of
the following should be the IS auditor's GREATEST concern?
A. Potential exploitation of zero-day vulnerabilities in the system
B. Inability to update the legacy application database
C. Increased cost of maintaining the system
D. Inability to use the operating system due to potential license issues
Correct Answer: A – Potential exploitation of zero-day vulnerabilities
in the system
Explanation: Unsupported systems are not patched, making them prime targets for
new vulnerabilities.
Incorrect Answers:
B. A database update issue is secondary.
C. Cost is less critical than security.
D. License issues are legal, not security-focused.

Question 308
A system development project is experiencing delays due to ongoing staff shortages.
Which of the following strategies would provide the GREATEST assurance of system
quality at implementation?
A. Utilize new system development tools to improve productivity.
B. Deliver only the core functionality on the initial target date.
C. Implement overtime pay and bonuses for all development staff.
D. Recruit IS staff to expedite system development.
Correct Answer: B – Deliver only the core functionality on the initial
target date
Explanation: Prioritizing core functionality allows delivery with quality and reduces
scope risk.
Incorrect Answers:
A. Tools help but don’t guarantee quality.
C. Overtime may lead to burnout and errors.
D. Recruitment is slow and may not meet deadlines.

Question 309
When reviewing past results of a recurring annual audit, an IS auditor notes that
findings may not have been reported and independence may not have been
maintained. Which of the following IS the auditor's BEST course of action?
A. Reevaluate internal controls
B. Re-perform past audits to ensure independence
C. Inform senior management
D. Inform audit management
Correct Answer: D – Inform audit management
Explanation: Audit management must be made aware to address potential flaws in
audit integrity.
Incorrect Answers:
A. Reevaluation is premature.
B. Re-performing past audits is inefficient.
C. Escalation to senior management should follow internal reporting protocols.

Question 310
An information systems security officer's PRIMARY responsibility for business
process applications is to:
A. create role-based rules for each business process.
B. approve the organization's security policy.
C. ensure access rules agree with policies.
D. authorize secured emergency access.
Correct Answer: C – Ensure access rules agree with policies
Explanation: The officer ensures that access controls reflect approved policies and
roles.
Incorrect Answers:
A. Rule creation is operational, not oversight.
B. Policy approval typically lies with senior leadership.
D. Emergency access is situational, not primary duty.

Question 311
Coding standards provide which of the following?
A. Access control tables
B. Data flow diagrams
C. Field naming conventions
D. Program documentation
Correct Answer: C – Field naming conventions
Explanation: Coding standards typically include conventions like field naming to
ensure consistency and maintainability.
Incorrect Answers:
A. Access controls relate to security, not coding conventions.
B. Data flow diagrams are part of systems analysis, not coding standards.
D. Documentation may be influenced by standards but isn’t the core of them.

Question 312
During which IT project phase is it MOST appropriate to conduct a benefits
realization analysis?
A. Post-implementation review phase
B. Design review phase
C. User acceptance testing (UAT) phase
D. Final implementation phase
Correct Answer: A – Post-implementation review phase
Explanation: Benefits realization is measured after implementation to determine if
objectives were met.
Incorrect Answers:
B. Design phase is too early for measuring benefits.
C. UAT checks functionality, not value delivery.
D. Implementation is ongoing and not evaluative.

Question 313
Due to a high volume of customer orders, an organization plans to implement a new
application for customers to use for online ordering. Which type of testing is MOST
important to ensure the security of the application prior to go-live?
A. Stress testing
B. User acceptance testing (UAT)
C. Vulnerability testing
D. Regression testing
Correct Answer: C – Vulnerability testing
Explanation: Security assurance before release is best achieved through
vulnerability testing.
Incorrect Answers:
A. Stress testing checks performance, not security.
B. UAT focuses on functionality, not vulnerabilities.
D. Regression testing checks for unintended effects of changes.
Question 314
During an audit of identity and access management, an IS auditor finds that the
engagement audit plan does not include the testing of controls that regulate access
by third parties. Which of the following would be the auditor's BEST course of
action?
A. Add testing of third-party access controls to the scope of the audit.
B. Plan to test these controls in another audit.
C. Determine whether the risk has been identified in the planning documents.
D. Escalate the deficiency to audit management.
Correct Answer: C – Determine whether the risk has been identified
in the planning documents
Explanation: The auditor should assess if this was a scoped-out risk or an oversight
before adjusting the audit.
Incorrect Answers:
A. Adding to the scope should follow planning review.
B. Future audits should not delay response to significant risk.
D. Escalation is premature if the omission was deliberate.

Question 315
What is the PRIMARY reason for conducting a risk assessment when developing an
annual IS audit plan?
A. Identify and prioritize audit areas
B. Determine the existence of controls in audit areas
C. Provide assurance material items will be covered
D. Decide which audit procedures and techniques to use
Correct Answer: A – Identify and prioritize audit areas
Explanation: Risk assessments help auditors focus on the areas with the highest
impact and likelihood.
Incorrect Answers:
B. Control testing comes later in the audit.
C. Assurance is a result, not a planning goal.
D. Procedures are selected after areas are chosen.

Question 316
An employee transfers from an organization's risk management department to
become the lead IS auditor. While in the risk management department, the employee
helped develop the key performance indicators (KPIs) now used by the organization.
Which of the following would pose the GREATEST threat to the independence of
this auditor?
A. Evaluating the effectiveness of IT risk management processes
B. Recommending controls to address the IT risks identified by KPIs
C. Developing KPIs to measure the internal audit team
D. Training the IT audit team on IT risk management processes
Correct Answer: A – Evaluating the effectiveness of IT risk
management processes
Explanation: Reviewing work the auditor previously contributed to creates a
conflict of interest.
Incorrect Answers:
B. Recommending controls is consultative, not evaluative.
C. KPI creation for audit is a new function.
D. Training does not impact independence.

Question 317
As part of an audit response, an auditee has concerns with the recommendations and
is hesitant to implement them. Which of the following would be the BEST course of
action for the IS auditor?
A. Suggest hiring a third-party consultant to perform a current state assessment.
B. Issue a final report without including the opinion of the auditee.
C. Conduct further discussions with the auditee to develop a mitigation plan.
D. Accept the auditee's response and perform additional testing.
Correct Answer: C – Conduct further discussions with the auditee to
develop a mitigation plan
Explanation: Collaboration helps resolve concerns and ensures recommendations
are practical and effective.
Incorrect Answers:
A. External consultants are a last resort.
B. Reports should reflect a complete picture, including auditee responses.
D. Testing does not replace resolution of concerns.

Question 318
After discussing findings with an auditee, an IS auditor is required to obtain approval
of the report from the CEO before issuing it to the audit committee. This
requirement PRIMARILY affects the IS auditor's:
A. judgment
B. effectiveness
C. independence
D. integrity
Correct Answer: C – Independence
Explanation: Requiring approval from management before reporting to the audit
committee compromises objectivity.
Incorrect Answers:
A. Judgment is not affected if findings remain unchanged.
B. Effectiveness is impacted indirectly, but not primarily.
D. Integrity is maintained unless there’s a deliberate misrepresentation.

Question 319
During a review of IT service desk practices, an IS auditor notes that help desk
personnel are spending more time fulfilling user requests for password resets than
resolving critical incidents. Which of the following recommendations to IT
management would BEST address this situation?
A. Calculate the age of incident tickets and alert senior IT personnel when they
exceed service level agreements (SLAs).
B. Provide annual password management training to end users to reduce the number
of instances requiring password resets.
C. Incentivize service desk personnel to close incidents within agreed service levels.
D. Implement a self-service solution and redirect users to access frequently requested
services.
Correct Answer: D – Implement a self-service solution and redirect
users to access frequently requested services
Explanation: A self-service solution improves efficiency and reduces low-value
repetitive tasks.
Incorrect Answers:
A. Alerts help but don’t resolve the core issue.
B. Training alone may not be sufficient.
C. Incentives don’t address root cause of workload.

Question 320
During which phase of a system development project should key performance
indicators (KPIs) be established?
A. Planning phase
B. Initiation phase
C. Execution phase
D. Closure phase
Correct Answer: A – Planning phase
Explanation: KPIs should be defined early to track project progress and
effectiveness throughout the lifecycle.
Incorrect Answers:
B. Initiation sets objectives, not detailed metrics.
C. Execution uses KPIs, not defines them.
D. Closure evaluates KPIs, not creates them.

Question 321
An organization wants to change its project methodology to address increasing costs
and process changes. Which of the following is the BEST methodology to use?
A. Agile application development
B. Waterfall application development
C. Joint application development
D. Object-oriented application development
Correct Answer: A – Agile application development
Explanation: Agile is iterative, flexible, and better suited for managing frequent
changes and controlling costs.
Incorrect Answers:
B. Waterfall is rigid and not ideal for dynamic environments.
C. Joint application development emphasizes collaboration, not methodology change.
D. Object-oriented development is a design approach, not a project methodology.

Question 322
A USB device containing sensitive production data was lost by an employee, and its
contents were subsequently found published online. Which of the following controls is
the BEST recommendation to prevent a similar recurrence?
A. Monitoring data being downloaded on USB devices
B. Using a strong encryption algorithm
C. Training users on USB device security
D. Electronically tracking portable devices
Correct Answer: B – Using a strong encryption algorithm
Explanation: Encryption ensures that even if a device is lost, the data remains
protected from unauthorized access.
Incorrect Answers:
A. Monitoring does not protect data once lost.
C. Training is helpful but less reliable.
D. Tracking helps locate devices but does not secure the data.

Question 323
During an IT operations audit, multiple unencrypted backup tapes containing
sensitive credit card information cannot be found. Which of the following presents
the GREATEST risk to the organization?
A. Human resource cost of responding to the incident
B. Business disruption if a data restore cannot be completed
C. Reputational damage due to potential identity theft
D. The cost of recreating the missing backup tapes
Correct Answer: C – Reputational damage due to potential identity
theft
Explanation: Exposure of sensitive credit card data can damage customer trust and
result in legal and financial repercussions.
Incorrect Answers:
A. HR costs are minor in comparison.
B. Disruption is important but not as severe in this context.
D. Recreating tapes is a logistical issue, not the primary risk.

Question 324
An organization uses multiple offsite data center facilities. Which of the following is
MOST important to consider when choosing related backup devices and media?
A. Associated costs
B. Standardization
C. Backup media capacity
D. Restoration speed
Correct Answer: D – Restoration speed
Explanation: The ability to restore data quickly is critical for continuity, especially
across distributed data centers.
Incorrect Answers:
A. Cost is secondary to functionality in disaster recovery.
B. Standardization improves manageability but is not the top priority.
C. Capacity matters, but only if recovery can meet time objectives.

Question 325
Which of the following is MOST important to determine when conducting a post-
implementation review?
A. Whether the solution architecture complies with IT standards
B. Whether success criteria have been achieved
C. Whether lessons learned have been documented
D. Whether the project has been delivered within the approved budget
Correct Answer: B – Whether success criteria have been achieved
Explanation: A post-implementation review should evaluate whether the project
met its intended objectives and value.
Incorrect Answers:
A. Architecture compliance is a technical check.
C. Lessons learned support future improvements but don’t measure success.
D. Budget adherence is important, but less critical than outcomes.

Question 326
While reviewing an organization's business continuity plan (BCP), an IS auditor
observes that a recently developed application is not included. The IS auditor should:
A. ensure that the criticality of the application is determined.
B. include in the audit findings that the BCP is incomplete.
C. recommend that the application be incorporated in the BCP.
D. ignore the observation as the application is not mission critical.
Correct Answer: A – Ensure that the criticality of the application is
determined
Explanation: Before drawing conclusions or recommending inclusion, the
application’s criticality should be assessed.
Incorrect Answers:
B. The plan may not be incomplete if the app is not critical.
C. Inclusion should follow impact assessment.
D. Dismissing without evaluation could overlook potential risk.

Question 327
Data anonymization helps to prevent which types of attacks in a big data
environment?
A. Man-in-the-middle
B. Denial of service (DoS)
C. Correlation
D. Spoofing
Correct Answer: C – Correlation
Explanation: Anonymization prevents attackers from linking data to identifiable
individuals using correlation.
Incorrect Answers:
A. Man-in-the-middle involves interception, not identity linkage.
B. DoS targets availability, not privacy.
D. Spoofing involves identity falsification, not linking data points.

Question 328
During a review of a production schedule, an IS auditor observes that a staff member
is not complying with mandatory operational procedures. The auditor's NEXT step
should be to:
A. note the noncompliance in the audit working papers.
B. determine why the procedures were not followed.
C. issue an audit memorandum identifying the noncompliance.
D. include the noncompliance in the audit report.
Correct Answer: B – Determine why the procedures were not followed
Explanation: Understanding root cause is necessary before taking formal action or
issuing findings.
Incorrect Answers:
A. Documentation is important but not the first action.
C. A memo is premature without investigation.
D. Reporting should be based on full context.

Question 329
The PRIMARY objective of IT service level management is to:
A. improve IT cost control.
B. manage computer operations activities.
C. satisfy customer requirements.
D. increase awareness of IT services.
Correct Answer: C – Satisfy customer requirements
Explanation: The key goal is to ensure IT services meet agreed-upon customer
expectations.
Incorrect Answers:
A. Cost control is a by-product, not the objective.
B. Operations management is part of service delivery but not the focus.
D. Awareness is useful but not the main goal.

Question 330
The use of which of the following would BEST enhance a process improvement
program?
A. Balanced scorecard
B. Project management methodologies
C. Capability maturity models
D. Model-based design notations
Correct Answer: C – Capability maturity models
Explanation: Maturity models assess current processes and guide structured
improvements.
Incorrect Answers:
A. Balanced scorecard measures performance but doesn’t guide improvement.
B. Project methodologies support execution, not maturity.
D. Design notations focus on systems modeling, not process maturity.

Question 331
Reconciliations have identified data discrepancies between an enterprise data
warehouse and a revenue system for key financial reports. What is the GREATEST
risk to the organization in this situation?
A. The key financial reports may no longer be produced
B. Financial reports may be delayed
C. Undetected fraud may occur
D. Decisions may be made based on incorrect information
Correct Answer: D – Decisions may be made based on incorrect
information
Explanation: Inaccurate data in financial reports can lead to poor strategic
decisions, regulatory issues, and reputational damage.
Incorrect Answers:
A. Reports may still be produced, albeit with incorrect data.
B. Delays are less critical than making flawed decisions.
C. While fraud is a risk, incorrect reporting poses broader strategic consequences.

Question 332
An organization has recently implemented a Voice-over IP (VoIP) communication
system. Which of the following should be the IS auditor's PRIMARY concern?
A. Voice quality degradation due to packet loss
B. Lack of integration of voice and data communications
C. A single point of failure for both voice and data communications
D. Inability to use virtual private networks (VPNs) for internal traffic
Correct Answer: C – A single point of failure for both voice and data
communications
Explanation: Combining voice and data over a single network increases the impact
of a failure, making availability a primary concern.
Incorrect Answers:
A. Quality issues affect usability, not availability.
B. Integration is an implementation challenge, not a primary risk.
D. VPN compatibility is not the main risk focus.

Question 333
When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery
of IT processing capabilities, it is MOST important for the IS auditor to verify the
plan is:
A. stored at an offsite location
B. communicated to department heads
C. regularly reviewed
D. periodically tested
Correct Answer: D – Periodically tested
Explanation: Testing ensures the DRP is effective and can restore operations during
a real disaster.
Incorrect Answers:
A. Offsite storage helps availability, but testing confirms functionality.
B. Communication is necessary but not sufficient.
C. Reviews without testing may not reveal weaknesses.

Question 334
During a disaster recovery audit, an IS auditor finds that a business impact analysis
(BIA) has not been performed. The auditor should FIRST:
A. conduct additional compliance testing
B. issue an intermediate report to management
C. perform a business impact analysis (BIA)
D. evaluate the impact on current disaster recovery capability
 Correct Answer: D – Evaluate the impact on current disaster recovery
capability
Explanation: The auditor should assess how the missing BIA affects recovery
planning before making recommendations.
Incorrect Answers:
A. More testing won’t resolve the root issue.
B. Reporting should follow full evaluation.
C. Performing a BIA is not the auditor’s role.

Question 335
During a review, an IS auditor discovers that corporate users are able to access
cloud-based applications and data from any Internet-connected web browser. Which
of the following is the auditor's BEST recommendation to help prevent unauthorized
access?
A. Utilize strong anti-malware controls on all computing devices
B. Implement an intrusion detection system (IDS)
C. Update security policies and procedures
D. Implement multi-factor authentication
Correct Answer: D – Implement multi-factor authentication
Explanation: MFA adds an essential layer of security, especially for remote access to
sensitive data.
Incorrect Answers:
A. Anti-malware helps device security, not access control.
B. IDS detects intrusions but doesn't prevent them.
C. Policies are important but not a strong access control.

Question 336
To create a digital signature in a message using asymmetric encryption, it is
necessary to:
A. encrypt the authentication sequence using a public key
B. first use a symmetric algorithm for the authentication sequence
C. transmit the actual digital signature in unencrypted clear text
D. encrypt the authentication sequence using a private key
Correct Answer: D – Encrypt the authentication sequence using a
private key
Explanation: The sender’s private key is used to create a digital signature, which
recipients can verify using the public key.
Incorrect Answers:
A. Public key is used for verification, not signing.
B. Symmetric algorithms are not used in digital signatures.
C. The signature is not transmitted in plain text for integrity.
Question 337
During an audit of an access control system, an IS auditor finds that RFID card
readers are not connected via the network to a central server. Which of the following
is the GREATEST risk associated with this finding?
A. Lost or stolen cards cannot be disabled immediately
B. Card reader firmware updates cannot be rolled out automatically
C. The system is not easily scalable to accommodate a new device
D. Incidents cannot be investigated without a centralized log file
Correct Answer: A – Lost or stolen cards cannot be disabled
immediately
Explanation: Immediate deactivation is critical to maintaining security when
physical credentials are compromised.
Incorrect Answers:
B. Firmware updates are periodic, not urgent.
C. Scalability is an issue, but not the primary risk.
D. Logging is important but secondary to real-time control.

Question 338
Invoking a business continuity plan (BCP) is demonstrating which type of control?
A. Preventive
B. Corrective
C. Directive
D. Detective
Correct Answer: B – Corrective
Explanation: BCP is a corrective control because it restores operations after a
disruption.
Incorrect Answers:
A. Preventive avoids incidents; BCP reacts to them.
C. Directive guides actions but doesn't restore service.
D. Detective identifies issues but doesn’t resolve them.

Question 339
When determining whether a project in the design phase will meet organizational
objectives, what is BEST to compare against the business case?
A. Project plan
B. Requirements analysis
C. Implementation plan
D. Project budget provisions
Correct Answer: B – Requirements analysis
Explanation: Requirements analysis defines the expected outcomes and ensures
alignment with the business case.
Incorrect Answers:
A. Project plans focus on timeline, not outcomes.
C. Implementation plans cover execution, not alignment.
D. Budgets manage cost, not functional fit.

Question 340
The results of an IS audit indicating the need to strengthen controls has been
communicated to the appropriate stakeholders. Which of the following is the BEST
way for management to enforce implementation of the recommendations?
A. Copy senior management on communications related to the audit
B. Have stakeholders develop a business case for control changes
C. Assign ownership to each remediation activity
D. Request auditors to design a roadmap for closure
Correct Answer: C – Assign ownership to each remediation activity
Explanation: Assigning ownership ensures accountability and follow-through on
control implementation.
Incorrect Answers:
A. Copying management informs but doesn’t enforce.
B. Business cases justify change but don’t ensure action.
D. Auditors should not lead implementation tasks.

Question 341
Internal audit is conducting an audit of customer transaction risk. Which of the
following would be the BEST reason to use data analytics?
A. Transactional data is contained in multiple discrete systems that have varying
levels of reliability
B. Anomalies and risk trends in the data set have yet to be defined
C. The audit is being performed to comply with regulations requiring periodic
random sample testing
D. The audit focus is on a small number of predefined high-risk transactions
Correct Answer: B – Anomalies and risk trends in the data set have
yet to be defined
Explanation: Data analytics is most valuable when patterns, risks, or anomalies are
not yet clearly known, allowing the audit to explore and identify issues.
Incorrect Answers:
A. Data inconsistency may complicate analysis but is not the primary reason for
analytics.
C. Random sampling is a separate audit technique.
D. Data analytics is better suited to large data sets.
Question 342
Critical processes are not defined in an organization's business continuity plan
(BCP). Which of the following would have MOST likely identified the gap?
A. Updating the risk register
B. Reviewing the business continuity strategy
C. Reviewing the business impact analysis (BIA)
D. Testing the incident response plan
Correct Answer: C – Reviewing the business impact analysis (BIA)
Explanation: A BIA identifies critical processes; its omission or poor execution
leads to missing processes in the BCP.
Incorrect Answers:
A. The risk register focuses on threats, not process identification.
B. Strategy review focuses on alignment, not process completeness.
D. Testing may reveal execution issues, not planning gaps.

Question 343
When auditing the closing stages of a system development project, which of the
following should be the MOST important consideration?
A. Rollback procedures
B. Control requirements
C. User acceptance test (UAT) results
D. Functional requirements documentation
Correct Answer: C – User acceptance test (UAT) results
Explanation: UAT confirms the system meets user needs and is ready for
deployment.
Incorrect Answers:
A. Rollback is part of risk mitigation, not closure validation.
B. Control requirements are more relevant in design.
D. Documentation supports the project but is not proof of readiness.

Question 344
Following a breach, what is the BEST source to determine the maximum amount of
time before customers must be notified that their personal information may have
been compromised?
A. Industry standards
B. Information security policy
C. Incident response plan
D. Industry regulations
Correct Answer: D – Industry regulations
Explanation: Legal requirements define timeframes for breach notifications and
must be followed to ensure compliance.
Incorrect Answers:
A. Standards provide guidance, not enforceable requirements.
B. Policy may not be up-to-date or enforceable in court.
C. Response plans reference regulations but are not authoritative.

Question 345
A client/server configuration will:
A. optimize system performance by having a server on a front-end and clients on a
host
B. enhance system performance through the separation of front-end and back-end
processes
C. keep track of all the clients using the IS facilities of a service organization
D. limit the clients and servers' relationship by limiting the IS facilities to a single
hardware system
Correct Answer: B – Enhance system performance through the
separation of front-end and back-end processes
Explanation: This separation allows tasks to be processed more efficiently,
improving overall system performance.
Incorrect Answers:
A. Incorrect role descriptions for client-server structure.
C. Client tracking is not the main performance benefit.
D. Limiting hardware contradicts the client/server model.

Question 346
The PRIMARY benefit of information asset classification is that it:
A. enables risk management decisions
B. helps to align organizational objectives
C. prevents loss of assets
D. facilitates budgeting accuracy
Correct Answer: A – Enables risk management decisions
Explanation: Classification helps prioritize protections and allocate resources
appropriately based on risk.
Incorrect Answers:
B. Alignment is a broader strategy topic.
C. Classification does not directly prevent loss.
D. Budgeting may benefit but is not the core purpose.

Question 347
The implementation of an IT governance framework requires that the board of
directors of an organization:
A. approve the IT strategy
B. be informed of all IT initiatives
C. have an IT strategy committee
D. address technical IT issues
Correct Answer: A – Approve the IT strategy
Explanation: Board approval ensures that the IT strategy aligns with business
goals and governance.
Incorrect Answers:
B. Being informed is passive and insufficient.
C. A committee is helpful but not mandatory.
D. Technical issues are typically delegated.

Question 348
What is the PRIMARY reason to adopt a risk-based IS audit strategy?
A. To achieve synergy between audit and other risk management functions
B. To reduce the time and effort needed to perform a full audit cycle
C. To prioritize available resources and focus on areas with significant risk
D. To identify key threats, risks, and controls for the organization
Correct Answer: C – To prioritize available resources and focus on
areas with significant risk
Explanation: Risk-based audits ensure efforts are focused on areas that present the
highest threat or impact.
Incorrect Answers:
A. Synergy is a secondary benefit.
B. Time-saving is not the primary driver.
D. Identifying risks is part of the process, not the goal.

Question 349
An IS auditor finds that application servers had inconsistent security settings leading
to potential vulnerabilities. Which of the following is the BEST recommendation by
the IS auditor?
A. Improve the change management process
B. Perform a configuration review
C. Establish security metrics
D. Perform a penetration test
Correct Answer: B – Perform a configuration review
Explanation: A configuration review identifies inconsistencies and deviations from
baseline security standards.
Incorrect Answers:
A. Change management helps prevent issues but doesn't identify existing ones.
C. Metrics help measure but not resolve.
D. Penetration testing may not pinpoint configuration gaps.
Question 350
When conducting a post-implementation review of a new software application, an IS
auditor should be MOST concerned with an increasing number of:
A. change requests approved to add new services
B. updates required for the end-user operations manual
C. operational errors impacting service delivery
D. help desk calls requesting future enhancements
Correct Answer: C – Operational errors impacting service delivery
Explanation: Operational errors directly affect business continuity and indicate
implementation or system flaws.
Incorrect Answers:
A. New services may reflect evolving needs.
B. Manual updates are routine.
D. Enhancement requests are expected and not concerning.

Question 351
When an IS auditor evaluates key performance indicators (KPIs) for IT initiatives, it
is MOST important that the KPIs indicate:
A. IT deliverables are process driven
B. IT objectives are measured
C. IT resources are fully utilized
D. IT solutions are within budget
Correct Answer: B – IT objectives are measured
Explanation: KPIs are most effective when they directly reflect whether IT
objectives are being met, ensuring alignment with business goals.
Incorrect Answers:
A. Process-driven deliverables may not reflect outcomes.
C. Utilization is operational, not strategic.
D. Budget compliance is important, but not the best indicator of success.

Question 352
In which phase of penetration testing would host detection and domain name system
(DNS) interrogation be performed?
A. Reporting
B. Attacks
C. Discovery
D. Planning
Correct Answer: C – Discovery
Explanation: Discovery involves gathering information about the target, such as
host detection and DNS interrogation, before any attacks are launched.
Incorrect Answers:
A. Reporting is the documentation phase.
B. Attacks follow the discovery phase.
D. Planning focuses on scope and rules of engagement.

Question 353
Which type of control is being implemented when a biometric access device is
installed at the entrance to a facility?
A. Preventive
B. Deterrent
C. Corrective
D. Detective
Correct Answer: A – Preventive
Explanation: Biometric devices prevent unauthorized access by ensuring only
verified individuals can enter.
Incorrect Answers:
B. Deterrents discourage but do not actively block.
C. Corrective actions occur after an incident.
D. Detective controls identify issues post-occurrence.

Question 354
Which of the following would an IS auditor consider the GREATEST risk associated
with a mobile workforce environment?
A. Loss or damage to the organization's assets
B. Lack of compliance with organizational policies
C. Decrease in employee productivity and accountability
D. Inability to access data remotely
Correct Answer: A – Loss or damage to the organization's assets
Explanation: Mobile environments increase the risk of data loss or theft due to
physical device exposure outside secure areas.
Incorrect Answers:
B. Policy compliance is a concern, but secondary.
C. Productivity may vary but is not the greatest risk.
D. Inability to access is an availability issue, not a top risk.

Question 355
Which of the following key performance indicators (KPIs) provides stakeholders with
the MOST useful information about whether information security risk is being
managed?
A. The number of security controls implemented
B. Time from identifying security threats to implementing solutions
C. Time from security log capture to log analysis
D. The number of entries in the security risk register
 Correct Answer: B – Time from identifying security threats to
implementing solutions
Explanation: This KPI reflects the organization's responsiveness and agility in
managing information security risks.
Incorrect Answers:
A. Quantity does not imply effectiveness.
C. Log analysis timing is a subset of threat management.
D. The number of risks logged doesn't show risk reduction.

Question 356
Which of the following is MOST important when implementing a data classification
program?
A. Planning for secure storage capacity
B. Understanding the data classification levels
C. Formalizing data ownership
D. Developing a privacy policy
Correct Answer: C – Formalizing data ownership
Explanation: Without clear ownership, data classification cannot be enforced or
maintained effectively.
Incorrect Answers:
A. Storage is logistical, not foundational.
B. Understanding levels is necessary but comes after ownership.
D. Privacy policy is related but broader in scope.

Question 357
Which of the following is an IS auditor's BEST recommendation to help an
organization increase the efficiency of computing resources?
A. Hardware upgrades
B. Real-time backups
C. Virtualization
D. Overclocking the central processing unit (CPU)
Correct Answer: C – Virtualization
Explanation: Virtualization optimizes resource use by consolidating workloads on
fewer physical machines.
Incorrect Answers:
A. Hardware upgrades are costly and may not address inefficiency.
B. Backups are for resilience, not efficiency.
D. Overclocking may cause instability or damage.

Question 358
Which of the following would BEST manage the risk of changes in requirements after
the analysis phase of a business application development project?
A. Sign-off from the IT team
B. Quality assurance (QA) review
C. Ongoing participation by relevant stakeholders
D. Expected deliverables meeting project deadlines
Correct Answer: C – Ongoing participation by relevant stakeholders
Explanation: Active stakeholder involvement ensures evolving needs are addressed
promptly, reducing requirement drift.
Incorrect Answers:
A. IT sign-off is insufficient alone.
B. QA reviews test quality, not requirement evolution.
D. Timelines do not ensure requirement accuracy.

Question 359
Which of the following is the BEST data integrity check?
A. Tracing data back to the point of origin
B. Performing a sequence check
C. Counting the transactions processed per day
D. Preparing and running test data
Correct Answer: A – Tracing data back to the point of origin
Explanation: Verifying data against its original source confirms its accuracy and
integrity.
Incorrect Answers:
B. Sequence checks detect missing entries but not source validity.
C. Counting totals shows completeness, not correctness.
D. Test data checks systems, not live data integrity.

Question 360
Which of the following BEST ensures the quality and integrity of test procedures
used in audit analytics?
A. Developing and communicating test procedure best practices to audit teams
B. Centralizing procedures and implementing change control
C. Developing and implementing an audit data repository
D. Decentralizing procedures and implementing periodic peer review
Correct Answer: B – Centralizing procedures and implementing
change control
Explanation: Centralized, controlled procedures reduce inconsistencies and
unauthorized changes, ensuring reliable results.
Incorrect Answers:
A. Communication helps, but without control, inconsistencies may remain.
C. A repository stores data but doesn't ensure procedural integrity.
D. Decentralization increases variation and risk.

Question 361
Which of the following features of a library control software package would protect
against unauthorized updating of source code?
A. Access controls for source libraries
B. Date and time stamping of source and object code
C. Required approvals at each life cycle step
D. Release-to-release comparison of source code
Correct Answer: A – Access controls for source libraries
Explanation: Restricting access to source libraries ensures only authorized
personnel can update source code.
Incorrect Answers:
B. Timestamps provide tracking, not prevention.
C. Approvals are helpful but not sufficient alone.
D. Comparisons detect changes after the fact, not prevent them.

Question 362
Which of the following security testing techniques is MOST effective in discovering
unknown malicious attacks?
A. Penetration testing
B. Sandboxing
C. Vulnerability testing
D. Reverse engineering
Correct Answer: B – Sandboxing
Explanation: Sandboxing allows code to run in isolation and observe behavior,
making it ideal for detecting unknown or zero-day threats.
Incorrect Answers:
A. Penetration testing focuses on known vulnerabilities.
C. Vulnerability testing identifies existing flaws, not unknown ones.
D. Reverse engineering is time-consuming and not preventive.

Question 363
Which of the following should be the PRIMARY objective of conducting an audit
follow-up of management action plans?
A. To verify that risks listed in the audit report have been properly mitigated
B. To ensure senior management is aware of the audit findings
C. To identify new risks and controls for the organization
D. To align the management action plans with business requirements
Correct Answer: A – To verify that risks listed in the audit report
have been properly mitigated
Explanation: The follow-up ensures that corrective actions are implemented and the
original risks are addressed.
Incorrect Answers:
B. Awareness is part of the initial audit communication.
C. New risks may be identified but are not the main goal.
D. Alignment is secondary to risk resolution.

Question 364
Which of the following is the BEST use of a balanced scorecard when evaluating IT
performance?
A. Determining compliance with relevant regulatory requirements
B. Monitoring alignment of IT with the rest of the organization
C. Evaluating implementation of the business strategy
D. Monitoring alignment of the IT project portfolio to budget
Correct Answer: B – Monitoring alignment of IT with the rest of the
organization
Explanation: A balanced scorecard links IT objectives with business goals, ensuring
strategic alignment.
Incorrect Answers:
A. Compliance can be tracked, but it's not the main purpose.
C. Implementation review is broader than scorecard metrics.
D. Budget alignment is only one component.

Question 365
Which of the following is the MOST appropriate role for an IS auditor assigned as a
team member for a software development project?
A. Implementing controls within the software
B. Developing user acceptance testing (UAT) scripts
C. Performing a mid-term evaluation of the project management process
D. Monitoring assessed risk for the project
Correct Answer: D – Monitoring assessed risk for the project
Explanation: The IS auditor’s role is advisory and monitoring in nature, ensuring
risk is identified and addressed.
Incorrect Answers:
A. Implementation compromises independence.
B. Script development is a QA role.
C. Evaluation may occur, but risk monitoring is primary.

Question 366
Which of the following should be of GREATEST concern for an IS auditor reviewing
an organization's bring your own device (BYOD) policy?
A. Not all devices are approved for BYOD
B. The policy does not include the right to audit BYOD devices
C. A mobile device management (MDM) solution is not implemented
D. The policy is not updated annually
Correct Answer: C – A mobile device management (MDM) solution is
not implemented
Explanation: MDM enforces security settings and controls on BYOD devices, and
its absence poses a significant security risk.
Incorrect Answers:
A. Approval gaps can be managed with controls.
B. Audit rights are useful but not critical.
D. Updates are important, but lack of MDM is more critical.

Question 367
Which of the following statements appearing in an organization's acceptable use
policy BEST demonstrates alignment with data classification standards related to the
protection of information assets?
A. Information assets should only be accessed by persons with a justified need
B. All information assets must be encrypted when stored on the organization's
systems
C. Any information assets transmitted over a public network must be approved by
executive management
D. All information assets will be assigned a clearly defined level to facilitate proper
employee handling
Correct Answer: D – All information assets will be assigned a clearly
defined level to facilitate proper employee handling
Explanation: Data classification is about categorizing assets to assign appropriate
controls, making option D the most aligned.
Incorrect Answers:
A. Access control is part of classification, not the classification itself.
B. Encryption is a safeguard, not a classification mechanism.
C. Executive approval is not scalable for classification purposes.

Question 368
Which of the following information security requirements BEST enables the tracking
of organizational data in a bring your own device (BYOD) environment?
A. Employees must immediately report lost or stolen mobile devices containing
organizational data
B. Employees must use auto-lock features and complex passwords on personal devices
C. Employees must sign acknowledgment of the organization's mobile device
acceptable use policy
D. Employees must enroll their personal devices in the organization's mobile device
management program
 Correct Answer: D – Employees must enroll their personal devices in
the organization's mobile device management program
Explanation: MDM enables centralized tracking and control of organizational data
on BYOD devices.
Incorrect Answers:
A. Reporting is reactive, not preventive.
B. Passwords help secure access, but don’t ensure data tracking.
C. Acknowledgment is a compliance measure, not a technical control.

Question 369
Which of the following is MOST important for an IS auditor to verify when
evaluating an organization's firewall?
A. Logs are being collected in a separate protected host
B. Access to configuration files is restricted
C. Automated alerts are being sent when a risk is detected
D. Insider attacks are being controlled
Correct Answer: B – Access to configuration files is restricted
Explanation: Uncontrolled configuration access can lead to misconfigurations or
malicious changes, posing a serious threat.
Incorrect Answers:
A. Log protection is important, but less critical.
C. Alerts are reactive; access control is preventive.
D. Insider threats are broader than just firewall evaluation.

Question 370
Which of the following would be of GREATEST concern to an IS auditor reviewing
backup and recovery controls?
A. Backup procedures are not documented
B. Weekly and monthly backups are stored onsite
C. Backups are stored in an external hard drive
D. Restores from backups are not periodically tested
Correct Answer: D – Restores from backups are not periodically
tested
Explanation: Without testing, the organization cannot be confident that backups
can be successfully restored in an emergency.
Incorrect Answers:
A. Documentation is important but less critical than validation.
B. Onsite storage is risky but acceptable with redundancy.
C. Media type matters less than reliability and testing.
Question 371
Which of the following should be an IS auditor's GREATEST concern when
reviewing an organization's security controls for policy compliance?
A. Security policies are not applicable across all business units
B. End users are not required to acknowledge security policy training
C. The security policy has not been reviewed within the past year
D. Security policy documents are available on a public domain website
Correct Answer: A – Security policies are not applicable across all
business units
Explanation: Inconsistency in policy application across units creates gaps in
enforcement and increases organizational risk.
Incorrect Answers:
B. Acknowledgment supports awareness but is not as critical as universal
applicability.
C. Regular reviews are necessary but can be addressed promptly.
D. Public availability may be poor practice but doesn't directly compromise security.

Question 372
Which of the following should be the PRIMARY basis for prioritizing follow-up
audits?
A. Audit cycle defined in the audit plan
B. Recommendation from executive management
C. Residual risk from the findings of previous audits
D. Complexity of management's action plans
Correct Answer: C – Residual risk from the findings of previous audits
Explanation: Follow-up audits should focus on areas where unresolved risks
continue to pose a threat.
Incorrect Answers:
A. The cycle is a planning tool, not a risk-based trigger.
B. Executive input is important but not the primary basis.
D. Complexity may delay execution but doesn't dictate priority.

Question 373
Which of the following should be an IS auditor's GREATEST consideration when
scheduling follow-up activities for agreed-upon management responses to remediate
audit observations?
A. IT budgeting constraints
B. Availability of responsible IT personnel
C. Risk rating of original findings
D. Business interruption due to remediation
Correct Answer: C – Risk rating of original findings
Explanation: High-risk issues must be addressed first to prevent significant threats
to the organization.
Incorrect Answers:
A. Budget may influence feasibility but not urgency.
B. Personnel availability is a logistical issue, not a risk-based factor.
D. Business interruption can be mitigated but doesn’t reduce the need for follow-up.

Question 374
Which of the following is the MOST useful information for an IS auditor to review
when formulating an audit plan for the organization's outsourced service provider?
A. Service level agreement (SLA) reports
B. The service provider's control self-assessment (CSA)
C. The organization's procurement policy
D. Independent audit reports
Correct Answer: D – Independent audit reports
Explanation: Third-party audit reports provide verified insights into the service
provider’s control environment.
Incorrect Answers:
A. SLA reports show performance but not controls.
B. CSA is self-reported and less reliable.
C. Procurement policies relate to vendor selection, not ongoing risk.

Question 375
Which of the following should be the MOST important consideration when
prioritizing the funding for competing IT projects?
A. Skills and capabilities within the project management team
B. Quality and accuracy of the IT project inventory
C. Criteria used to determine the benefits of projects
D. Senior management preferences
Correct Answer: C – Criteria used to determine the benefits of
projects
Explanation: Objective criteria ensure decisions align with business value and
strategic goals.
Incorrect Answers:
A. Skills are important but do not drive prioritization.
B. Inventory accuracy supports visibility but not funding choices.
D. Preferences may introduce bias.

Question 376
Which of the following is the MOST important consideration when investigating a
security breach of an e-commerce application?
A. Skill set of the response team
B. Chain of custody
C. Notifications to law enforcement
D. Procedures to analyze evidence
Correct Answer: B – Chain of custody
Explanation: Maintaining chain of custody is essential to preserve evidence integrity
and ensure legal admissibility.
Incorrect Answers:
A. Skills are crucial but not the top concern for evidence handling.
C. Notification is secondary to securing and preserving evidence.
D. Procedures are needed, but only valid if evidence is admissible.

Question 377
Which of the following indicates that an internal audit organization is structured to
support the independence and clarity of the reporting process?
A. The internal audit manager has a reporting line to the audit committee
B. The internal audit manager reports functionally to a senior management official
C. Auditors are responsible for assessing and operating a system of internal controls
D. Auditors are responsible for performing operational duties or activities
Correct Answer: A – The internal audit manager has a reporting line
to the audit committee
Explanation: A direct line to the audit committee enhances independence and
reduces management influence.
Incorrect Answers:
B. Functional reporting to management weakens independence.
C. Operating controls compromises objectivity.
D. Performing duties outside of auditing is a conflict of interest.

Question 378
Which of the following would BEST protect the confidentiality of sensitive data in
transit between multiple offices?
A. Digital signatures
B. Public key infrastructure (PKI)
C. Hash algorithms
D. Kerberos
Correct Answer: B – Public key infrastructure (PKI)
Explanation: PKI ensures confidentiality and secure key exchange for encrypted
communication.
Incorrect Answers:
A. Digital signatures verify integrity, not confidentiality.
C. Hashing checks integrity but doesn't encrypt data.
D. Kerberos handles authentication more than encryption.
Question 379
Which of the following is MOST likely to ensure that an organization's systems
development meets its business objectives?
A. Business owner involvement
B. A project plan with clearly identified requirements
C. A focus on strategic projects
D. Segregation of systems development and testing
Correct Answer: A – Business owner involvement
Explanation: Active business involvement ensures alignment with organizational
needs and expectations.
Incorrect Answers:
B. Clear plans help but may not reflect real business needs.
C. Strategy focus is important but not sufficient alone.
D. Segregation supports integrity but not goal alignment.

Question 380
Which of the following is MOST important to review when planning for an IS audit
of an organization's cross-border data transfers?
A. Previous external audit reports
B. Applicable regulatory requirements
C. Offshore supplier risk assessments
D. Long-term IS strategy
Correct Answer: B – Applicable regulatory requirements
Explanation: Cross-border data transfers are subject to various legal and regulatory
requirements that must be reviewed to ensure compliance.
Incorrect Answers:
A. Past reports are helpful but not primary.
C. Supplier risks are relevant but secondary.
D. Strategy is broader and less audit-specific.

Question 381
Which of the following is MOST likely to be a project deliverable of an agile software
development methodology?
A. Automated software programming routines
B. Rapidly created working prototypes
C. Extensive project documentation
D. Strictly managed software requirements baselines
Correct Answer: B – Rapidly created working prototypes
Explanation: Agile emphasizes iterative development and delivering functional
prototypes early.
Incorrect Answers:
A. Automation may be involved but is not a deliverable.
C. Agile focuses on working software over comprehensive documentation.
D. Agile allows evolving requirements rather than strict baselines.

Question 382
Which of the following is the BEST way to mitigate the risk associated with
malicious changes to binary code during the software development life cycle (SDLC)?
A. Parity check
B. Digital envelope
C. Cryptographic hash
D. Segregation of duties
Correct Answer: C – Cryptographic hash
Explanation: A cryptographic hash detects unauthorized changes by verifying code
integrity.
Incorrect Answers:
A. Parity checks detect transmission errors, not tampering.
B. Digital envelopes protect confidentiality, not integrity.
D. Segregation of duties prevents but doesn’t detect binary changes.

Question 383
Which of the following application input controls would MOST likely detect data
input errors in the customer account number field during the processing of an
accounts receivable transaction?
A. Limit check
B. Reasonableness check
C. Validity check
D. Parity check
Correct Answer: C – Validity check
Explanation: A validity check ensures the account number matches a pre-approved
list of valid entries.
Incorrect Answers:
A. Limit checks validate numeric ranges, not specific codes.
B. Reasonableness checks assess plausibility, not existence.
D. Parity checks ensure transmission integrity, not input validity.

Question 384
Which of the following types of environmental equipment will MOST likely be
deployed below the floor tiles of a data center?
A. Temperature sensors
B. Humidity sensors
C. Water sensors
D. Air pressure sensors
Correct Answer: C – Water sensors
Explanation: Water sensors detect leaks under raised floors, helping prevent
damage.
Incorrect Answers:
A. Temperature sensors are typically mounted in air paths or on walls.
B. Humidity sensors are usually wall- or rack-mounted.
D. Air pressure sensors are placed for airflow analysis, not under floors.

Question 385
Which of the following is the BEST justification for deferring remediation testing
until the next audit?
A. The auditor who conducted the audit and agreed with the timeline has left the
organization.
B. Management's planned actions are sufficient given the relative importance of the
observations.
C. Auditee management has accepted all observations reported by the auditor.
D. The audit environment has changed significantly.
Correct Answer: D – The audit environment has changed significantly
Explanation: A changed environment may render prior remediation irrelevant or
outdated, justifying deferral.
Incorrect Answers:
A. Auditor departure doesn’t invalidate timelines.
B. Actions may be sufficient, but testing should confirm results.
C. Acceptance does not equate to implementation.

Question 386
Which of the following would BEST help to ensure the availability of data stored
with a cloud provider?
A. Confirming the cloud provider has a disaster recovery site
B. Requiring the provider to conduct daily backups
C. Defining service level agreements (SLAs) in the contract
D. Defining the reporting process and format
Correct Answer: C – Defining service level agreements (SLAs) in the
contract
Explanation: SLAs explicitly set availability expectations and ensure enforceable
commitments.
Incorrect Answers:
A. A DR site helps, but SLAs formalize availability expectations.
B. Backups support recovery, not continuous availability.
D. Reporting helps monitoring, not assurance.
Question 387
Which of the following security assessment techniques attempts to exploit a system's
open ports?
A. Vulnerability scanning
B. Penetration testing
C. Network scanning
D. Password cracking
Correct Answer: B – Penetration testing
Explanation: Penetration testing simulates attacks to exploit vulnerabilities like
open ports.
Incorrect Answers:
A. Vulnerability scanning identifies issues but doesn’t exploit them.
C. Network scanning identifies ports but doesn’t attempt exploitation.
D. Password cracking targets authentication, not port services.

Question 388
Which of the following provides the MOST assurance that new information systems
are ready for migration to the production environment?
A. Approval by the change advisory board
B. Results of end user acceptance testing (UAT)
C. Results of penetration testing performed by the development team
D. System quality assurance (QA) performed by an in-house team
Correct Answer: B – Results of end user acceptance testing (UAT)
Explanation: UAT confirms the system meets business needs before production.
Incorrect Answers:
A. Change board approval is administrative, not technical.
C. Pen testing ensures security, not functionality.
D. QA ensures quality but may not reflect user expectations.

Question 389
Which of the following controls BEST ensures appropriate segregation of duties
within an accounts payable department?
A. Including the creator's user ID as a field in every transaction record created
B. Ensuring that audit trails exist for transactions
C. Restricting access to update programs to accounts payable staff only
D. Restricting program functionality according to user security profiles
Correct Answer: D – Restricting program functionality according to
user security profiles
Explanation: Role-based access ensures users can only perform actions within their
responsibilities.
Incorrect Answers:
A. Logging actions helps with audits but doesn’t prevent improper access.
B. Audit trails assist after-the-fact, not during operation.
C. Limiting to A/P staff doesn't enforce segregation within that group.

Question 390
Which of the following reports would provide the GREATEST assurance to an IS
auditor about the controls of a third party that processes critical data for the
organization?
A. Independent control assessment
B. Black box penetration test report
C. The third party's control self-assessment (CSA)
D. Vulnerability scan report
Correct Answer: A – Independent control assessment
Explanation: Independent assessments by a qualified party offer the highest
assurance of control effectiveness.
Incorrect Answers:
B. Pen tests are point-in-time and limited in scope.
C. Self-assessments may lack objectivity.
D. Vulnerability scans don’t evaluate control design or operation fully.

Question 391
Which of the following is the BEST indicator of the effectiveness of signature-based
intrusion detection systems (IDSs)?
A. An increase in the number of internally reported critical incidents
B. An increase in the number of unfamiliar sources of intruders
C. An increase in the number of identified false positives
D. An increase in the number of detected incidents not previously identified
Correct Answer: D – An increase in the number of detected incidents
not previously identified
Explanation: Signature-based IDS effectiveness is best indicated by its ability to
detect known threats that were previously missed.
Incorrect Answers:
A. Internal reporting is subjective and may be delayed.
B. Source recognition doesn’t ensure detection quality.
C. More false positives indicate reduced effectiveness.

Question 392
Which of the following should be done by an IS auditor during a post-
implementation review of a critical application that has been operational for six
months?
A. Test program system interfaces
B. Verify the accuracy of data conversions
C. Assess project management risk reports
D. Examine project change request logs
Correct Answer: B – Verify the accuracy of data conversions
Explanation: After implementation, confirming data was converted correctly is
essential to system integrity.
Incorrect Answers:
A. Interface testing is typically done earlier.
C. Risk reports are more useful during project execution.
D. Change logs help but don’t validate correctness of conversion.

Question 393
Which of the following types of testing would BEST mitigate the risk of a newly
implemented system adversely impacting existing systems?
A. User acceptance testing (UAT)
B. Functionality testing
C. Sociability testing
D. Unit testing
Correct Answer: C – Sociability testing
Explanation: Sociability testing (a type of integration testing) verifies that the new
system does not disrupt existing systems.
Incorrect Answers:
A. UAT focuses on business functionality.
B. Functionality testing assesses new system operations.
D. Unit testing is isolated to code modules.

Question 394
Which of the following would be of GREATEST concern to an IS auditor reviewing
an organization's security incident handling procedures?
A. Annual tabletop exercises are performed instead of functional incident response
exercises
B. Roles for computer emergency response team (CERT) members have not been
formally documented
C. Guidelines for prioritizing incidents have not been identified
D. Workstation antivirus software alerts are not regularly reviewed
Correct Answer: C – Guidelines for prioritizing incidents have not
been identified
Explanation: Without prioritization, incidents may not be handled efficiently or
appropriately.
Incorrect Answers:
A. Tabletop exercises are acceptable for some scenarios.
B. Undocumented roles are problematic but not as critical.
D. Antivirus alerts are important but secondary in this context.

Question 395
Which of the following is the MOST important consideration for an organization
when strategizing to comply with privacy regulations?
A. Ensuring up-to-date knowledge of where customer personal data is saved
B. Ensuring there are staff members with in-depth knowledge of the regulations
C. Ensuring regular access recertification to information systems
D. Ensuring contracts with third parties that process customer data are regularly
updated
Correct Answer: A – Ensuring up-to-date knowledge of where
customer personal data is saved
Explanation: Knowing where personal data resides is foundational to ensuring
compliance with privacy requirements.
Incorrect Answers:
B. Knowledge is valuable, but action requires data awareness.
C. Recertification helps but does not address all privacy concerns.
D. Contracts are important, but data location is more critical.

Question 396
Which of the following should an IS auditor review FIRST during the audit of an
organization's business continuity plan (BCP)?
A. System recovery time objectives (RTOs)
B. List of critical business processes
C. System recovery manuals and documentation
D. Frequency of business database replication
Correct Answer: B – List of critical business processes
Explanation: Identifying critical processes ensures BCP efforts focus on the most
essential activities.
Incorrect Answers:
A. RTOs depend on process criticality.
C. Documentation follows planning.
D. Replication supports recovery but is a detail, not a starting point.

Question 397
Which of the following BEST ensures the confidentiality of sensitive data during
transmission?
A. Password protecting data over virtual local area networks (VLAN)
B. Sending data through proxy servers
C. Sending data over public networks using Transport Layer Security (TLS)
D. Restricting the recipient through destination IP addresses
 Correct Answer: C – Sending data over public networks using
Transport Layer Security (TLS)
Explanation: TLS encrypts data in transit, protecting confidentiality over public
networks.
Incorrect Answers:
A. Passwords don’t encrypt data in transit.
B. Proxy servers route data, but do not encrypt it.
D. IP restrictions limit access, not confidentiality.

Question 398
Which of the following is the BEST detective control for a job scheduling process
involving data transmission?
A. Metrics denoting the volume of monthly job failures are reported and reviewed by
senior management
B. Jobs are scheduled to be completed daily and data is transmitted using a Secure
File Transfer Protocol (SFTP)
C. Job failure alerts are automatically generated and routed to support personnel
D. Jobs are scheduled and a log of this activity is retained for subsequent review
Correct Answer: C – Job failure alerts are automatically generated
and routed to support personnel
Explanation: Real-time alerts are the most effective way to detect and respond to
transmission failures.
Incorrect Answers:
A. Monthly metrics provide delayed insights.
B. SFTP is a preventive control, not detective.
D. Logs support reviews but lack immediacy.

Question 399
Which of the following is MOST important when creating a forensic image of a hard
drive?
A. Generating a content hash of the hard drive
B. Choosing an industry-leading forensics software tool
C. Requiring an independent third-party be present while imaging
D. Securing a backup copy of the hard drive
Correct Answer: A – Generating a content hash of the hard drive
Explanation: A hash ensures the integrity of the image and is essential for
admissibility in legal proceedings.
Incorrect Answers:
B. Tool choice is secondary to procedure.
C. A witness may help, but is not essential.
D. A backup is useful, but hashing is mandatory.
Question 400
Which of the following is the GREATEST concern associated with a high number of
IT policy exceptions approved by management?
A. The exceptions are likely to continue indefinitely
B. The exceptions may negatively impact process efficiency
C. The exceptions may elevate the level of operational risk
D. The exceptions may result in noncompliance
Correct Answer: C – The exceptions may elevate the level of
operational risk
Explanation: Too many exceptions undermine security and increase exposure to
risks.
Incorrect Answers:
A. Indefinite continuation is a consequence, not a risk.
B. Efficiency is less critical than risk.
D. Noncompliance is possible, but risk elevation is broader and more severe.

Question 401
Which of the following is MOST important for an IS auditor to consider when
planning an assessment of the organization's end-user computing (EUC) program?
A. The integrity of data processed by end user tools
B. The inclusion of end user tools in the IT balanced scorecard
C. Identification of IT owners for each end user tool
D. The training program curriculum for key end users
Correct Answer: A – The integrity of data processed by end user tools
Explanation: Ensuring the accuracy and reliability of data processed through EUC
tools is critical to organizational decision-making.
Incorrect Answers:
B. Balanced scorecards are helpful but not a primary concern.
C. Ownership is important but secondary to data accuracy.
D. Training supports control but is not the main audit concern.

Question 402
Which of the following access rights presents the GREATEST risk when granted to a
new member of the system development staff?
A. Write access to production program libraries
B. Execute access to development program libraries
C. Write access to development data libraries
D. Execute access to production program libraries
Correct Answer: A – Write access to production program libraries
Explanation: This access allows unauthorized changes to live code, directly
impacting production systems.
Incorrect Answers:
B. Execute rights don’t allow code modification.
C. Development data is non-production.
D. Execute access to production is less risky than write access.

Question 403
Which of the following is the FIRST step in initiating a data classification program?
A. Inventory of data assets
B. Assignment of data ownership
C. Assignment of sensitivity levels
D. Risk appetite assessment
Correct Answer: A – Inventory of data assets
Explanation: Knowing what data exists is the foundation for classification.
Incorrect Answers:
B. Ownership is based on asset identification.
C. Sensitivity cannot be assigned before identification.
D. Risk appetite is strategic, not procedural.

Question 404
Which of the following should be the FIRST step when planning an IS audit of a
third-party service provider that monitors network activities?
A. Determine if the organization has a secure connection to the provider
B. Review the roles and responsibilities of the third-party provider
C. Evaluate the organization's third-party monitoring process
D. Review the third party's monitoring logs and incident handling
Correct Answer: B – Review the roles and responsibilities of the third-
party provider
Explanation: Understanding responsibilities ensures proper scope and control
evaluation.
Incorrect Answers:
A. Connection security is reviewed later.
C. Monitoring is part of execution, not planning.
D. Logs are examined after roles and scope are defined.

Question 405
Which of the following is the BEST use of a maturity model in a small organization?
A. To assess the current maturity level and the level of compliance with key controls
B. To identify required actions to close the gap between current and desired maturity
levels
C. To benchmark against peer organizations that have attained the highest maturity
level
D. To develop a roadmap for the organization to achieve the highest maturity level
Correct Answer: B – To identify required actions to close the gap
between current and desired maturity levels
Explanation: Maturity models help identify improvement areas to align with
business goals.
Incorrect Answers:
A. Assessment is useful, but the value lies in planning improvement.
C. Benchmarking is optional and not always feasible.
D. Highest maturity may not be realistic or necessary.

Question 406
Which of the following should be defined in an audit charter?
A. Audit methodology
B. Audit authority
C. Audit results
D. Audit schedule
Correct Answer: B – Audit authority
Explanation: The audit charter formally defines the internal audit function’s
authority, purpose, and responsibilities.
Incorrect Answers:
A. Methodology is documented separately.
C. Results are outputs, not charter contents.
D. Schedule is part of planning, not the charter.

Question 407
Which of the following areas of responsibility would cause the GREATEST
segregation of duties conflict if the individual who performs the related tasks also has
approval authority?
A. Vendor selection and statements of work
B. Invoices and reconciliations
C. Purchase requisitions and purchase orders
D. Goods receipts and payments
Correct Answer: D – Goods receipts and payments
Explanation: This allows both initiating and executing payments, increasing fraud
risk.
Incorrect Answers:
A. Still needs other approvals for payments.
B. Involves review, not transaction execution.
C. Conflict is lower than combining payments and receipts.
Question 408
Which of the following would MOST likely impair the independence of the IS auditor
when performing a post-implementation review of an application system?
A. The IS auditor implemented a specific control during the development of the
application system
B. The IS auditor designed an embedded audit module exclusively for auditing the
application system
C. The IS auditor participated as a member of the application system project team,
but did not have operational responsibilities
D. The IS auditor provided consulting advice concerning application system best
practices
Correct Answer: A – The IS auditor implemented a specific control
during the development of the application system
Explanation: Implementing controls creates a conflict of interest and compromises
independence.
Incorrect Answers:
B. Designing tools does not influence implementation.
C. Participation without operations may be acceptable.
D. Consulting doesn’t equate to execution.

Question 409
Which of the following is MOST important for an IS auditor to assess during a post-
implementation review of a newly modified IT application developed in-house?
A. Rollback plans for changes
B. Sufficiency of implemented controls
C. Updates required for end user manuals
D. Resource management plan
Correct Answer: B – Sufficiency of implemented controls
Explanation: Controls ensure security, integrity, and availability in the live
environment.
Incorrect Answers:
A. Rollbacks are useful but secondary post-implementation.
C. Documentation is necessary but less critical.
D. Resource plans relate to project management, not post-review.

Question 410
Which of the following is the BEST point in time to conduct a post-implementation
review (PIR)?
A. To coincide with the annual PIR cycle
B. Immediately after deployment
C. After a full processing cycle
D. Six weeks after deployment
 Correct Answer: C – After a full processing cycle
Explanation: This ensures the system has been used long enough to evaluate its
performance.
Incorrect Answers:
A. Timing should depend on operational use, not calendar.
B. Immediate reviews miss usage issues.
D. Six weeks may not cover a full cycle.

Question 411
In which phase of the internal audit process is contact established with the
individuals responsible for the business processes in scope for review?
A. Execution phase
B. Planning phase
C. Selection phase
D. Follow-up phase
Correct Answer: B – Planning phase
Explanation: Initial contact with auditees and clarification of scope occurs during
the planning phase.
Incorrect Answers:
A. Execution involves fieldwork.
C. Selection focuses on determining audit areas.
D. Follow-up comes after findings are reported.

Question 412
Which of the following would be of MOST concern for an IS auditor evaluating the
design of an organization's incident management processes?
A. Prioritization criteria are not defined.
B. Service management standards are not followed.
C. Expected time to resolve incidents is not specified.
D. Metrics are not reported to senior management.
Correct Answer: A – Prioritization criteria are not defined
Explanation: Without prioritization, critical incidents may be mishandled or
delayed.
Incorrect Answers:
B. Standards support design but are not as critical.
C. Resolution times are secondary to proper prioritization.
D. Metrics are for monitoring, not core process definition.

Question 413
Which of the following approaches would BEST ensure that data protection controls
are embedded into software being developed?
A. Utilizing a data protection template for user acceptance testing (UAT)
B. Implementing a quality assurance (QA) process during the development phase
C. Deriving data protection requirements from key stakeholders
D. Tracking data protection requirements throughout the SDLC
Correct Answer: D – Tracking data protection requirements
throughout the SDLC
Explanation: This ensures that controls are considered from design to deployment.
Incorrect Answers:
A. UAT happens late in the cycle.
B. QA supports quality but may miss data protection.
C. Deriving is helpful but must be tracked to implementation.

Question 414
Which of the following is MOST important for an IS auditor to do during an exit
meeting with an auditee?
A. Specify implementation dates for the recommendations.
B. Ensure that the facts presented in the report are correct.
C. Communicate the recommendations to senior management.
D. Request input in determining corrective action.
Correct Answer: B – Ensure that the facts presented in the report are
correct
Explanation: Confirming factual accuracy prevents disputes and ensures credibility.
Incorrect Answers:
A. Implementation is management's responsibility.
C. Communication happens post-exit.
D. Input may be sought earlier in discussions.

Question 415
Which of the following should be the PRIMARY role of an internal audit function in
the management of identified business risks?
A. Validating enterprise risk management (ERM)
B. Establishing a risk management framework
C. Operating the risk management framework
D. Establishing a risk appetite
Correct Answer: A – Validating enterprise risk management (ERM)
Explanation: Internal audit provides independent assurance over risk processes.
Incorrect Answers:
B. Establishing frameworks is a management role.
C. Operating the framework creates conflict of interest.
D. Risk appetite is determined by leadership.
Question 416
Which of the following is MOST critical for the effective implementation of IT
governance?
A. Supportive corporate culture
B. Strong risk management practices
C. Documented policies
D. Internal auditor commitment
Correct Answer: A – Supportive corporate culture
Explanation: Governance requires cultural alignment and buy-in across the
organization.
Incorrect Answers:
B. Risk management is a component, not the foundation.
C. Policies are necessary but depend on culture for enforcement.
D. Auditors provide oversight but are not the driving force.

Question 417
Which of the following controls is BEST implemented through system configuration?
A. Application user access is reviewed every 180 days for appropriateness.
B. Network user accounts for temporary workers expire after 90 days.
C. Computer operations personnel initiate batch processing jobs daily.
D. Financial data in key reports is traced to source systems for completeness and
accuracy.
Correct Answer: B – Network user accounts for temporary workers
expire after 90 days
Explanation: Account expiration can be automated through system settings.
Incorrect Answers:
A. Review requires manual oversight.
C. Batch jobs are operational tasks.
D. Tracing data is an audit or reconciliation activity.

Question 418
Which of the following techniques is MOST appropriate for verifying application
program controls?
A. Observation of data entry
B. Statistical sampling
C. Use of test data
D. Code review
Correct Answer: C – Use of test data
Explanation: This directly verifies how controls respond to valid and invalid inputs.
Incorrect Answers:
A. Observation helps understand but not verify controls.
B. Sampling supports testing but doesn’t target control logic.
D. Code review is indirect and may miss runtime issues.

Question 419
Which of the following is MOST helpful in preventing a systems failure from
occurring when an application is replaced using the abrupt changeover technique?
A. Comprehensive testing
B. Comprehensive documentation
C. Threat and risk assessment
D. Change management
Correct Answer: A – Comprehensive testing
Explanation: Abrupt changes require robust testing to ensure functionality.
Incorrect Answers:
B. Documentation aids troubleshooting, not prevention.
C. Assessment helps planning but doesn’t prevent issues.
D. Change management supports structure, not technical validation.

Question 420
Which of the following findings should be of GREATEST concern to an IS auditor
assessing the risk associated with end-user computing (EUC) in an organization?
A. Lack of defined criteria for EUC applications
B. Lack of awareness training for EUC users
C. Insufficient processes to track ownership of each EUC application
D. Insufficient processes to test for version control
Correct Answer: C – Insufficient processes to track ownership of each
EUC application
Explanation: Without ownership, accountability and control over critical
spreadsheets or tools is weak.
Incorrect Answers:
A. Criteria help classification but not as critical as ownership.
B. Training improves usage but doesn’t assign accountability.
D. Version control is important but follows ownership establishment.

Question 421
Which of the following would be of GREATEST concern if noted during an audit of
compliance with licensing agreements?
A. Distribution software is only maintained on a centralized server.
B. The software vendor required monthly verification of licenses.
C. Desktop software is personally expensed and not capitalized.
D. The organization does not monitor upgrades to its software.
Correct Answer: D – The organization does not monitor upgrades to
its software
Explanation: Failing to monitor software upgrades may result in unlicensed use,
violating agreements.
Incorrect Answers:
A. Centralized software control improves compliance.
B. Vendor requirements may be strict but not inherently risky.
C. Expensing software affects accounting, not compliance.

Question 422
Which of the following is MOST important for an IS auditor to confirm when
conducting a review of an active-active application cluster configuration?
A. Results from recent user satisfaction surveys meet operational targets.
B. The cluster configuration includes adequate network bandwidth.
C. The cluster switches between active-active and active-passive configurations.
D. The IT operations team maintains a version history of the cluster software.
Correct Answer: B – The cluster configuration includes adequate
network bandwidth
Explanation: Adequate bandwidth ensures performance and high availability in an
active-active setup.
Incorrect Answers:
A. User satisfaction is less technical and not specific to clustering.
C. Switching modes is unrelated if active-active is required.
D. Version history is important but not critical for availability.

Question 423
Which of the following is the MOST appropriate control to ensure integrity of online
orders?
A. Public key encryption
B. Digital signature
C. Data Encryption Standard (DES)
D. Multi-factor authentication
Correct Answer: B – Digital signature
Explanation: Digital signatures provide integrity by verifying data has not been
altered.
Incorrect Answers:
A. Encryption ensures confidentiality, not integrity.
C. DES is outdated and insecure.
D. MFA authenticates users but doesn't ensure data integrity.

Question 424
Which of the following should be done FIRST to develop an effective business
continuity plan (BCP)?
A. Perform a business impact analysis (BIA).
B. Secure an alternate processing site.
C. Create a business unit communications plan.
D. Create a disaster recovery plan (DRP).
Correct Answer: A – Perform a business impact analysis (BIA)
Explanation: BIA identifies critical processes and dependencies essential to
developing a BCP.
Incorrect Answers:
B. Alternate sites are selected based on BIA findings.
C. Communication plans come later in BCP.
D. DRP is a component of the BCP, not the starting point.

Question 425
During an exit meeting, an IS auditor highlights that backup cycles are being missed
due to operator error and that these exceptions are not being managed.
Which of the following is the BEST way to help management understand the
associated risk?
A. Explain the impact to resource requirements.
B. Explain the impact to disaster recovery.
C. Explain the impact to backup scheduling.
D. Explain the impact to incident management.
Correct Answer: B – Explain the impact to disaster recovery
Explanation: Missed backups compromise disaster recovery, which can be critical
during an outage.
Incorrect Answers:
A. Resource needs are secondary to recovery risk.
C. Scheduling issues are symptoms, not the main concern.
D. Incident management is a response layer, not the core risk.

Question 426
Which of the following is the BEST way to determine if IT is delivering value to the
business?
A. Analyze downtime frequency and duration.
B. Interview key IT managers and service providers.
C. Perform control self-assessments (CSAs).
D. Review IT service level agreement (SLA) results.
Correct Answer: D – Review IT service level agreement (SLA) results
Explanation: SLA results objectively measure whether IT meets business
expectations.
Incorrect Answers:
A. Downtime is part of SLA but not comprehensive.
B. Interviews are subjective.
C. CSA focuses on controls, not business value delivery.

Question 427
Which of the following is the MOST important determining factor when establishing
appropriate timeframes for follow-up activities related to audit findings?
A. Remediation dates included in management responses
B. Availability of IS audit resources
C. Peak activity periods for the business
D. Complexity of business processes identified in the audit
Correct Answer: A – Remediation dates included in management
responses
Explanation: The agreed-upon remediation schedule dictates follow-up timing.
Incorrect Answers:
B. Audit resource availability is secondary.
C. Business cycles may influence but not determine timing.
D. Complexity affects duration, not necessarily timing.

Question 428
Which of the following is MOST important to consider when assessing the scope of
privacy concerns for an IT project?
A. Business requirements and data flows
B. Applicable laws and regulations
C. Data ownership
D. End user access rights
Correct Answer: B – Applicable laws and regulations
Explanation: Legal compliance drives the extent and handling of privacy-related
data.
Incorrect Answers:
A. Business flows help identify data paths but do not define scope.
C. Ownership supports control but isn't the primary driver.
D. Access rights are part of implementation, not scope.

Question 429
Which of the following is MOST important to verify when implementing an
organization's information security program?
A. The organization's security strategy is documented and approved.
B. The security program has been benchmarked to industry standards.
C. The security program is adequately funded in the budget.
D. The IT department has developed and implemented training programs.
Correct Answer: A – The organization's security strategy is
documented and approved
Explanation: A documented and approved strategy ensures direction, alignment,
and commitment.
Incorrect Answers:
B. Benchmarking helps compare but doesn't define implementation.
C. Funding is essential but follows strategy approval.
D. Training is important but secondary to governance.

Question 430
Which of the following should be of GREATEST concern to an IS auditor performing
a review of information security controls?
A. The information security policy does not include mobile device provisions.
B. The information security policy is not frequently reviewed.
C. The information security policy has not been approved by the chief audit
executive (CAE).
D. The information security policy has not been approved by the policy owner.
Correct Answer: D – The information security policy has not been
approved by the policy owner
Explanation: Without approval from the accountable owner, enforcement and
ownership are weak.
Incorrect Answers:
A. Mobile provisions are content-level, not governance.
B. Review frequency is important but not as critical as lack of approval.
C. CAE approval is not required for security policies—it's outside their role.

Question 431
Which of the following provides the BEST method for maintaining the security of
corporate applications pushed to employee-owned mobile devices?
A. Disabling unnecessary network connectivity options
B. Implementing mobile device management (MDM)
C. Enabling remote data destruction capabilities
D. Requiring security awareness training for mobile users
Correct Answer: B – Implementing mobile device management
(MDM)
Explanation: MDM allows centralized control, enforcing security policies, updates,
and remote wipe for lost devices.
Incorrect Answers:
A. Disabling connectivity is not scalable or comprehensive.
C. Remote wipe is part of MDM but not sufficient alone.
D. Awareness training supports security but doesn’t enforce controls.
Question 432
Which of the following is found in an audit charter?
A. The authority given to the audit function
B. The process of developing the annual audit plan
C. Audit objectives and scope
D. Required training for audit staff
Correct Answer: A – The authority given to the audit function
Explanation: An audit charter formally grants authority and outlines the role of
internal audit.
Incorrect Answers:
B. Planning processes are part of operational procedures, not the charter.
C. Objectives are defined in individual audits, not the charter.
D. Training requirements are handled by HR or audit policy, not the charter.

Question 433
Which of the following would be an appropriate role of internal audit in helping to
establish an organization's privacy program?
A. Designing controls to protect personal data
B. Defining roles within the organization related to privacy
C. Analyzing risks posed by new regulations
D. Developing procedures to monitor the use of personal data
Correct Answer: C – Analyzing risks posed by new regulations
Explanation: Internal audit can assess privacy-related risks to support management
decision-making.
Incorrect Answers:
A. Designing controls compromises audit independence.
B. Defining roles is a management responsibility.
D. Procedure development is operational, not audit’s role.

Question 434
Which of the following is the PRIMARY reason for using a digital signature?
A. Authenticate the sender of a message
B. Provide confidentiality to the transmission
C. Verify the integrity of the data and the identity of the recipient
D. Provide availability to the transmission
Correct Answer: A – Authenticate the sender of a message
Explanation: Digital signatures verify the sender’s identity and message integrity.
Incorrect Answers:
B. Confidentiality is achieved through encryption, not signatures.
C. Integrity is ensured, but recipient identity is not verified.
D. Availability is unrelated to signatures.
Question 435
Which of the following is the BEST way to mitigate the impact of ransomware
attacks?
A. Paying the ransom
B. Invoking the disaster recovery plan (DRP)
C. Backing up data frequently
D. Requiring password changes for administrative accounts
Correct Answer: C – Backing up data frequently
Explanation: Frequent, secure backups allow data restoration without paying
ransom.
Incorrect Answers:
A. Paying ransom is discouraged and may not restore access.
B. DRP helps but depends on backup availability.
D. Changing passwords is a security best practice but not specific to ransomware
mitigation.

Question 436
Which of the following demonstrates the use of data analytics for a loan origination
process?
A. Evaluating whether loan records are included in the batch file and are validated
by the servicing system.
B. Validating whether reconciliations between the two systems are performed and
discrepancies are investigated.
C. Comparing a population of loans input in the origination system to loans booked
on the servicing system.
D. Reviewing error handling controls to notify appropriate personnel in the event of a
transmission failure.
Correct Answer: C – Comparing a population of loans input in the
origination system to loans booked on the servicing system
Explanation: This comparison is a direct application of analytics to ensure data
integrity between systems.
Incorrect Answers:
A. Validation is useful but more operational than analytic.
B. Reconciliation review is procedural, not analytical.
D. Reviewing controls is important, but not a use of analytics.

Question 437
Which of the following observations would an IS auditor consider the GREATEST
risk when conducting an audit of a virtual server farm for potential software
vulnerabilities?
A. Guest operating systems are updated monthly.
B. Antivirus software has been implemented on the guest operating system only.
C. A variety of guest operating systems operate on one virtual server.
D. The hypervisor is updated quarterly.
Correct Answer: B – Antivirus software has been implemented on the
guest operating system only
Explanation: The hypervisor layer also needs protection; focusing only on guests
leaves critical infrastructure exposed.
Incorrect Answers:
A. Monthly updates are standard and not alarming.
C. OS diversity can be managed with proper controls.
D. Quarterly hypervisor updates may be acceptable based on patching cycles.

Question 438
Which of the following is the PRIMARY purpose of conducting follow-up audits for
material observations?
A. To assess evidence for management reporting
B. To validate the correctness of reported findings
C. To validate remediation efforts
D. To assess the risk of the audit environment
Correct Answer: C – To validate remediation efforts
Explanation: The main goal is to ensure corrective actions have been implemented
effectively.
Incorrect Answers:
A. Management reporting is a result, not the purpose.
B. Original findings have already been validated.
D. Risk assessment is part of planning, not follow-up.

Question 439
Which of the following would be a result of utilizing a top-down maturity model
process?
A. A means of comparing the effectiveness of other processes within the enterprise
B. Identification of older, more established processes to ensure timely review
C. Identification of processes with the most improvement opportunities
D. A means of benchmarking the effectiveness of similar processes with peers
Correct Answer: C – Identification of processes with the most
improvement opportunities
Explanation: Maturity models help prioritize improvements based on current
capability levels.
Incorrect Answers:
A. Internal comparison is limited in top-down models.
B. Process age is not necessarily linked to maturity.
D. Benchmarking is separate from internal maturity modeling.

Question 440
Which of the following is the BEST recommendation to prevent fraudulent electronic
funds transfers by accounts payable employees?
A. Periodic vendor reviews
B. Independent reconciliation
C. Re-keying of monetary amounts
D. Dual control
Correct Answer: D – Dual control
Explanation: Dual control ensures no single employee can complete a transaction,
reducing fraud risk.
Incorrect Answers:
A. Vendor reviews detect issues but don't prevent fraud.
B. Reconciliation is a detective, not preventive, control.
C. Re-keying helps data entry but doesn’t reduce fraud risk alone.

Question 441
Which of the following is the MOST important issue for an IS auditor to consider
with regard to Voice-over IP (VoIP) communications?
A. Nonrepudiation
B. Identity management
C. Continuity of service
D. Homogeneity of the network
Correct Answer: C – Continuity of service
Explanation: VoIP requires continuous network availability; loss of connectivity
directly disrupts communication.
Incorrect Answers:
A. Nonrepudiation is important, but less critical for voice services.
B. Identity management is needed, but not the top concern for VoIP.
D. Network diversity is less of a concern than service continuity.

Question 442
Which of the following is the BEST control to help prevent sensitive data leaving an
organization via email?
A. Scanning outgoing emails
B. Blocking outbound emails sent without encryption
C. Conducting periodic phishing tests
D. Providing encryption solutions for employees
Correct Answer: B – Blocking outbound emails sent without
encryption
Explanation: Preventive controls like encryption enforcement stop data leaks before
they happen.
Incorrect Answers:
A. Scanning is detective, not preventive.
C. Phishing tests target user behavior, not outbound data protection.
D. Encryption tools help, but enforcement is key.

Question 443
Which of the following is the BEST indicator of the effectiveness of an organization's
portfolio management program?
A. Percentage of investments achieving their forecasted value
B. Maturity levels of the value management processes
C. Experience of the portfolio management personnel
D. Stakeholder's perception of IT's value
Correct Answer: A – Percentage of investments achieving their
forecasted value
Explanation: Meeting expected value demonstrates alignment with business
objectives.
Incorrect Answers:
B. Maturity models help guide improvement, not measure results.
C. Experience is helpful, but not a performance metric.
D. Perception is subjective and may not reflect actual value.

Question 444
Which of the following would BEST prevent the potential leakage of sensitive
corporate data from personal mobile devices accessing corporate applications?
A. Limiting access and capabilities when connecting to the Internet
B. Creating a separate secure partition on the devices
C. Monitoring employee connections to the corporate network
D. Requiring employees to sign acknowledgment of an acceptable use policy
Correct Answer: B – Creating a separate secure partition on the
devices
Explanation: Secure containers isolate corporate data from personal areas, reducing
leakage risk.
Incorrect Answers:
A. Limiting capabilities is reactive and insufficient.
C. Monitoring alone won’t prevent leakage.
D. Acknowledgments are important but do not enforce technical controls.

Question 445
Which of the following would BEST determine whether a post-implementation review
(PIR) performed by the project management office (PMO) was effective?
A. The review was performed by an external provider.
B. Management approved the PIR report.
C. Project outcomes have been realized.
D. Lessons learned were implemented.
Correct Answer: D – Lessons learned were implemented
Explanation: Effective PIRs result in actionable improvements being adopted for
future projects.
Incorrect Answers:
A. External providers don’t guarantee effectiveness.
B. Approval doesn’t ensure outcomes were acted upon.
C. Outcomes reflect project success, not PIR effectiveness.

Question 446
Which of the following applications has the MOST inherent risk and should be
prioritized during audit planning?
A. An internally developed application
B. An onsite application that is unsupported
C. A decommissioned legacy application
D. An outsourced accounting application
Correct Answer: B – An onsite application that is unsupported
Explanation: Unsupported applications pose risks due to lack of patches and vendor
support.
Incorrect Answers:
A. Internally developed systems can be secure if maintained.
C. Decommissioned apps pose minimal operational risk.
D. Outsourced systems may be well governed under SLAs.

Question 447
Which of the following BEST enables an organization to quantify acceptable data
loss in the event of a disaster?
A. Recovery time objective (RTO)
B. Recovery point objective (RPO)
C. Availability of backup software
D. Mean time to recover (MTTR)
Correct Answer: B – Recovery point objective (RPO)
Explanation: RPO defines how much data can be lost between backups, helping
quantify acceptable loss.
Incorrect Answers:
A. RTO defines downtime, not data loss.
C. Software availability supports backup but doesn’t quantify loss.
D. MTTR relates to recovery speed, not data retention.
Question 448
Which of the following is the BEST compensating control when segregation of duties
is lacking in a small IS department?
A. Transaction log review
B. Background checks
C. Mandatory holidays
D. User awareness training
Correct Answer: A – Transaction log review
Explanation: Independent reviews of activity logs help detect inappropriate actions.
Incorrect Answers:
B. Background checks are preventive, not compensating for SoD issues.
C. Mandatory leave may help but is less frequent.
D. Awareness helps prevent mistakes, not compensate for SoD.

Question 449
Which of the following would be the MOST useful metric for management to
consider when reviewing a project portfolio?
A. Cost of projects divided by total IT cost
B. Net present value (NPV) of the portfolio
C. Total cost of each project
D. Expected return divided by total project cost
Correct Answer: B – Net present value (NPV) of the portfolio
Explanation: NPV helps evaluate project value over time, aligning with financial
goals.
Incorrect Answers:
A. Cost ratios lack insight into return.
C. Total cost alone doesn’t assess benefit.
D. Return/cost is helpful but less comprehensive than NPV.

Question 450
Which of the following would BEST detect that a distributed denial of service
(DDoS) attack is occurring?
A. Server crashes
B. Customer service complaints
C. Penetration testing
D. Automated monitoring of logs
Correct Answer: D – Automated monitoring of logs
Explanation: Real-time log analysis can identify abnormal traffic patterns typical of
DDoS attacks.
Incorrect Answers:
A. Crashes indicate effects, not detection.
B. Complaints are indirect and delayed.
C. Pen testing is proactive, not for real-time detection.

Question 451
Which of the following is the BEST indicator for measuring performance of the IT
help desk function?
A. Percentage of problems raised from incidents
B. Number of reopened tickets
C. Number of incidents reported
D. Mean time to categorize tickets
Correct Answer: B – Number of reopened tickets
Explanation: A low number of reopened tickets indicates issues are being resolved
effectively the first time.
Incorrect Answers:
A. This metric doesn't directly measure resolution performance.
C. Volume alone does not reflect quality or efficiency.
D. Categorization speed matters less than resolution quality.

Question 452
Which of the following types of firewalls provide the GREATEST degree of control
against hacker intrusion?
A. Packet filtering router
B. Circuit gateway
C. Application level gateway
D. Screening router
Correct Answer: C – Application level gateway
Explanation: This firewall works at the application layer and can inspect full
payloads for malicious content.
Incorrect Answers:
A. Packet filters offer only basic filtering.
B. Circuit gateways are less granular.
D. Screening routers offer limited inspection.

Question 453
Which of the following responsibilities of an organization's quality assurance (QA)
function should raise concern for an IS auditor?
A. Ensuring the test work supports observations
B. Implementing solutions to correct defects
C. Updating development methodology
D. Ensuring standards are adhered to within the development process
Correct Answer: B – Implementing solutions to correct defects
Explanation: QA should not be involved in implementation, which could impair
independence.
Incorrect Answers:
A. Supporting observations is part of QA validation.
C. Updating methodology is an advisory role.
D. Ensuring adherence to standards is a QA responsibility.

Question 454
Which of the following is the GREATEST risk associated with data conversion and
migration during implementation of a new application?
A. Lack of data transformation rules
B. Absence of segregation of duties
C. Obsolescence and data backup compatibility
D. Inadequate audit trails and logging
Correct Answer: A – Lack of data transformation rules
Explanation: Without clear transformation rules, data integrity can be
compromised during conversion.
Incorrect Answers:
B. Important, but not the top risk in data conversion.
C. Backups matter, but transformation errors are more critical.
D. Logging supports audit, but errors in conversion are more impactful.

Question 455
Which of the following is MOST important to include within a business continuity
plan (BCP) so that backup and replication is configured in a way that ensures data
availability?
A. Recovery time objective (RTO)
B. Resource management plan
C. Disaster recovery location site
D. Recovery point objective (RPO)
Correct Answer: D – Recovery point objective (RPO)
Explanation: RPO determines how recent the restored data should be, directly
guiding backup frequency.
Incorrect Answers:
A. RTO defines recovery time, not data point recency.
B. Resource plans help planning but not backup config.
C. DR site location doesn't define backup timing.

Question 456
Which of the following concerns is BEST addressed by securing production source
libraries?
A. Changes are applied to the wrong version of production source libraries.
B. Programs are not approved before production source libraries are updated.
C. Unauthorized changes can be moved into production.
D. Production source and object libraries may not be synchronized
Correct Answer: C – Unauthorized changes can be moved into
production
Explanation: Securing source libraries restricts unauthorized access, protecting
against unapproved changes.
Incorrect Answers:
A. Version control systems address this.
B. Approval processes are related but not dependent on library security.
D. Synchronization is a process concern, not a security one.

Question 457
Which of the following is the BEST source of information for an IS auditor to use as
a baseline to assess the adequacy of an organization's privacy policy?
A. Globally accepted privacy best practices
B. Historical privacy breaches and related root causes
C. Benchmark studies of similar organizations
D. Local privacy standards and regulations
Correct Answer: D – Local privacy standards and regulations
Explanation: Compliance with applicable laws is mandatory, forming the baseline
for privacy policies.
Incorrect Answers:
A. Best practices are supplemental to legal requirements.
B. Breaches help improvement but not define adequacy.
C. Benchmarks may not reflect legal mandates.

Question 458
Which of the following findings should be of MOST concern to an IS auditor
reviewing an organization's business continuity plan (BCP)?
A. The plan has not been updated in several years.
B. The plan has not been signed by executive management.
C. No tabletop exercises have been conducted for the plan.
D. End users have not been trained on the latest version of the plan.
Correct Answer: A – The plan has not been updated in several years
Explanation: An outdated BCP may not reflect current risks or systems, making it
ineffective during a disaster.
Incorrect Answers:
B. Important, but lack of update affects usefulness more.
C. Testing is vital, but an outdated plan is foundationally flawed.
D. Training follows an updated plan.
Question 459
Which of the following conditions would be of MOST concern to an IS auditor
assessing the risk of a successful brute force attack against encrypted data at rest?
A. Short key length
B. Use of asymmetric encryption
C. Use of symmetric encryption
D. Random key generation
Correct Answer: A – Short key length
Explanation: Shorter keys are easier to crack using brute force techniques.
Incorrect Answers:
B/C. Encryption type matters, but key length is the primary brute force risk.
D. Random keys are good; not a concern.

Question 460
Which of the following metrics would be MOST useful to an IS auditor when
assessing the resilience of an application programming interface (API)?
A. Number of patches released within a time interval for the API
B. Number of defects logged during development compared to other APIs
C. Number of API calls expected versus actually received within a time interval
D. Number of developers adopting the API for their applications
Correct Answer: C – Number of API calls expected versus actually
received within a time interval
Explanation: Variances in expected vs actual calls may indicate availability or
reliability issues.
Incorrect Answers:
A. Patch volume doesn't reflect real-time resilience.
B. Defect counts are historical, not operational.
D. Developer adoption shows popularity, not resilience.
Question 461
Which of the following controls would BEST ensure that payroll system rate changes
are valid?
A. Rate changes must be entered twice to ensure that they are entered correctly.
B. Rate changes are reported to and independently verified by a manager.
C. Rate changes require visual verification before acceptance.
D. Only a payroll department manager can input the new rate.
Correct Answer: B – Rate changes are reported to and independently
verified by a manager
Explanation: Independent verification ensures the legitimacy of payroll rate changes
and reduces fraud.
Incorrect Answers:
A. Double entry helps input accuracy but not validation.
C. Visual checks are less reliable and lack documentation.
D. Restricting input alone does not confirm validity.

Question 462
Which of the following testing methods is MOST appropriate for assessing whether
system integrity has been maintained after changes have been made?
A. Integration testing
B. Regression testing
C. Acceptance testing
D. Unit testing
Correct Answer: B – Regression testing
Explanation: Regression testing verifies that new changes haven’t affected existing
functionalities, maintaining system integrity.
Incorrect Answers:
A. Integration testing focuses on module interaction, not past functionality.
C. Acceptance testing ensures business requirements are met.
D. Unit testing focuses on individual components, not overall integrity.

Question 463
Which of the following is MOST important when planning a network audit?
A. Isolation of rogue access points
B. Identification of existing nodes
C. Analysis of traffic content
D. Determination of IP range in use
Correct Answer: B – Identification of existing nodes
Explanation: Knowing what devices are on the network is essential to define the
audit scope and assess vulnerabilities.
Incorrect Answers:
A. Rogue access point detection is part of testing, not planning.
C. Traffic analysis is post-audit activity.
D. IP range helps, but node inventory is more fundamental.

Question 464
Which of the following is the MOST important benefit of involving IS audit when
implementing governance of enterprise IT?
A. Identifying relevant roles for an enterprise IT governance framework
B. Providing independent and objective feedback to facilitate improvement of IT
processes
C. Making decisions regarding risk response and monitoring of residual risk
D. Verifying that legal, regulatory, and contractual requirements are being met
Correct Answer: B – Providing independent and objective feedback to
facilitate improvement of IT processes
Explanation: IS auditors bring unbiased insights that improve governance by
identifying process gaps.
Incorrect Answers:
A. Defining roles is management’s task.
C. Risk decisions are not the auditor’s role.
D. Compliance verification is important but secondary to governance improvements.

Question 465
Which of the following governance functions is responsible for ensuring IT projects
have sufficient resources and are prioritized appropriately?
A. Executive management
B. IT steering committee
C. IT management
D. Board of directors
Correct Answer: B – IT steering committee
Explanation: The IT steering committee aligns projects with business goals and
prioritizes resources.
Incorrect Answers:
A. Executive management sets direction but does not prioritize all projects.
C. IT management handles execution, not governance prioritization.
D. The board oversees strategy but doesn’t directly manage IT project resources.

Question 466
Which of the following would be MOST useful to an IS auditor confirming that an IS
department meets its service level agreements (SLAs)?
A. System utilization reports
B. Capacity planning tools
C. System downtime reports
D. IS strategic plan
Correct Answer: C – System downtime reports
Explanation: Downtime reports directly measure SLA compliance, such as uptime
requirements.
Incorrect Answers:
A. Utilization relates to performance, not SLA fulfillment.
B. Planning tools support operations but don’t confirm SLA adherence.
D. Strategic plans set goals, not performance confirmation.

Question 467
Which of the following is the PRIMARY benefit of performing a maturity model
assessment?
A. It identifies and fixes attribute weaknesses.
B. It facilitates the execution of an improvement plan.
C. It acts as a measuring tool and progress indicator.
D. It ensures organizational consistency and improvement.
Correct Answer: C – It acts as a measuring tool and progress indicator
Explanation: Maturity models benchmark current capabilities and help track
improvements over time.
Incorrect Answers:
A. Identification is a step, not the main purpose.
B. Execution follows assessment; not the purpose.
D. Consistency is a byproduct, not the core benefit.

Question 468
Which of the following represents the HIGHEST level of maturity of an information
security program?
A. The program meets regulatory and compliance requirements.
B. Information security policies and procedures are established.
C. A framework is in place to measure risks and track effectiveness.
D. A training program is in place to promote information security awareness.
Correct Answer: C – A framework is in place to measure risks and
track effectiveness
Explanation: Mature programs use metrics and performance tracking to guide
continuous improvement.
Incorrect Answers:
A/B/D. These are earlier maturity levels, focused on compliance and foundational
practices.

Question 469
Which of the following findings should be of GREATEST concern for an IS auditor
when auditing the effectiveness of a phishing simulation test administered for staff
members?
A. Security awareness training was not provided prior to the test.
B. Staff members were not notified about the test beforehand.
C. Staff members who failed the test did not receive follow-up education.
D. Test results were not communicated to staff members.
Correct Answer: C – Staff members who failed the test did not receive
follow-up education
Explanation: Without follow-up, staff are not corrected or educated, reducing test
value.
Incorrect Answers:
A. Surprise testing is valid to assess real behavior.
B. Notification before testing reduces test effectiveness.
D. Feedback is good, but follow-up is more critical.

Question 470
Which of the following is the GREATEST risk associated with conducting
penetration testing on a business-critical application production environment?
A. Results may differ from those obtained in the test environment.
B. Data integrity may become compromised.
C. System owners may not be informed in advance.
D. This type of testing may not adhere to audit standards.
Correct Answer: B – Data integrity may become compromised
Explanation: Live penetration testing could unintentionally corrupt or alter
production data.
Incorrect Answers:
A. Differences in results are expected, not critical.
C. Notification is procedural, not the highest risk.
D. Audit standards are not the main concern during active testing.

Question 471
Which of the following documents would be MOST useful in detecting a weakness in
segregation of duties?
A. Data flow diagram
B. Systems flowchart
C. Entity-relationship diagram
D. Process flowchart
Correct Answer: B – Systems flowchart
Explanation: A systems flowchart shows the flow of data and responsibilities,
helping to identify conflicts in duties.
Incorrect Answers:
A. Data flow diagrams show information flow but not responsibilities.
C. Entity-relationship diagrams focus on database structure.
D. Process flowcharts describe steps but not role segregation.

Question 472
Which of the following should be of GREATEST concern to an IS auditor reviewing
a system software development project based on agile practices?
A. Lack of change management documentation
B. Lack of user acceptance testing (UAT) sign off
C. Lack of weekly production releases
D. Lack of secure coding practices
Correct Answer: D – Lack of secure coding practices
Explanation: Inadequate secure coding exposes the system to vulnerabilities,
regardless of methodology.
Incorrect Answers:
A. Change management is flexible in Agile.
B. UAT may be continuous and informal in Agile.
C. Weekly releases are not mandatory in all Agile setups.

Question 473
Which of the following is the PRIMARY advantage of using virtualization technology
for corporate applications?
A. Improved disaster recovery
B. Stronger data security
C. Better utilization of resources
D. Increased application performance
Correct Answer: C – Better utilization of resources
Explanation: Virtualization maximizes hardware usage by running multiple systems
on fewer physical machines.
Incorrect Answers:
A. DR is improved but not the main benefit.
B. Security depends on configuration.
D. Virtualization may add overhead, not increase speed.

Question 474
Which of the following IT service management activities is MOST likely to help with
identifying the root cause of repeated instances of network latency?
A. Change management
B. Incident management
C. Problem management
D. Configuration management
Correct Answer: C – Problem management
Explanation: Problem management investigates root causes of recurring issues like
network latency.
Incorrect Answers:
A. Change management tracks system changes.
B. Incident management handles immediate issues.
D. Configuration management tracks asset setups.

Question 475
Which of the following is the BEST indication that an information security program
is aligned with organizational objectives?
A. Senior management conducts regular reviews of information security policies.
B. The information security steering committee sets organizational security priorities.
C. Risk is managed to within organizational tolerances.
D. Information security processes are in place throughout the system development
life cycle (SDLC).
Correct Answer: C – Risk is managed to within organizational
tolerances
Explanation: Alignment is evident when risk levels match what the organization
can accept.
Incorrect Answers:
A. Reviews are important but not sufficient.
B. Committees guide policy but don’t guarantee alignment.
D. SDLC processes help but are just one aspect.

Question 476
Which of the following is the MOST effective way to maintain network integrity
when using mobile devices?
A. Implement outbound firewall rules.
B. Implement network access control.
C. Perform network reviews.
D. Review access control lists.
Correct Answer: B – Implement network access control
Explanation: Network access control ensures only compliant devices connect,
protecting network integrity.
Incorrect Answers:
A. Firewalls help but don’t validate device health.
C. Reviews are periodic, not proactive.
D. Access lists don’t validate endpoint security.

Question 477
Which of the following is a challenge in developing a service level agreement (SLA)
for network services?
A. Finding performance metrics that can be measured properly
B. Reducing the number of entry points into the network
C. Ensuring that network components are not modified by the client
D. Establishing a well-designed framework for network services
Correct Answer: A – Finding performance metrics that can be
measured properly
Explanation: Defining measurable, meaningful metrics is essential and often difficult
when drafting SLAs.
Incorrect Answers:
B. Entry points relate to security, not SLAs.
C. Component changes are governed by policy.
D. Frameworks support delivery but are not SLA-specific.

Question 478
Which of the following is MOST important to ensure when planning a black box
penetration test?
A. The management of the client organization is aware of the testing.
B. The test results will be documented and communicated to management.
C. Diagrams of the organization's network architecture are available.
D. The environment and penetration test scope have been determined.
Correct Answer: D – The environment and penetration test scope
have been determined
Explanation: Defining scope ensures the test is controlled, safe, and compliant with
agreements.
Incorrect Answers:
A. Awareness helps but doesn’t ensure safe execution.
B. Reporting is post-test.
C. Black box tests work without architectural knowledge.

Question 479
Which of the following BEST determines if a batch update job was successfully
executed?
A. Obtaining process owner confirmation that the job was completed
B. Testing a sample of transactions to confirm updates were applied
C. Verifying the timestamp from the job log
D. Reviewing a copy of the script for the job
Correct Answer: B – Testing a sample of transactions to confirm
updates were applied
Explanation: Verifying results confirms that the job executed and data was
correctly processed.
Incorrect Answers:
A. Process owner statements are not evidence.
C. Timestamps show execution, not correctness.
D. Scripts don’t verify outcome.

Question 480
Which of the following is the MOST effective approach in assessing the quality of
modifications made to financial software?
A. An independent auditor will be engaged to undertake a pre-implementation
review.
B. The quality of the implemented product will be assessed during acceptance
testing.
C. The quality plan will be assessed during the design phase of development.
D. Independent quality assurance (QA) activities will be undertaken at various
phases of the project.
Correct Answer: D – Independent quality assurance (QA) activities
will be undertaken at various phases of the project
Explanation: Continuous, independent QA throughout the project ensures
consistent software quality.
Incorrect Answers:
A. Pre-implementation reviews are limited in scope.
B. UAT focuses on user needs, not software quality.
C. Design review is early and doesn’t cover implementation.

Question 481
Which of the following is the MOST effective detective control for identifying
unauthorized changes in a critical database?
A. Use of database views
B. Periodic data integrity checks
C. Access control restrictions
D. Implementation of change control procedures
Correct Answer: B – Periodic data integrity checks
Explanation: These checks identify unauthorized alterations by comparing data
against expected norms.
Incorrect Answers:
A. Views limit access but don't detect changes.
C. Preventive, not detective.
D. Ensures changes follow protocol but doesn’t detect deviations.

Question 482
Which of the following is the PRIMARY concern when outsourcing IT services to a
vendor operating in a different jurisdiction?
A. Network latency
B. Cultural differences
C. Regulatory compliance
D. Currency exchange risk
Correct Answer: C – Regulatory compliance
Explanation: Legal and data protection laws vary across jurisdictions, possibly
impacting compliance.
Incorrect Answers:
A. Latency is technical, not legal.
B. Important but secondary.
D. Financial risk, not compliance-related.

Question 483
Which of the following is the BEST way to ensure audit logs are protected against
unauthorized changes?
A. Encrypting audit logs
B. Implementing backup rotation
C. Regularly reviewing logs
D. Storing logs in plain text
Correct Answer: A – Encrypting audit logs
Explanation: Encryption ensures logs cannot be tampered with and preserves their
integrity.
Incorrect Answers:
B. Ensures availability, not integrity.
C. Helps detection, not prevention.
D. Plain text is insecure.

Question 484
What is the MOST significant risk of not updating firewall rule sets regularly?
A. Increased network bandwidth usage
B. Unauthorized access to sensitive systems
C. Inability to log network activity
D. Excessive user support requests
Correct Answer: B – Unauthorized access to sensitive systems
Explanation: Outdated rules may allow unapproved traffic, leading to compromise.
Incorrect Answers:
A. Traffic may increase but not the primary risk.
C. Logging is separate.
D. Not relevant to firewall updates.

Question 485
Which of the following is the BEST metric for evaluating the efficiency of an IT help
desk?
A. Number of tickets closed
B. Average time to resolve tickets
C. Number of calls received
D. Percentage of calls escalated
Correct Answer: B – Average time to resolve tickets
Explanation: It reflects how efficiently the team resolves issues.
Incorrect Answers:
A. Quantity doesn’t imply quality.
C. Doesn’t indicate resolution success.
D. Escalation rate shows complexity, not efficiency.

Question 486
Which of the following would BEST support data minimization principles in a
customer onboarding process?
A. Encrypting all customer data
B. Limiting collected data to what is necessary
C. Using anonymized datasets
D. Implementing a strong authentication mechanism
Correct Answer: B – Limiting collected data to what is necessary
Explanation: Data minimization requires only collecting essential data.
Incorrect Answers:
A. Protects data but doesn’t reduce volume.
C. Helps with privacy, but may not be applicable in onboarding.
D. Security control, not minimization.

Question 487
Which of the following is the PRIMARY risk of lacking version control in software
development?
A. Source code theft
B. Delayed deployment
C. Untraceable code changes
D. Increased software licensing costs
Correct Answer: C – Untraceable code changes
Explanation: Without version control, identifying what changed and when becomes
difficult.
Incorrect Answers:
A. Access controls mitigate theft.
B. May occur, but not directly linked.
D. Versioning doesn't affect licensing.
Question 488
An IS auditor finds that the antivirus software is not centrally managed. What is the
MOST significant risk?
A. Poor vendor support
B. System performance degradation
C. Inconsistent signature updates
D. Overuse of storage space
Correct Answer: C – Inconsistent signature updates
Explanation: Without central control, endpoints may have outdated protection.
Incorrect Answers:
A. Not critical.
B. Not the main risk.
D. Minor impact.

Question 489
Which of the following BEST mitigates risk when developers are granted emergency
access to production systems?
A. Mandatory password changes
B. Logging and post-access review
C. Two-factor authentication
D. Time-limited access tokens
Correct Answer: B – Logging and post-access review
Explanation: Review ensures actions taken are justified and appropriate.
Incorrect Answers:
A. Helps control access but lacks oversight.
C. Enhances security but doesn’t validate usage.
D. Restricts time but not action.

Question 490
Which of the following would BEST help an IS auditor evaluate the effectiveness of
an organization's data archiving strategy?
A. Number of archived files
B. Storage location of archived data
C. Retrieval time of archived data
D. Type of archive media used
Correct Answer: C – Retrieval time of archived data
Explanation: Fast and reliable access demonstrates an effective archive strategy.
Incorrect Answers:
A. Volume doesn’t reflect usability.
B. Location matters, but not a direct performance measure.
D. Media choice affects durability, not performance alone.
Question 491
When evaluating the design of controls related to network monitoring, which of the
following is MOST important for an IS auditor to review?
A. Network topology diagrams
B. Reports of network traffic analysis
C. The ISP service level agreement
D. Incident monitoring logs
Correct Answer: D – Incident monitoring logs
Explanation: Reviewing incident logs reveals whether monitoring is actively
detecting and responding to anomalies.
Incorrect Answers:
A. Topology diagrams aid understanding but don’t show control operation.
B. Traffic analysis shows trends, not necessarily incidents.
C. ISP SLAs are service-focused, not control-focused.

Question 492
Which of the following is MOST important for an organization to complete prior to
developing its disaster recovery plan (DRP)?
A. Business impact analysis (BIA)
B. Comprehensive IT inventory
C. Support staff skills gap analysis
D. Risk assessment
Correct Answer: A – Business impact analysis (BIA)
Explanation: BIA identifies critical systems and recovery priorities essential for
DRP development.
Incorrect Answers:
B. Inventory supports planning but comes after the BIA.
C. Skills assessment is useful but not foundational.
D. Risk assessment supports BIA, but BIA must precede DRP design.

Question 493
Which of the following would be MOST time and cost efficient when performing a
control self-assessment (CSA) for an organization with a large number of widely
dispersed employees?
A. Survey questionnaire
B. Facilitated workshops
C. Face-to-face interviews
D. Top-down and bottom-up analysis
Correct Answer: A – Survey questionnaire
Explanation: Surveys can quickly gather input from a broad audience at low cost.
Incorrect Answers:
B. Workshops require coordination and travel.
C. Interviews are detailed but time-intensive.
D. Top-down/bottom-up analysis is thorough but resource-heavy.

Question 494
Which of the following is the BEST way to ensure that business continuity plans
(BCPs) will work effectively in the event of a major disaster?
A. Regularly update business impact assessments
B. Prepare detailed plans for each business function
C. Make senior managers responsible for their plan sections
D. Involve staff at all levels in periodic paper walk-through exercises
Correct Answer: D – Involve staff at all levels in periodic paper walk-
through exercises
Explanation: Simulations verify practicality and readiness of the plan across all
functions.
Incorrect Answers:
A. BIA is a supporting activity, not a test.
B. Detailed plans help but don’t ensure functionality.
C. Manager ownership is necessary, but testing confirms effectiveness.

Question 495
Which of the following should be of MOST concern to an IS auditor reviewing the
public key infrastructure (PKI) for enterprise email?
A. The private key certificate has not been updated
B. The certificate revocation list has not been updated
C. The certificate practice statement has not been published
D. The PKI policy has not been updated within the last year
Correct Answer: B – The certificate revocation list has not been
updated
Explanation: An outdated CRL allows compromised certificates to remain valid,
posing serious risks.
Incorrect Answers:
A. Expired private key affects individual users but not entire PKI integrity.
C. Lack of a published CPS is a compliance issue, not an operational risk.
D. Annual policy updates are important but not as urgent.

Question 496
Which of the following will MOST likely compromise the control provided by a
digital signature created using RSA encryption?
A. Altering the plaintext message
B. Deciphering the receiver's public key
C. Obtaining the sender's private key
D. Reversing the hash function using the digest
Correct Answer: C – Obtaining the sender's private key
Explanation: The private key authenticates the signature; if compromised, trust is
lost.
Incorrect Answers:
A. Altering plaintext invalidates the signature, which is the intended result.
B. Public keys are meant to be publicly available.
D. Reversing hashes is computationally infeasible and not a typical concern.

Question 497
Which of the following should be of GREATEST concern to an IS auditor conducting
an audit of an organization that recently experienced a ransomware attack?
A. Antivirus software was unable to prevent the attack even though it was properly
updated
B. Backups were only performed within the local network
C. The most recent security patches were not tested prior to implementation
D. Employees were not trained on cybersecurity policies and procedures
Correct Answer: B – Backups were only performed within the local
network
Explanation: Local backups may also be encrypted by ransomware, rendering
recovery impossible.
Incorrect Answers:
A. Antivirus bypass is common in ransomware and not the primary concern.
C. Untested patches may cause issues but are not the attack vector here.
D. Training is important, but recovery hinges on backup strategy.

Question 498
Which of the following would an IS auditor recommend as the MOST effective
preventive control to reduce the risk of data leakage?
A. Validate that all data files contain digital watermarks
B. Implement an intrusion detection system (IDS)
C. Ensure that paper documents are disposed securely
D. Verify that application logs capture any changes made
Correct Answer: A – Validate that all data files contain digital
watermarks
Explanation: Watermarking helps trace and discourage unauthorized data
distribution.
Incorrect Answers:
B. IDS is a detective control.
C. Secure disposal helps but applies to physical assets.
D. Logging is detective, not preventive.

Question 499
Which of the following should an IS auditor review FIRST when planning a customer
data privacy audit?
A. Legal and compliance requirements
B. Customer agreements
C. Data classification
D. Organizational policies and procedures
Correct Answer: A – Legal and compliance requirements
Explanation: Regulatory requirements guide the audit scope and criteria.
Incorrect Answers:
B. Agreements follow regulatory requirements.
C. Classification helps in assessing controls but is scoped by law.
D. Policies support implementation of regulatory obligations.

Question 500
Which of the following would BEST detect that a distributed denial of service
(DDoS) attack is occurring?
A. Server crashes
B. Customer service complaints
C. Penetration testing
D. Automated monitoring of logs
Correct Answer: D – Automated monitoring of logs
Explanation: Real-time monitoring can detect unusual traffic patterns indicative of
a DDoS attack.
Incorrect Answers:
A. Server crashes show impact, not detection.
B. Complaints are lagging indicators.
C. Pen testing is proactive, not reactive detection.

Question 501
Which of the following is the BEST indication of the completeness of interface
control documents used for the development of a new application?
A. Failed interface data transfers prevent subsequent processes.
B. All documents have been reviewed by end users.
C. Both successful and failed interface data transfers are recorded.
D. All inputs and outputs for potential actions are included.
Correct Answer: D – All inputs and outputs for potential actions are included
Explanation: The completeness of interface control documents is best demonstrated
when they account for all possible inputs and outputs. This ensures the application
can handle all potential interactions correctly.
Incorrect Answers:
A. This shows a failure in the system, not the document's completeness.
B. End-user review is good but not proof of completeness.
C. Logging transfer status is valuable but not sufficient to indicate document
completeness.

Question 502
Which of the following would BEST demonstrate that an effective disaster recovery
plan (DRP) is in place?
A. Full operational test
B. Periodic risk assessment
C. Annual walk-through testing
D. Frequent testing of backups
Correct Answer: A – Full operational test
Explanation: A full operational test demonstrates that systems, processes, and
personnel can effectively recover and resume operations, confirming the effectiveness
of the DRP.
Incorrect Answers:
B. Risk assessments help planning but don’t verify effectiveness.
C. Walk-throughs are theoretical, not practical.
D. Backup testing is important but limited in scope.

Question 503
Which of the following provides the MOST reliable audit evidence on the validity of
transactions in a financial application?
A. Substantive testing
B. Walk-through reviews
C. Design documentation reviews
D. Compliance testing
Correct Answer: A – Substantive testing
Explanation: Substantive testing involves directly validating transaction data and
balances, offering strong evidence of validity.
Incorrect Answers:
B. Walk-throughs are high-level and less rigorous.
C. Documentation review does not confirm transaction validity.
D. Compliance testing focuses on control adherence, not transaction accuracy.

Question 504
Which of the following establishes the role of the internal audit function?
A. Audit project plan
B. Audit objectives
C. Audit charter
D. Audit governance
Correct Answer: C – Audit charter
Explanation: The audit charter formally defines the audit function's authority,
scope, and responsibilities within the organization.
Incorrect Answers:
A. The project plan outlines a specific audit's details.
B. Objectives pertain to individual audits.
D. Governance refers to the broader framework and oversight.

Question 505
Which of the following is MOST important for an IS auditor to review when
evaluating the accuracy of a spreadsheet that contains several macros?
A. Version history
B. Formulas within macros
C. Reconciliation of key calculations
D. Encryption of the spreadsheet
Correct Answer: B – Formulas within macros
Explanation: Macros can execute automated calculations or actions, and errors in
formulas can lead to significant inaccuracies.
Incorrect Answers:
A. Version history helps tracking changes but not accuracy.
C. Reconciliation ensures consistency but not macro logic.
D. Encryption protects confidentiality, not accuracy.

Question 506
Which of the following is MOST important to include in forensic data collection and
preservation procedures?
A. Maintaining chain of custody
B. Preserving data integrity
C. Assuring the physical security of devices
D. Determining tools to be used
Correct Answer: A – Maintaining chain of custody
Explanation: Chain of custody ensures that evidence is admissible in court and that
the data has not been tampered with.
Incorrect Answers:
B. Data integrity is essential but part of maintaining chain of custody.
C. Physical security is important, but not sufficient alone.
D. Tool selection matters but is not the most critical.

Question 507
Which of the following is MOST important for an effective control self-assessment
(CSA) program?
A. Determining the scope of the assessment
B. Evaluating changes to the risk environment
C. Performing detailed test procedures
D. Understanding the business process
Correct Answer: D – Understanding the business process
Explanation: A solid understanding of the business process is foundational for
identifying relevant risks and controls.
Incorrect Answers:
A. Scope is important but should be based on business understanding.
B. Risk changes matter, but come after understanding the process.
C. Testing is part of validation, not planning.

Question 508
Which of the following is the PRIMARY protocol for protecting outbound content
from tampering and eavesdropping?
A. Internet Key Exchange (IKE)
B. Secure Shell (SSH)
C. Point-to-Point Protocol (PPP)
D. Transport Layer Security (TLS)
Correct Answer: D – Transport Layer Security (TLS)
Explanation: TLS is the standard protocol for encrypting and securing content over
the internet.
Incorrect Answers:
A. IKE is used for IPsec key management, not for general content.
B. SSH secures terminal sessions, not general outbound content.
C. PPP is for direct connections and lacks robust encryption.

Question 509
Which of the following security risks can be reduced by a properly configured
network firewall?
A. SQL injection attacks
B. Phishing attacks
C. Denial of service (DoS) attacks
D. Insider attacks
Correct Answer: C – Denial of service (DoS) attacks
Explanation: Firewalls can be configured to detect and block abnormal traffic
patterns typical of DoS attacks.
Incorrect Answers:
A. SQL injection is mitigated at the application layer.
B. Phishing is addressed by email filters and training.
D. Insider threats are managed with access control, not firewalls.
Question 510
Which of the following is the MOST effective control to prevent unauthorized
changes to production data?
A. Limiting user access to production data
B. Logging user activities in the system
C. Encrypting data during transmission
D. Requiring user acceptance testing (UAT) before deployment
Correct Answer: A – Limiting user access to production data
Explanation: Limiting access ensures that only authorized personnel can make
changes, which directly prevents unauthorized modifications.
Incorrect Answers:
B. Logging helps detect, but not prevent, unauthorized access.
C. Encryption protects data in transit, not at rest or from unauthorized changes.
D. UAT ensures correctness but does not prevent unauthorized access post-
deployment.