Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CISAFree trial

By isaca

Verified

25Q per page

Question 151

Management states that a recommendation made during a prior audit has been implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the following is the auditor’s MOST appropriate course of action?

A: Report to audit management that the actions taken have not effectively addressed the original risk.
B: Make an additional recommendation on how to remediate the finding.
C: Perform testing or other audit procedures to confirm the status of the original risk.
D: Recommend external verification of management's preferred actions.

—

Question 152

Which of the following types of testing BEST ensures business requirements are met prior to software release?

A: Load balance testing
B: User acceptance testing (UAT)
C: End-to-end testing
D: Functional testing

—

Question 153

Which of the following methods BEST enforces data leakage prevention in a multi-tenant cloud environment?

A: Monitoring tools are configured to alert in case of downtime.
B: A comprehensive security review is performed every quarter.
C: Data for different tenants is segregated by database schema
D: Tenants are required to implement data classification policies.

—

Question 154

An IS auditor requests direct access to data required to perform audit procedures instead of asking management to provide the data. Which of the following is the PRIMARY advantage of this approach?

A: Professionalism
B: Audit efficiency
C: Audit transparency
D: Data confidentiality

—

Question 155

An IS auditor finds a segregation of duties issue in an enterprise resource planning (ERP) system. Which of the following is the BEST way to prevent the misconfiguration from recurring?

A: Monitoring access rights on a regular basis
B: Referencing a standard user-access matrix
C: Correcting the segregation of duties conflicts
D: Granting user access using a role-based model

—

Question 156

Which of the following should be the FIRST consideration when deciding whether data should be moved to a cloud provider for storage?

A: Data classification
B: Vendor cloud certification
C: Data storage costs
D: Service level agreements (SLAs)

—

Question 157

Which of the following is the MOST cost-effective way to determine the effectiveness of a business continuity plan (BCP)?

A: Stress test
B: Tabletop exercise
C: Full operational test
D: Post-implementation review

—

Question 158

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would
BEST assure compliance with this policy?

A: Number of new hires who have violated enterprise security policies
B: Percentage of new hires that have completed the training
C: Number of reported incidents by new hires
D: Percentage of new hires who report incidents

—

Question 159

An IT balanced scorecard is BEST used for which of the following purposes?

A: Monitoring strategic performance
B: Evaluating IT’s financial position
C: Measuring risk in IT processes
D: Evaluating business processes

—

Question 160

The following findings are the result of an IS auditor’s post-implementation review of a newly implemented system. Which of the following findings is of GREATEST significance?

A: The project’s 10% budget overrun was not reported to senior management.
B: A lessons-learned session was never conducted.
C: Measurable benefits were not defined.
D: Monthly dashboards did not always contain deliverables.

—

Question 161

A company requires that all program change requests (PCRs) be approved and all modifications be automatically logged. Which of the following IS audit procedures will BEST determine whether unauthorized changes have been made to production programs?

A: Use source code comparison software to determine whether any changes have been made to a sample of programs since the last audit date.
B: Review a sample of PCRs for proper approval throughout the program change process.
C: Trace a sample of complete PCR forms to the log of all program changes.
D: Trace a sample of program changes from the log to completed PCR forms.

—

Question 162

Which of the following should be restricted from a network administrator’s privileges in an adequately segregated IT environment?

A: Hardening network ports
B: Monitoring network traffic
C: Changing existing configurations for applications
D: Ensuring transmission protocols are functioning correctly

—

Question 163

An incident response team has been notified of a virus outbreak in a network subnet. Which of the following should be the NEXT step?

A: Remove and restore the affected systems.
B: Verify that the compromised systems are fully functional.
C: Focus on limiting the damage.
D: Document the incident.

—

Question 164

Which of the following is the BEST source of information for examining the classification of new data?

A: Current level of protection
B: Input by data custodians
C: Security policy requirements
D: Risk assessment results

—

Question 165

Which of the following should be of GREATEST concern to an IS auditor who is assessing an organization’s configuration and release management process?

A: The organization does not use an industry-recognized methodology.
B: Changes and change approvals are not documented.
C: There is no centralized configuration management database (CMDB).
D: All changes require middle and senior management approval.

—

Question 166

A web proxy server for corporate connections to external resources reduces organizational risk by:

A: load balancing traffic to optimize data pathways.
B: providing multi-factor authentication for additional security.
C: anonymizing users through changed IP addresses.
D: providing faster response than direct access.

—

Question 167

An organization is planning to hire a third party to develop software. What is the MOST appropriate way for the organization to ensure access to code if the software development company goes out of business?

A: Establish a software escrow agreement.
B: Request a copy of the software.
C: Establish a service level agreement (SLA).
D: Request software licenses.

—

Question 168

An organization is enhancing the security of a client-facing web application following a proposal to acquire personal information for a business purpose. Which of the following is MOST important to review before implementing this initiative?

A: Data ownership assignments
B: Regulatory compliance requirements
C: Customer notification procedures
D: Encryption capabilities

—

Question 169

Which of the following business continuity activities prioritizes the recovery of critical functions?

A: Business impact analysis (BIA)
B: Risk assessment
C: Business continuity plan (BCP) testing
D: Disaster recovery plan (DRP) testing

—

Question 170

An organization is considering using production data for testing a new application’s functionality. Which of the following data protection techniques would BEST ensure that personal data cannot be inadvertently recovered in test environments while also reducing the need for strict confidentiality of the data?

A: Data normalization
B: Data encryption
C: Data minimization
D: Data anonymization

—

Question 171

What should an IS auditor evaluate FIRST when reviewing an organization’s response to new privacy legislation?

A: Implementation plan for restricting the collection of personal information
B: Analysis of systems that contain privacy components
C: Privacy legislation in other countries that may contain similar requirements
D: Operational plan for achieving compliance with the legislation

—

Question 172

Which of the following should be of GREATEST concern to an IS auditor reviewing on-site preventive maintenance for an organization’s business-critical server hardware?

A: The preventive maintenance schedule is based on mean time between failures (MTBF) parameters.
B: Preventive maintenance is outsourced to multiple vendors without requiring nondisclosure agreements (NDAs).
C: Preventive maintenance has not been approved by the information system owner.
D: Preventive maintenance costs exceed the business’s allocated budget.

—

Question 173

An IS auditor is concerned that unauthorized access to a highly sensitive data center might be gained by piggybacking or tailgating. Which of the following is the BEST recommendation?

A: Airlock entrance
B: Intruder alarms
C: Procedures for escorting visitors
D: Biometrics

—

Question 174

Which of the following is MOST likely to increase non-sampling risk?

A: Improperly stratified populations
B: Decreased tolerance rate
C: Inappropriate materiality ratings
D: Poor knowledge of the audit process

—

Question 175

An organization has decided to outsource a critical application due to a lack of specialized resources. Which risk response has been adopted?

A: Mitigation
B: Avoidance
C: Sharing
D: Acceptance

—

Page 7 of 58 • Questions 151-175 of 1449

←

5 6 7 8 9

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!