Which type of testing is most important to perform during a project audit to help ensure business objectives are met?

Question 1

Which of the following should an IS auditor recommend as a PRIMARY area of focus when an organization decides to outsource technical support for its external customers?

A. Align service level agreements (SLAs) with current needs. B. Monitor customer satisfaction with the change. C. Ensure right to audit is included within the contract. D. Minimize costs related to the third-party agreement.

Question 2

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

A. Bring the escrow version up to date. B. Develop a maintenance plan to support the application using the existing code. C. Perform an analysis to determine the business risk. D. Analyze a new application that meets the current re

Question 3

Which of the following provides the MOST reliable audit evidence on the validity of transactions in a financial application?

A. Walk-through reviews B. Design documentation reviews C. Compliance testing D. Substantive testing

Question 4

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

A. configuration of the firewall. B. location of the firewall within the network. C. firewall standards. D. firmware version of the firewall.

Question 5

Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?

A. Password/PIN protection B. Periodic backup C. Device tracking software D. Device encryption

Question 6

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

A. Allowing employees to store large emails on flash drives B. Limiting the size of file attachments being sent via email C. Automatically deleting emails older than one year D. Moving emails to a virtual email vault after 30 days

Question 7

Which of the following is the BEST evidence that an organization's IT strategy is aligned to its business objectives?

A. The IT strategy is modified in response to organizational change. B. The IT strategy is approved by executive management. C. The IT strategy is based on IT operational best practices. D. The IT strategy has significant impact on the business strategy.

Question 8

Which of the following would an IS auditor recommend as the MOST effective preventive control to reduce the risk of data leakage?

A. Verify that application logs capture any changes made. B. Ensure that paper documents are disposed of securely. C. Validate that all data files contain digital watermarks. D. Implement an intrusion detection system (IDS).

Question 9

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

A. Observe the performance of business processes. B. Review a report of security rights in the system. C. Develop a process to identify authorization conflicts. D. Examine recent system access rights violations.
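The "report of security rights" in option B is only efficient if someone actually evaluates it against a conflict matrix. As an added illustration (not part of the exam page), the Python below reads a constructed user/role export, resolves roles to business functions through an assumed role catalogue, and lists every user whose combined roles grant both halves of a conflicting pair. All role names, function names and users are constructed sample data.

```python
"""Detect segregation-of-duties (SoD) conflicts from an exported rights report.

Added illustration, not code from the exam page. The conflict matrix, role
catalogue and rights export below are constructed sample data.
"""
import csv
import io

# Pairs of functions that one person must not hold together (assumed ruleset).
CONFLICTING_FUNCTIONS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"develop_code", "deploy_production"}),
}

# Role -> business functions it grants (assumed role catalogue).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_CONTROLLER": {"post_journal"},
    "DEVELOPER": {"develop_code"},
    "RELEASE_ENGINEER": {"deploy_production"},
}

# Constructed rights report in the shape a system would export: one row per user/role.
RIGHTS_REPORT = """user,role
alice,AP_CLERK
alice,AP_MANAGER
bob,GL_ACCOUNTANT
carol,GL_CONTROLLER
dave,DEVELOPER
dave,RELEASE_ENGINEER
erin,AP_CLERK
"""


def load_user_roles(report_csv):
    """Aggregate the per-row export into {user: set(roles)}."""
    user_roles = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user_roles.setdefault(row["user"].strip(), set()).add(row["role"].strip())
    return user_roles


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by all of a user's roles.
    A role missing from the catalogue contributes nothing; a real review
    would report such roles separately because they cannot be assessed."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def find_sod_violations(report_csv, conflicts=CONFLICTING_FUNCTIONS):
    """Return {user: [sorted conflicting function pairs]} for every user whose
    combined roles grant both functions of at least one conflicting pair."""
    violations = {}
    for user, roles in load_user_roles(report_csv).items():
        funcs = effective_functions(roles)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= funcs]
        if hits:
            violations[user] = sorted(hits)
    return violations


if __name__ == "__main__":
    for user, pairs in sorted(find_sod_violations(RIGHTS_REPORT).items()):
        for first, second in pairs:
            print(f"{user}: holds both {first} and {second}")
```

The conflicts are defined on functions rather than on role names, so a new role that quietly bundles two conflicting functions is caught as soon as it is mapped in the catalogue, which is the check option C describes building as an ongoing process.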

Question 10

Which of the following security risks can be reduced by a properly configured network firewall?

A. Phishing attacks B. Insider attacks C. Denial of service (DoS) attacks D. SQL injection attacks

Question 11

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

A. Comparing a list of all servers from the directory server against a list of all servers present in the central log repository B. Inspecting a sample of alert settings configured in the central log repository C. Inspecting a sample of alerts generated from the central log repository D. Comparing all servers included in the current central log repository with the listing used for the prior-year audit
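Option A is a completeness test: the population (every server in the directory) is compared against what the log repository actually receives. The practical difficulty is that the two exports rarely name hosts the same way. The Python below is an added illustration, not part of the exam page; both lists and the domain suffix are constructed sample data.

```python
"""Reconcile the server inventory against the central log repository's sources.

Added illustration, not code from the exam page. Both lists are constructed:
one as a directory export of server DNS names, the other as a log
repository's source list. Real exports differ in naming (short name versus
FQDN, case, trailing dots), so names are normalised before comparison.
"""

# Constructed directory export: every server object, DNS host name as exported.
DIRECTORY_SERVERS = [
    "DC01.corp.example.com",
    "FS01.corp.example.com",
    "DB-PROD-01.corp.example.com",
    "web01.corp.example.com",
    "hr-app01.corp.example.com",
]

# Constructed log-source list from the central repository; note the mixed case,
# the short name and the trailing dot.
LOG_SOURCES = [
    "dc01.corp.example.com",
    "fs01",
    "web01.corp.example.com.",
    "legacy-print.corp.example.com",   # still sending logs, no longer in the directory
]

DOMAIN_SUFFIX = ".corp.example.com"   # assumed internal DNS domain


def normalise(hostname, suffix=DOMAIN_SUFFIX):
    """Lower-case, strip a trailing dot, and reduce an FQDN in our own domain
    to its short name so both lists compare on the same key."""
    name = hostname.strip().lower().rstrip(".")
    if name.endswith(suffix):
        name = name[: -len(suffix)]
    return name


def reconcile(directory, sources):
    """Return (not_logging, unknown_sources): servers in the directory with no
    log source (the exception in the question), and log sources that no longer
    match any directory object (stale or unmanaged hosts worth a follow-up)."""
    inventory = {normalise(h) for h in directory}
    logging = {normalise(h) for h in sources}
    return sorted(inventory - logging), sorted(logging - inventory)


def coverage_ratio(directory, sources):
    """Share of directory servers that have a matching log source."""
    inventory = {normalise(h) for h in directory}
    logging = {normalise(h) for h in sources}
    return len(inventory & logging) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    missing, unknown = reconcile(DIRECTORY_SERVERS, LOG_SOURCES)
    print("servers not in the log repository:", missing)
    print("log sources not in the directory:", unknown)
    print(f"coverage: {coverage_ratio(DIRECTORY_SERVERS, LOG_SOURCES):.0%}")
```

Comparing against last year's list (option D) would only show change, not coverage: a server missing in both years never appears as an exception, whereas the set difference above surfaces it directly.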

Question 12

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization's disaster recovery plan (DRP)?

A. The DRP has not been distributed to end users. B. The DRP contains recovery procedures for critical servers only. C. The DRP has not been formally approved by senior management. D. The DRP has not been updated since an IT infrastructure upgrade.

Question 13

The waterfall life cycle model of software development is BEST suited for which of the following situations?

A. The project will involve the use of new technology. B. The project intends to apply an object-oriented design approach. C. The project is subject to time pressures. D. The project requirements are well understood.

Question 14

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is MOST effective for an IS auditor to review:

A. rollback plans. B. audit trails. C. data analytics findings. D. acceptance testing results.

Question 15

Cross-site scripting (XSS) attacks are BEST prevented through:

A. secure coding practices. B. a three-tier web architecture. C. use of common industry frameworks. D. application firewall policy settings.
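"Secure coding practices" for XSS means, concretely, encoding untrusted data for the output context it lands in (HTML text, attribute, URL, JavaScript) rather than concatenating it into markup. As an added illustration (not part of the exam page), the Python below renders the same constructed search page two ways: the vulnerable concatenation and the hardened version that encodes per context. The page template, the payload and the helper names are constructed for the example; a real application should rely on a templating engine that auto-escapes, with a content security policy as defence in depth.

```python
"""Output encoding as the secure-coding control against reflected XSS.

Added illustration, not code from the exam page. The template and the
attacker-controlled input are constructed. Written without a web framework
so it runs offline; the point is the difference between the two renderers.
"""
from html import escape
from urllib.parse import quote

# Constructed attacker-controlled input, e.g. the q= parameter of a search page.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def render_vulnerable(query):
    """The flaw: untrusted input concatenated straight into HTML in two
    different contexts (element text and a quoted href attribute)."""
    return (
        f"<p>Results for: {query}</p>"
        f'<a href="/search?q={query}">search again</a>'
    )


def render_hardened(query):
    """Encode for each output context separately:
    - element text: HTML-escape, with quote=True so ' and " are encoded too;
    - URL query component: percent-encode with no safe characters, which also
      makes it safe inside the surrounding quoted attribute because the quote
      character itself becomes %22."""
    text = escape(query, quote=True)
    url_component = quote(query, safe="")
    return (
        f"<p>Results for: {text}</p>"
        f'<a href="/search?q={url_component}">search again</a>'
    )


def contains_script_tag(html):
    """Crude check used only to show the difference between the renderers.
    It is not a sanitiser and must not be used as one."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PAYLOAD))
    print("hardened:  ", render_hardened(PAYLOAD))
```

Note what the hardened version does not do: it never tries to strip "<script>" from the input (a blocklist the attacker routes around with event handlers or encoded variants), and it does not rely on the application firewall in option D, which sees only the request and cannot know which output context the data will reach.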

Question 16

Secure code reviews as part of a continuous deployment program are which type of control?

A. Preventive B. Corrective C. Detective D. Logical

Question 17

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

A. Portfolio management B. Business processes C. Business plans D. IT strategic plans

Question 18

Which of the following BEST indicates that an incident management process is effective?

A. Increased number of reported critical incidents B. Decreased number of calls to the help desk C. Decreased time for incident resolution D. Increased number of incidents reviewed by IT management

Question 19

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

A. Establishing committees to support and oversee framework activities B. Documenting IT-related policies and procedures C. Involving appropriate business representation within the framework D. Aligning the framework to industry best practices

Question 20

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

A. Transaction log review B. User awareness training C. Background checks D. Mandatory holidays

Question 21

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

A. reflect current practices. B. incorporate changes to relevant laws. C. be subject to adequate quality assurance (QA). D. include new systems and corresponding process changes.

Question 22

An organization is planning an acquisition and has engaged an IS auditor to evaluate the IT governance framework of the target company. Which of the following would be MOST helpful in determining the effectiveness of the framework?

A. Self-assessment reports of IT capability and maturity B. IT performance benchmarking reports with competitors C. Current and previous internal IS audit reports D. Recent third-party IS audit reports

Question 23

Which of the following BEST helps to ensure data integrity across system interfaces?

A. Access controls B. System backups C. Reconciliation D. Environment segregation
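Reconciliation across an interface usually means control totals: the sending system emits a record count, an amount total and a hash total with the batch, and the receiving system recomputes them from what it actually loaded. The Python below is an added illustration, not part of the exam page; the batch, the trailer layout and the tampering scenarios are all constructed.

```python
"""Control-total reconciliation across a system interface.

Added illustration, not code from the exam page. The batch and its trailer
format are constructed. The receiver recomputes count, amount total and a
hash total over the loaded records; any mismatch is an integrity exception.
"""
import hashlib
from decimal import Decimal

CONTROL_FIELDS = ("count", "amount_total", "hash_total")


def hash_total(records):
    """Order-independent hash over each record's id and amount, so a dropped,
    duplicated or altered record changes the value even when the amount
    total happens to balance."""
    digest = hashlib.sha256()
    for rec in sorted(records, key=lambda r: r["id"]):
        digest.update(f'{rec["id"]}|{rec["amount"]}\n'.encode())
    return digest.hexdigest()


def build_trailer(records):
    """Trailer the sending system attaches to the batch (assumed layout).
    Amounts are summed as Decimal to avoid float rounding."""
    total = sum(Decimal(r["amount"]) for r in records)
    return {
        "count": len(records),
        "amount_total": str(total),
        "hash_total": hash_total(records),
    }


def reconcile(sent_trailer, received_records):
    """Return a list of discrepancy strings; an empty list means the batch
    reconciles. Each string names the control that failed."""
    actual = build_trailer(received_records)
    return [
        f"{field}: sent {sent_trailer[field]} received {actual[field]}"
        for field in CONTROL_FIELDS
        if sent_trailer[field] != actual[field]
    ]


# Constructed batch as sent by the source system.
SENT = [
    {"id": "INV-1001", "amount": "125.00"},
    {"id": "INV-1002", "amount": "75.50"},
    {"id": "INV-1003", "amount": "300.00"},
]
SENT_TRAILER = build_trailer(SENT)

# Constructed failure 1: one record dropped in transit and one amount altered.
RECEIVED_TAMPERED = [
    {"id": "INV-1001", "amount": "125.00"},
    {"id": "INV-1003", "amount": "310.00"},
]

# Constructed failure 2: two amounts changed by offsetting values, so count
# and amount total still agree; only the hash total detects it.
RECEIVED_OFFSET = [
    {"id": "INV-1001", "amount": "100.00"},
    {"id": "INV-1002", "amount": "100.50"},
    {"id": "INV-1003", "amount": "300.00"},
]

if __name__ == "__main__":
    for label, batch in (("clean", SENT), ("tampered", RECEIVED_TAMPERED), ("offset", RECEIVED_OFFSET)):
        print(label, reconcile(SENT_TRAILER, batch) or "reconciles")
```

The offset case is why a count and an amount total alone are not enough: they are the classic controls, but a hash total over the record content is what turns reconciliation into an integrity check rather than a balance check.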

Question 24

Which of the following is the MOST important consideration when evaluating the data retention policy for a global organization with regional offices in multiple countries?

A. The policy aligns with corporate policies and practices. B. The policy aligns with local laws and regulations. C. The policy aligns with global best practices. D. The policy aligns with business goals and objectives.

Question 25

Which of the following is the MOST important reason to classify a disaster recovery plan (DRP) as confidential?

A. Reduce the risk of data leakage that could lead to an attack. B. Ensure compliance with the data classification policy. C. Protect the plan from unauthorized alteration. D. Comply with business continuity best practice.

Question 26

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

A. Integration B. Staging C. Development D. Testing

Question 27

An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor's GREATEST concern?

A. The data model is not clearly documented. B. A training plan for business users has not been developed. C. The vendor development team is located overseas. D. The cost of outsourcing is lower than in-house development.

Question 28

Which of the following should be an IS auditor's GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

A. IT budgeting constraints B. Risk rating of original findings C. Availability of responsible IT personnel D. Business interruption due to remediation

Question 29

Which of the following is the BEST reason for an organization to use clustering?

A. To improve system resiliency B. To facilitate faster backups C. To improve the recovery time objective (RTO) D. To decrease system response time

Question 30

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

A. The private key certificate has not been updated. B. The certificate revocation list has not been updated. C. The certificate practice statement has not been published. D. The PKI policy has not been updated within the last year.

Question 31

Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?

A. Identify approved data workflows across the enterprise. B. Conduct a threat analysis against sensitive data usage. C. Conduct a data inventory and classification exercise. D. Create the DLP policies and templates.

Question 32

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

A. Implement overtime pay and bonuses for all development staff. B. Deliver only the core functionality on the initial target date. C. Recruit IS staff to expedite system development. D. Utilize new system development tools to improve productivity.

Question 33

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

A. Configuring the router as a firewall B. Installing biometrics-based authentication C. Using smart cards with one-time passwords D. Periodically reviewing log files
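Options A to C are preventive controls; only log review (D) detects attempts, successful or not. Reviewing "periodically" is only useful if the review is repeatable, so in practice it is a script. The Python below is an added illustration, not part of the exam page: it parses constructed sshd-style authentication lines and flags source addresses that exceed an assumed failure threshold within a sliding window. The log lines, the threshold and the window are constructed assumptions a real review would tune to its own environment.

```python
"""Periodic review of authentication logs to surface intrusion attempts.

Added illustration, not code from the exam page. The log lines are constructed
in the style of OpenSSH's sshd syslog output; threshold and window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst from one address, then normal use.
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 02:14:03 bastion sshd[1203]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Mar  3 02:14:05 bastion sshd[1205]: Failed password for root from 203.0.113.45 port 51041 ssh2
Mar  3 02:14:08 bastion sshd[1207]: Failed password for root from 203.0.113.45 port 51055 ssh2
Mar  3 02:14:11 bastion sshd[1209]: Failed password for invalid user test from 203.0.113.45 port 51060 ssh2
Mar  3 02:14:30 bastion sshd[1211]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  3 02:20:00 bastion sshd[1213]: Failed password for alice from 198.51.100.20 port 40200 ssh2
Mar  3 02:20:40 bastion sshd[1215]: Accepted password for alice from 198.51.100.20 port 40201 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(log, year=2024):
    """Return (timestamp, result, user, source_ip) tuples for each auth event.
    Syslog timestamps carry no year, so one is supplied (assumed)."""
    events = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue                      # unrelated sshd messages are skipped
        stamp = " ".join(match["ts"].split())   # collapse the padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, match["result"], match["user"], match["ip"]))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Source IPs whose failed logins reach the threshold inside any window.
    Returns {ip: max failures seen within one window}."""
    failures = defaultdict(list)
    for ts, result, _, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        best, right = 0, 0
        for left in range(len(times)):       # two-pointer sliding window
            while right < len(times) and times[right] - times[left] <= window:
                right += 1
            best = max(best, right - left)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_brute_force(parse(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {count} failed logins within one minute")
```

The single failure from 198.51.100.20 followed by a success is the everyday mistyped-password pattern and is correctly not flagged; the point of a threshold plus window is to separate that from the burst. The same parser feeds other checks a reviewer would add next, such as a success from an address that was failing moments earlier.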

Question 34

The BEST way to determine whether programmers have permission to alter data in the production environment is by reviewing:

A. the access rights that have been granted. B. how the latest system changes were implemented. C. the access control system's log settings. D. the access control system's configuration.

Question 35

An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

A. Security incident log B. Manual sign-in and sign-out log C. Alarm system with CCTV D. System electronic log

Correct Answer: B

Question 36

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

A. Assign additional resources to supplement the audit B. Escalate to the audit committee C. Determine where delays have occurred D. Extend the audit deadline

Question 37

When auditing the alignment of IT to the business strategy, it is MOST important for the IS auditor to:

A. interview senior managers for their opinion of the IT function. B. evaluate deliverables of new IT initiatives against planned business services. C. ensure an IT steering committee is appointed to monitor new IT projects. D. compare the organization's strategic plan against industry best practice.

Question 38

Which of the following is MOST effective for controlling visitor access to a data center?

A. Visitors are escorted by an authorized employee B. Pre-approval of entry requests C. Visitors sign in at the front desk upon arrival D. Closed-circuit television (CCTV) is used to monitor the facilities

Which of the following should be of GREATEST concern to an IS auditor conducting an audit of incident response procedures? A. End users have not completed security awareness training.

Which of the following types of testing would best mitigate the risk of a newly implemented system adversely impacting existing systems?

The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems.

Which of the following would be an appropriate role of internal audit in helping to establish an organization's privacy program?

A key role for internal auditors is to provide an independent assessment of the organization's privacy controls.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables, and for projecting estimates at completion?

Explanation: Earned value analysis (EVA) is an industry standard method for measuring a project's progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds.