Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?
A. Compliance with industry standards and best practice
B. Compliance with action plans resulting from recent audits
C. Compliance with local laws and regulations
D. Compliance with the organization's policies and procedures
Evaluating application development projects against a defined maturity model enables an IS auditor to determine whether:
A. effective security requirements have been designed
B. the development function's processes are efficient
C. the development function follows a robust process
D. the development project is likely to achieve its objectives
An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:
A. neighboring organizations' operations have been included.
B. the exercise was completed by local management.
C. all identified threats relate to external entities.
D. some of the identified threats are unlikely to occur.
Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization's security policy?
A. Reviewing the system log
B. Reviewing the actual procedures
C. Reviewing the parameter settings
D. Interviewing the firewall administrator
Which of the following should an IS auditor do FIRST when assessing the level of compliance for an organization in the banking industry?
A. Review internal documentation to evaluate adherence to external requirements.
B. Confirm there are procedures in place to ensure organizational agreements address legal requirements.
C. Determine whether the organization has established benchmarks against industry peers for compliance.
D. Identify industry-specific requirements that apply to the organization.
Which of the following is the BEST indication to an IS auditor that management's post-implementation review was effective?
A. Internal audit follow-up was completed without any findings.
B. Lessons learned were documented and applied.
C. Post-implementation review is a formal phase in the system development life cycle (SDLC).
D. Business and IT stakeholders participated in the post-implementation review.
Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?
B. Periodic update of incident response process documentation
C. Periodic cybersecurity training for staff involved in incident response
D. Periodic reporting of cybersecurity incidents to key stakeholders
The use of which of the following is an inherent risk in the application container infrastructure?
A. Shared data
B. Shared registries
C. Shared kernel
D. Host operating system
What should an IS auditor review FIRST to verify that an organization’s IT strategy is effectively implemented?
A. Information security procedures
B. The IT governance framework
C. Process maturity of IT general controls
D. The most recent audit results
Which of the following BEST supports an organization’s efforts to reduce the impact of ransomware attacks?
A. Ensuring a payment method is available
B. Conducting periodic internal and external penetration testing
C. Conducting security awareness training for staff
D. Developing robust backup and recovery procedures
Which of the following network topologies will provide the GREATEST fault tolerance?
A. Star configuration
B. Bus configuration
C. Ring configuration
D. Mesh configuration
Which of the following is the BEST approach to help ensure evidence from a computer forensics investigation is legally admissible?
A. The incident response team reviews and analyzes the evidence, and the evidence file is then securely deleted to avoid further damage.
B. The relevant data is extracted from system, firewall, and intrusion detection system (IDS) logs, then consolidated as evidence.
C. The media involved is preserved using imaging, and further analysis is performed on the image instead of the original.
D. The computer suspected of storing the evidence is isolated, and the incident response team is contacted for investigation.
A white box testing method is applicable with which of the following testing processes?
A. Sociability testing
B. Integration testing
C. Parallel testing
D. User acceptance testing (UAT)
Which of the following is a deterrent security control that reduces the likelihood of an insider threat event?
A. Removing malicious code
B. Distributing disciplinary policies
C. Creating contingency plans
D. Executing data recovery procedures
Which of the following auditing techniques would be used to detect the validity of a credit card transaction based on time, location, and date of purchase?
A. Integrated test facility (ITF)
B. Data analytics
C. Hash totals
D. Check sums
An organization recently migrated its data warehouse from a legacy system to a different architecture in the cloud. Which of the following should be of GREATEST concern to the IS auditor reviewing the new data architecture?
A. The cloud data warehouse uses a hybrid cloud architecture.
B. There is increased latency in the data source synchronization to the cloud data warehouse.
C. The migration analyst is not fully trained on the new tools.
D. The data was not cleansed before moving from the source to the cloud data warehouse.
The FIRST step in auditing a data communication system is to determine:
A. physical security for network equipment.
B. business use and types of messages to be transmitted.
C. traffic volumes and response-time criteria.
D. the level of redundancy in the various communication paths.
An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?
A. Violation of industry standards
B. Lack of data for measuring compliance
C. Noncompliance with documentation requirements
D. Lack of user accountability
An IS auditor reviewing a job scheduling tool notices performance and reliability problems. Which of the following is MOST likely affecting the tool?
A. Administrator passwords do not meet organizational security and complexity requirements.
B. The number of support staff responsible for job scheduling has been reduced.
C. Maintenance patches and the latest enhancement upgrades are missing.
D. The scheduling tool was not classified as business-critical by the IT department.
Which of the following is the MOST important element of quality control with respect to an audit engagement?
A. Increase of audit quality through multiple follow-up audits
B. Responsibility of leadership for quality in audits
C. Assignment of engagement teams for audits
D. Resolution procedures for differences of opinion in audits
An IS audit reveals an organization has decided not to implement a new regulation by the required deadline because the cost of rapid implementation is higher than the penalty for noncompliance. Which of the following is the auditor’s BEST course of action?
A. Ensure a gap analysis is conducted
B. Ensure regulatory reporting is completed
C. Ensure the risk register is updated
D. Ensure risk acceptance is documented
Which of the following is the BEST way for an IS auditor to determine the completeness of data migration?
A. Review migration logs to identify possible failures.
B. Review the implemented data cleanup process.
C. Reconcile migrated records with records in the source system.
D. Examine formal departmental review of the data migration.
Which of the following is the BEST way to foster continuous improvement of IS audit processes and practices?
A. Frequently review IS audit policies, procedures, and instruction manuals.
B. Establish and embed quality assurance (QA) within the IS audit function.
C. Invite external auditors and regulators to perform regular assessment of the IS audit function.
D. Implement rigorous managerial review and sign-off of IS audit deliverables.
An organization outsourced its IS functions. To meet its responsibility for disaster recovery, the organization should:
A. coordinate disaster recovery administration with the outsourcing vendor
B. delegate evaluation of disaster recovery to a third party
C. delegate evaluation of disaster recovery to internal audit
D. discontinue maintenance of the disaster recovery plan (DRP)
To develop meaningful recommendations for findings, which of the following is MOST important for an IS auditor to determine and understand?