Which of the following is the PRIMARY reason for an IS auditor to perform a risk assessment?
An IS auditor discovers a box of hard drives in a secured location that are overdue for physical destruction. The vendor responsible for this task was never made aware of these hard drives. Which of the following is the BEST course of action to address this issue?
An IS auditor learns that an organization's business continuity plan (BCP) has not been updated in the last 18 months and that the organization recently closed a production plant. Which of the following is the auditor's BEST course of action?
To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications. Which of the following is MOST helpful to review when identifying which servers are no longer required?
Which of the following is the MAIN responsibility of the IT steering committee?
A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?
An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about risk appetite?
Which of the following controls is MOST important for ensuring the integrity of system interfaces?
An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?
To ensure confidentiality through the use of asymmetric encryption, a message is encrypted with which of the following?
Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?
Which of the following would provide an IS auditor with the GREATEST assurance that data disposal controls support business strategic objectives?
During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?
When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?
Which of the following is an audit reviewer's PRIMARY role with regard to evidence?
Which of the following findings from a database security audit presents the GREATEST risk of critical security exposures?
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?
Which of the following strategies BEST optimizes data storage without compromising data retention practices?
Which of the following demonstrates the use of data analytics for a loan origination process?
Which of the following data would be used when performing a business impact analysis (BIA)?
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of the following is the auditor's BEST course of action?
Which of the following is MOST helpful to an IS auditor reviewing the alignment of planned IT budget with the organization's goals and strategic objectives?
Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?
During an operational audit on the procurement department, the audit team encounters a key system that uses an artificial intelligence (AI) algorithm. The audit team does not have the necessary knowledge to proceed with the audit. Which of the following is the BEST way to handle this situation?
Which of the following is an IS auditor's BEST recommendation to mitigate the risk of eavesdropping associated with an application programming interface (API) integration implementation?
The decision to accept an IT control risk related to data quality should be the responsibility of the:
When an IS audit reveals that a firewall was unable to recognize a number of attack attempts, the auditor's BEST recommendation is to place an intrusion detection system (IDS) between the firewall and:
During the evaluation of controls over a major application development project, the MOST effective use of an IS auditor's time would be to review and evaluate:
Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization's disaster recovery plan (DRP)?
Which of the following is the MOST important control for virtualized environments?
Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?
Compared to developing a system in-house, acquiring a software package means that the need for testing by end users is:
Which type of risk would MOST influence the selection of a sampling methodology?
Which of the following would be an auditor's GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?
Which of the following is an example of a preventive control for physical access?
Which of the following is the MOST important prerequisite for implementing a data loss prevention (DLP) tool?
Which type of attack poses the GREATEST risk to an organization's most sensitive data?
Which of the following helps to ensure the integrity of data for a system interface?
The BEST way to evaluate the effectiveness of a newly developed application is to:
During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?
Which of the following is the MOST important area of focus for an IS auditor when developing a risk-based audit strategy?
Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?
Which of the following is MOST important for an IS auditor to look for in a project feasibility study?
Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?
When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?
Which of the following should be the FIRST step when developing a data loss prevention (DLP) solution for a large organization?