Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CISAFree trial

By isaca

Verified

25Q per page

Question 76

An IS auditor conducts a review of a third-party vendor's reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?

A: Some KPIs are not documented.
B: KPIs are not clearly defined.
C: KPIs have never been updated.
D: KPI data is not being analyzed.

—

Question 77

Which of the following is critical to the successful establishment of an enterprise IT architecture?

A: Comparison of the architecture with that of other organizations
B: A well-defined data migration policy
C: Organizational support for standardization
D: An architecture encompassing only critical systems

—

Question 78

Which of the following would protect the confidentiality of information sent in email messages?

A: Encryption
B: Secure Hash Algorithm 1 (SHA-1)
C: Digital certificates
D: Digital signatures

—

Question 79

Which of the following would be of GREATEST concern to an IS auditor when evaluating governance processes for a user-developed tool?

A: Penetration testing has not been conducted.
B: Significant changes to the tool were not documented.
C: The backup strategy has not been tested.
D: A risk assessment has not been performed.

—

Question 80

Which task should an IS auditor complete FIRST during the preliminary planning phase of a database security review?

A: Determine which databases will be in scope.
B: Identify the most critical database controls.
C: Evaluate the types of databases being used.
D: Perform a business impact analysis (BIA).

—

Question 81

Which of the following is an IS auditor's BEST course of action when the auditee indicates that a corrective action plan for a high-risk finding will take longer than expected?

A: Determine if an interim compensating control has been implemented.
B: Require that remediation is completed in the agreed timeframe.
C: Accept the longer target date and document it in the audit system.
D: Escalate the overdue finding to the audit committee.

—

Question 82

Which type of framework is BEST suited to illustrate the traceability of information and communications technologies and their alignment with business objectives?

A: Enterprise architecture (EA) framework
B: Service management framework
C: Project management framework
D: IT governance framework

—

Question 83

Which of the following is the BEST way for an organization that is using a Software as a Service (SaaS) application to reduce its risk associated with the collection and protection of personal information?

A: Limit the amount of personal information collected to industry standards.
B: Encrypt personal information held by the organization.
C: Limit the amount of personal information collected to the minimum required.
D: Only allow remote access to personal information from an alternate site.

—

Question 84

Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?

A: Data security requirements are not considered.
B: Additional training is required for end users.
C: The system is not supported by the IT department.
D: Corporate procurement standards are not followed.

—

Question 85

A database administrator (DBA) should be prevented from:

A: accessing sensitive information.
B: having end user responsibilities.
C: having access to production files.
D: using an emergency user ID.

—

Question 86

Which of the following provides the MOST protection against emerging threats?

A: Real-time updating of antivirus software
B: Signature-based intrusion detection system (IDS)
C: Demilitarized zone (DMZ)
D: Heuristic intrusion detection system (IDS)

—

Question 87

Which of the following is MOST important to ensure when removing a financial application from production?

A: The data retention period is still observed.
B: End user requests for changes are canceled.
C: End user training is updated.
D: Software license agreements are retained.

—

Question 88

Which of the following should be of concern to an IS auditor reviewing an organization's network to ensure attack vectors from the Internet are minimized?

A: The organization employs different types of firewalls in the demilitarized zone (DMZ).
B: The organization's email server is in the demilitarized zone (DMZ).
C: A data loss prevention (DLP) system is behind the organization's firewalls.
D: A router is Internet-facing at the network perimeter.

—

Question 89

Which of the following controls associated with software development would be classified as a preventive control to address scope creep?

A: Iteration retrospective
B: System demo
C: Iteration review
D: Backlog grooming

—

Question 90

A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

A: Database application monitoring logs
B: Code review by a third party
C: Penetration test results
D: Web application firewall implementation

—

Question 91

Which of the following is an IS auditor's GREATEST concern when an organization does not regularly update software on individual workstations in the internal environment?

A: The organization may not be in compliance with licensing agreements.
B: System functionality may not meet business requirements.
C: The system may have version control issues.
D: The organization may be more susceptible to cyber-attacks.

—

Question 92

Which of the following provides the BEST audit evidence that a firewall is configured in compliance with the organization's security policy?

A: Analyzing how the configuration changes are performed
B: Performing penetration testing
C: Reviewing the rule base
D: Analyzing log files

—

Question 93

During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?

A: Report the deviation by the control owner in the audit report.
B: Cancel the follow-up audit and reschedule for the next audit period.
C: Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.
D: Request justification from management for not implementing the recommended control.

—

Question 94

Which of the following is MOST important for an IS auditor to verify when reviewing a management information system (MIS)?

A: Backup frequency
B: Data quality
C: Data access
D: System performance

—

Question 95

Which of the following BEST enables an IS auditor to combine and compare access control lists from various applications and devices?

A: Audit hooks
B: Integrated test facility (ITF)
C: Snapshots
D: Data analytics

—

Question 96

An organization's database administrator (DBA) has implemented native database auditing. Which of the following is the GREATEST concern with this situation?

A: Configuration management resilience may be impaired.
B: Development of supplementary tools for database monitoring may be required.
C: Production database performance may be negatively affected.
D: Policy-driven event logging may be impaired.

—

Question 97

When protecting the confidentiality of information assets, the MOST effective control practice is the:

A: awareness training of personnel on regulatory requirements.
B: enforcement of a need-to-know access control philosophy.
C: utilization of a dual-factor authentication mechanism.
D: configuration of read-only access to all users.

—

Question 98

Which of the following is the MOST important consideration when relying on the work of the prior auditor?

A: Management agreement with recommendations
B: Qualifications of the prior auditor
C: Duration of the prior audit
D: Number of findings identified by the prior auditor

—

Question 99

A bank uses a system that requires monetary amounts found on check images to be input twice by two separate individuals. The system then identifies any mismatches between the first and second input. Which type of control has the bank implemented?

A: Detective
B: Corrective
C: Compensating
D: Deterrent

—

Question 100

An organization is migrating its HR application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application's operating system?

A: The cloud provider
B: The cloud provider's external auditor
C: The operating system vendor
D: The organization

—

Page 4 of 58 • Questions 76-100 of 1449

←

2 3 4 5 6

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!