CISA

By isaca
Aug, 2025


Question 1

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

  • A: The BCP has not been tested since it was first issued.
  • B: The BCP is not version-controlled.
  • C: The BCP's contact information needs to be updated.
  • D: The BCP has not been approved by senior management.

Question 2

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

  • A: Pilot testing
  • B: System testing
  • C: Integration testing
  • D: Unit testing

Question 3

While auditing a small organization's data classification processes and procedures, an IS auditor noticed that data is often classified at the incorrect level. What is the MOST effective way for the organization to improve this situation?

  • A: Conduct awareness presentations and seminars for information classification policies.
  • B: Use automatic document classification based on content.
  • C: Have IT security staff conduct targeted training for data owners.
  • D: Publish the data classification policy on the corporate web portal.

Question 4

Which of the following should be the GREATEST concern for an IS auditor performing a post-implementation review for a major system upgrade?

  • A: Changes are promoted to production by the development group.
  • B: Developers have access to the testing environment.
  • C: Object code can be accessed by the development group.
  • D: Change approvals are not formally documented.

Question 5

Which of the following observations noted by an IS auditor reviewing internal IT standards is MOST important to address?

  • A: The standards have no reference to an industry-recognized framework.
  • B: The standards are not detailed in policies and procedures.
  • C: The standards are not readily available to organization-wide users.
  • D: The standards have not been revised within the last year.

Question 6

Which of the following is MOST important for an organization to consider when planning to outsource data storage to a third-party provider?

  • A: The cost of delivering the service
  • B: The country in which the provider operates
  • C: The classification levels of the stored data
  • D: The skill set and experience of the provider

Question 7

An IS auditor has been tasked with analyzing an organization's capital expenditures against its repair and maintenance costs. Which of the following is the BEST reason to use a data analytics tool for this purpose?

  • A: It reduces the sample size required to perform the audit.
  • B: It improves the reliability of the data.
  • C: It reduces the error rate.
  • D: It enables the auditor to work with 100% of the transactions.

Question 8

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applications over financial reporting?

  • A: Lack of portability for users
  • B: Calculation errors in spreadsheets
  • C: Inability to quickly modify and deploy a solution
  • D: Loss of time due to manual processes

Question 9

An IS auditor should look for which of the following to ensure the risk associated with scope creep has been mitigated during software development?

  • A: Source code version control
  • B: Project change management controls
  • C: Existence of an architecture review board
  • D: Configuration management

Question 10

Which of the following is MOST important to consider when defining disaster recovery strategies?

  • A: Mean time to restore (MTTR)
  • B: Maximum time between failures (MTBF)
  • C: Maximum tolerable downtime (MTD)
  • D: Mean time to acknowledge (MTTA)

Question 11

Which of the following is the GREATEST advantage of agile development over waterfall development?

  • A: Agile development values working software over static documentation.
  • B: Agile development values processes and tools over individuals and interactions.
  • C: Agile development values contract negotiation over customer collaboration.
  • D: Agile development values following a plan over responding to change.

Question 12

Which of the following controls provides the MOST protection against ransomware attacks?

  • A: Education and awareness training
  • B: Tested and reliable backups
  • C: A tested incident response plan
  • D: Signature-based anti-malware tools

Question 13

Which of the following is the BEST control to help ensure that security requirements are considered throughout the life cycle of an agile software development project?

  • A: Including project team members who can provide security expertise
  • B: Reverting to traditional waterfall software development life cycle (SDLC) techniques
  • C: Documenting security control requirements and obtaining internal audit sign off
  • D: Requiring the project to go through accreditation before release into production

Question 14

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

  • A: Implement additional firewalls to protect the system.
  • B: Decommission the server.
  • C: Implement a new system that can be patched.
  • D: Evaluate the associated risk.

Question 17

Which of the following is MOST important when assembling an internal team to perform penetration testing for the organization?

  • A: Obtain a listing of key systems for testing from management.
  • B: Gain agreement from management on timing and scope.
  • C: Perform a scan and identify in-scope assets.
  • D: Query the company directory to find privileged users.

Question 18

Which of the following would a digital signature MOST likely prevent?

  • A: Disclosure
  • B: Repudiation
  • C: Corruption
  • D: Unauthorized change

Question 19

An IS auditor is determining the scope for an upcoming audit. Which of the following BEST enables the auditor to ensure appropriate controls are considered?

  • A: Conducting interviews with IT staff
  • B: Reading recent industry journal articles
  • C: Using an IT-related framework
  • D: Reviewing previous audit reports

Question 20

A PRIMARY objective of risk management is to keep the total cost of risks below the:

  • A: estimated amount of losses included in the firm's budget.
  • B: amount of losses that would materially damage the firm.
  • C: costs of loss prevention measures, such as physical security measures.
  • D: administrative costs of risk management.

Question 21

Which of the following should be the role of internal audit in an organization’s move to the cloud?

  • A: Identifying and mitigating risk to an acceptable level
  • B: Identifying impacts to organizational budgets and resources
  • C: Implementing security controls for data prior to migration
  • D: Serving as a trusted partner and advisor

Question 23

How does a switched network reduce the risk of network sniffing?

  • A: Switches can detect active packet sniffing devices in their subnet.
  • B: Packets are not broadcasted throughout the whole subnet.
  • C: Network traffic is generally reduced.
  • D: Source and destination addresses are encrypted.

Question 24

Which of the following is the MOST effective way for internal audit management to ensure the quality of IS audits is maintained?

  • A: Engage a third party to conduct regular quality assurance (QA) reviews.
  • B: Include quality metrics in audit staff annual performance evaluations.
  • C: Introduce a balanced scorecard for internal audit.
  • D: Conduct control self-assessments (CSA) with IT management.

Question 25

During a review of an organization's network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution. Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?

  • A: Further review closed unactioned alerts to identify mishandling of threats.
  • B: Reopen unactioned alerts and report to the audit committee.
  • C: Recommend that management enhance the policy and improve threat awareness training.
  • D: Omit the finding from the report as this practice is in compliance with the current policy.