Certified Information Systems Auditor (CISA) — Questions 751–825

984 questions total · 14 pages · All types, answers revealed

Page 11 of 14
751 · MCQ · medium

An organization outsources its help desk to a third-party vendor. The contract includes a service level agreement (SLA) with response times. The auditor wants to ensure that the organization can monitor vendor performance. Which clause is most important?

A. Exit strategy clause
B. Right-to-audit clause
C. Indemnification clause
D. Confidentiality clause

Answer: B

Correct: The right-to-audit clause enables the organization to verify the vendor's compliance with SLAs.

Why this answer

The right-to-audit clause allows the organization to audit the vendor's processes and performance, ensuring SLA compliance.

752 · MCQ · medium

Which of the following types of audit evidence provides the highest level of assurance?

A. Re-performance of control procedures
B. Inquiry of process owners
C. Observation of processes
D. Inspection of documents

Answer: A

Re-performance independently validates control effectiveness.

Why this answer

Re-performance provides direct evidence that a control is operating effectively.

753 · MCQ · medium

During the implementation of a new ERP system, the project team discovers that the legacy system data cannot be directly migrated due to incompatible data formats. The project manager proposes building a custom script to extract, transform, and load (ETL) data. Which of the following is the BEST course of action?

A. Manually re-enter all legacy data into the new system.
B. Delay the implementation until a commercial migration tool is available.
C. Proceed with the custom ETL script after thorough testing and validation.
D. Abandon the legacy data and start fresh in the new system.

Answer: C

Custom ETL is appropriate with proper validation.

Why this answer

Option C is correct because building a custom ETL script is a common and acceptable approach when legacy data formats are incompatible with a new ERP system. The key is that the script must undergo thorough testing and validation to ensure data integrity, completeness, and accuracy before migration. This balances the need for timely implementation with the risk of data corruption, which can be mitigated through rigorous quality assurance processes.

Exam trap

The trap here is that candidates may assume custom scripts are inherently risky and choose to delay or abandon data, failing to recognize that with proper testing and validation, custom ETL is a standard and effective solution for incompatible data formats.

How to eliminate wrong answers

Option A is wrong because manual re-entry is error-prone, time-consuming, and impractical for large datasets, violating the principle of data integrity and efficiency in system implementation. Option B is wrong because delaying the implementation for a commercial migration tool is unnecessary when a custom ETL script can be developed and validated in a shorter timeframe, and commercial tools may still require customization for unique legacy formats. Option D is wrong because abandoning legacy data can lead to loss of critical historical records, operational continuity issues, and potential compliance violations, making it a high-risk and generally unacceptable approach.

754 · MCQ · hard

A multinational corporation operates an e-commerce platform hosted in a private cloud environment. The platform consists of web servers, application servers, and a database cluster. The database cluster uses synchronous replication across two data centers (Primary and DR) located 500 km apart. The recovery time objective (RTO) for the platform is 2 hours, and the recovery point objective (RPO) is 15 minutes. During a recent disaster simulation, the primary data center lost power completely. The IT team initiated failover to the DR site. However, the failover process took 3 hours due to a misconfiguration in the DNS failover scripts, and the database was found to be inconsistent because the replication link was broken 30 minutes before the power loss. The team had to restore from a backup that was 4 hours old. After the incident, management requests a review of the disaster recovery plan. Which of the following is the BEST course of action to address the issues identified?

A. Increase the synchronous replication distance limit to ensure link stability over 500 km
B. Conduct a full-scale disaster recovery test including DNS failover and database consistency checks
C. Switch to asynchronous replication to avoid data loss during link failures
D. Implement automated DNS failover with health checks and reduce TTL values to 60 seconds

Answer: B

A comprehensive test would identify both the DNS script error and the replication link vulnerability, allowing corrective actions.

Why this answer

The correct answer is B because the incident revealed failures in DNS failover scripts (causing RTO breach) and database consistency checks (causing RPO breach). A full-scale test that includes DNS failover and database consistency validation is the only option that directly addresses both root causes, ensuring the DR plan meets the stated RTO of 2 hours and RPO of 15 minutes. Without such a test, the organization cannot verify that the failover process and data integrity mechanisms work as intended under realistic conditions.

Exam trap

The trap here is that candidates focus on the technical symptom (DNS failover delay) and choose a quick fix like automated DNS failover (Option D), while ignoring the more critical database inconsistency issue that requires a comprehensive test to validate the entire DR plan.

How to eliminate wrong answers

Option A is wrong because increasing the synchronous replication distance limit does not fix link stability; synchronous replication over 500 km is inherently prone to latency and link failures, and the issue was a broken replication link 30 minutes before the power loss, not a distance limit. Option C is wrong because switching to asynchronous replication would increase the risk of data loss beyond the 15-minute RPO, as asynchronous replication introduces a lag that could exceed the RPO during link failures, and the problem here was inconsistency, not replication mode. Option D is wrong because while automated DNS failover with health checks and reduced TTL values can improve failover speed, it does not address the database inconsistency caused by the broken replication link and the need to restore from a 4-hour-old backup, which requires validation of database consistency and backup integrity.

755 · MCQ · medium

During the fieldwork phase, an IS auditor uses analytical procedures to compare current year IT expenses to prior year. A significant increase is noted. What should the auditor do next?

A. Report the increase as a finding
B. Ignore the increase if it is within budget
C. Investigate the reason for the increase
D. Expand the sample size for testing

Answer: C

The auditor should gather evidence to explain the variance.

Why this answer

Analytical procedures identify anomalies; the auditor should investigate the cause before concluding.

756 · MCQ · easy

Which physical security control is most effective for preventing unauthorized individuals from tailgating into a data center?

A. Mantrap (dual-door interlocking system).
B. Security guards at the entrance.
C. Closed-circuit television (CCTV) surveillance.
D. Biometric fingerprint readers.

Answer: A

A mantrap requires entry through one door before the second opens, forcing single occupancy and preventing tailgating.

Why this answer

A mantrap, or dual-door interlocking system, is the most effective physical security control against tailgating because it physically isolates individuals in a small vestibule where both doors cannot be opened simultaneously. This forces authentication and verification for each person before the second door unlocks, preventing an unauthorized person from following an authorized individual through a single entry point.

Exam trap

The trap here is that candidates often choose biometric readers or CCTV because they associate them with high security, but fail to recognize that tailgating exploits the gap between authentication and physical passage, which only a mantrap's interlocking doors can mechanically enforce.

How to eliminate wrong answers

Option B is wrong because security guards, while useful for monitoring and deterrence, are prone to human error, distraction, or social engineering, and cannot guarantee prevention of tailgating in high-traffic scenarios. Option C is wrong because CCTV surveillance is a detective control that records events for after-the-fact review, not a preventive control that stops tailgating in real time. Option D is wrong because biometric fingerprint readers authenticate identity but do not prevent a second person from entering immediately after an authorized user without their own authentication.

757 · Matching · medium

Match each audit risk component to its definition.


Concepts
Matches

Risk without controls

Risk that controls fail

Risk that audit misses errors

Overall risk of incorrect opinion

Why these pairings

Audit risk model is fundamental to CISA.

758 · MCQ · medium

You are an information security manager for a global financial services company. The organization maintains a hybrid infrastructure with critical customer data stored on an on-premises Oracle database server (DB-SRV-01) and in an AWS S3 bucket (customer-data-prod). At 10:00 AM, the security operations center (SOC) alerts you to an anomalous outbound data transfer from DB-SRV-01 to an unknown IP address in a high-risk country. The transfer started at 9:45 AM and involves 500 MB of data, likely including personally identifiable information (PII). The SOC has already quarantined the server's network egress by blocking all outbound traffic from DB-SRV-01, but the server remains connected to the internal production network. Meanwhile, a separate analysis indicates that the S3 bucket has been accessed via an IAM key that was stolen from a compromised developer workstation three days ago. The key has not been rotated. The incident response team is preparing to act. The primary objective is to protect information assets and minimize data exposure. Given this scenario, which of the following actions should the team take FIRST?

A. Restore DB-SRV-01 from a clean backup taken before the incident and change the IAM keys for the S3 bucket.
B. Notify the appropriate data protection authority within the required 72-hour timeframe.
C. Patch the Oracle database server to the latest version to close any known vulnerabilities.
D. Isolate DB-SRV-01 from the internal network by disconnecting its network cable or disabling the virtual switch port.

Answer: D

Isolating the server halts any ongoing data exfiltration and prevents the attacker from moving laterally to other systems. This preserves the system state for forensic analysis while containing the breach.

Why this answer

Option D is correct because immediately isolating the affected server from the internal network is the most critical first step to prevent lateral movement and further data exfiltration. Option C is incorrect because patching the server without understanding the attack vector could destroy forensic evidence and may not address the active compromise. Option B is incorrect because notifying the data protection authority is a legal requirement but not an immediate containment action. Option A is incorrect because restoring from backup would eliminate any forensic evidence and may reintroduce the same vulnerability, and it does not address the S3 bucket issue.

759 · MCQ · easy

Refer to the exhibit. A CISA is reviewing this S3 bucket policy. What is the PRIMARY security concern?

A. The bucket is configured for public read access
B. Encryption is not enforced on the bucket
C. The policy allows unauthorized write access
D. Versioning is not enabled on the bucket

Answer: A

The policy grants anonymous read access to all objects.

Why this answer

The bucket policy explicitly grants `s3:GetObject` to `Principal: "*"` with `Effect: "Allow"`, which means any unauthenticated user on the internet can read objects in the bucket. This is a classic misconfiguration that leads to public read access, exposing sensitive data. While encryption and versioning are important security controls, the immediate and most severe risk is unauthorized data disclosure via public read.

Exam trap

ISACA often tests the distinction between 'public read' and 'public write' — candidates may incorrectly assume the policy allows write access because it uses `"*"`, but the action is specifically `s3:GetObject`, so only read is permitted.

How to eliminate wrong answers

Option B is wrong because the policy does not mention encryption at all; while encryption enforcement is a best practice, the policy's explicit public read grant is a more direct and critical security concern. Option C is wrong because the policy only grants `s3:GetObject` (read) and does not include `s3:PutObject` or any write action, so unauthorized write access is not permitted by this policy. Option D is wrong because versioning is a data protection and recovery feature, not a security control that prevents unauthorized access; the lack of versioning does not create an immediate exposure risk like public read does.

760 · MCQ · hard

An IS auditor reviews the disposal process of hard drives. Which of the following methods provides the HIGHEST assurance that data cannot be recovered?

A. Physical shredding.
B. Overwriting with zeros.
C. Degaussing.
D. Quick format.

Answer: A

Shredding destroys the physical media, ensuring data cannot be recovered.

Why this answer

Option A is correct because physical shredding destroys the media, making data recovery virtually impossible. Option D is incorrect because a quick format only removes file pointers. Option C is incorrect because degaussing may not work on SSDs. Option B is incorrect because overwriting may leave residual data.

761 · Multi-Select · medium

An organization is implementing IT governance based on COBIT. Which THREE of the following are enablers? (Select exactly three.)

Select 3 answers
A. Application software
B. Organizational structures
C. Culture, ethics, and behavior
D. Network infrastructure
E. Processes

Answers: B, C, E

Structures are enablers for decision-making.

Why this answer

COBIT defines enablers as factors that influence the effectiveness of governance. Processes, organizational structures, and culture/ethics/behavior are key enablers. Network infrastructure and application software are resources, not enablers in the COBIT framework.

762 · MCQ · easy

An IS auditor is selecting audit procedures to test controls over user access. Which of the following is an example of a re-performance procedure?

A. Independently creating a test user account and verifying access rights
B. Observing the security administrator adding a user
C. Reviewing the access control policy document
D. Interviewing the security administrator about the process

Answer: A

Correct; re-performance involves the auditor independently performing the control.

Why this answer

Re-performance involves the auditor independently performing a control to verify its effectiveness. For access controls, independently adding a test user and verifying access rights is a re-performance.

763 · MCQ · medium

During a problem management meeting, the team identifies a recurring issue causing multiple incidents. The root cause is known, but a permanent fix is not yet available. Which of the following is the BEST approach to manage this situation until a permanent fix is implemented?

A. Escalate the problem to senior management
B. Reclassify the problem as an incident
C. Document the known error and implement a workaround
D. Close the problem record and wait for the fix

Answer: C

This is the purpose of a known error database.

Why this answer

Option C is correct because in ITIL-based problem management, when a root cause is known but a permanent fix is unavailable, the known error should be documented in the Known Error Database (KEDB) and a workaround should be implemented to reduce incident impact and restore service. This aligns with the problem management process of controlling the error until a permanent solution (e.g., a patch or change) is deployed, ensuring operational continuity and minimizing recurrence of incidents.

Exam trap

The trap here is that candidates confuse 'problem' with 'incident' and think reclassifying (Option B) is acceptable, but the CISA exam tests the ITIL distinction that a problem is the root cause of multiple incidents and must be managed separately, not reclassified as an incident.

How to eliminate wrong answers

Option A is wrong because escalating to senior management is not the best operational step for a known error with a workaround; escalation is reserved for strategic decisions, resource approval, or when the problem exceeds the team's authority, not for routine workaround implementation. Option B is wrong because reclassifying a problem as an incident violates the ITIL distinction: a problem is the underlying cause of one or more incidents, and reclassifying it would incorrectly treat the root cause as a single event, bypassing proper problem management tracking. Option D is wrong because closing the problem record while waiting for a fix would remove visibility and control, preventing the team from applying the workaround and potentially allowing the same incidents to recur without a documented resolution path.

764 · MCQ · hard

An IS auditor is testing the effectiveness of a control that involves a manual review of exception reports. The population of exceptions is 5,000 items. The auditor wants to achieve a 95% confidence level with a tolerable error rate of 2%. Which sampling method is MOST appropriate?

A. Systematic sampling
B. Judgmental sampling
C. Stratified sampling
D. Statistical attribute sampling

Answer: D

Correct; attribute sampling is used to estimate the proportion of items with a certain characteristic and provides statistical confidence.

Why this answer

Statistical sampling (attribute sampling) is appropriate when the auditor wants to draw a conclusion about the population's error rate with a specified confidence level.

765 · MCQ · easy

Which backup method copies all data that has changed since the last full backup, regardless of subsequent incremental backups, and is often used to reduce restore time?

A. Full backup
B. Differential backup
C. Incremental backup
D. Mirror backup

Answer: B

Differential copies all changes since last full backup, simplifying restore.

Why this answer

A differential backup copies all data that has changed since the last full backup, regardless of any incremental backups taken in between. This approach reduces restore time because only the last full backup and the most recent differential backup are needed, unlike incremental backups which require the full backup plus every subsequent incremental in sequence.

Exam trap

The trap here is confusing differential backups with incremental backups, as both copy only changed data, but the key distinction is that differentials copy all changes since the last full backup, while incrementals copy changes since the last backup of any type, leading to longer restore chains for incrementals.

How to eliminate wrong answers

Option A is wrong because a full backup copies all data, not just changed data, and is typically the baseline for other backup types, not a method to reduce restore time by copying only changes. Option C is wrong because an incremental backup copies only data changed since the last backup of any type (full, differential, or incremental), requiring the full backup plus all subsequent incremental backups for restore, which increases restore time. Option D is wrong because a mirror backup creates an exact replica of the source data in real-time or near-real-time, often using disk mirroring (e.g., RAID 1), and does not focus on copying only changed data since the last full backup; it is designed for high availability, not backup efficiency or restore time reduction.

766 · MCQ · hard

An organization is selecting an alternate site for disaster recovery. The site must have sufficient equipment to resume operations within a few hours, and the organization is willing to share the site with another business. Which type of alternate site is MOST appropriate?

A. Mobile site
B. Warm site
C. Cold site
D. Hot site

Answer: B

Warm sites have some equipment and can be shared, enabling faster activation than cold sites.

Why this answer

A hot site is fully equipped and can be operational quickly, but sharing is uncommon. A warm site has some equipment. A cold site has no equipment. A mobile site is not a standard classification.

767 · MCQ · easy

An IT auditor is reviewing capacity management. The server team monitors CPU utilization and disk space. They receive alerts when thresholds are exceeded. Which practice is most effective for proactive capacity planning?

A. Performing weekly manual checks
B. Analyzing historical utilization trends
C. Increasing server resources quarterly
D. Setting threshold alerts at 90% utilization

Answer: B

Correct: Trend analysis helps forecast future capacity requirements and avoid performance issues.

Why this answer

Analyzing historical utilization trends allows IT to predict future capacity needs and plan upgrades before issues occur.

768 · Multi-Select · medium

An organization is implementing an IT governance framework to align IT with business objectives. Which TWO of the following are primary responsibilities of the IT steering committee?

Select 2 answers
A. Performing daily IT operations
B. Defining IT security policies
C. Approving IT project budgets and priorities
D. Conducting technical vulnerability assessments
E. Ensuring IT investments deliver value

Answers: C, E

The IT steering committee provides oversight and approval for major IT investments and priorities.

Why this answer

Options C and E are correct. The IT steering committee is responsible for approving IT project budgets and priorities (C) and ensuring IT investments deliver value (E). Performing daily IT operations (A) is an operational management task. Defining IT security policies (B) is typically the responsibility of the security function. Conducting technical vulnerability assessments (D) is a technical operational activity.

769 · MCQ · medium

Based on the exhibit, which metric would be LEAST relevant to the 'Customer' perspective?

A. Number of New Features Delivered
B. System Uptime Percentage
C. Satisfaction Survey Score
D. Complaint Resolution Time

Answer: B

Correct. Uptime is more aligned with internal process perspective.

Why this answer

Option B is correct because system uptime is an operational metric typically aligned with the Internal Process perspective, not directly with customer satisfaction as measured by surveys and complaint resolution. Option C is incorrect because survey scores directly measure customer satisfaction. Option D is incorrect because complaint resolution time is a customer-facing metric. Option A is incorrect because the number of new features may be customer-driven and is less directly related than the survey and complaint metrics, but it is still more relevant to the Customer perspective than uptime, which is the least relevant.

770 · MCQ · medium

A large financial institution has a well-defined IT governance framework with a clear organizational structure, policies, and processes. However, the internal audit department has identified that several IT projects are over budget and behind schedule. The project managers blame unclear requirements and scope creep. The IT governance committee meets monthly but reviews projects only at a high level. The auditor's best recommendation to improve project governance is to:

A. Increase the frequency of security reviews for all projects
B. Change the IT steering committee's meeting frequency to weekly with detailed reviews
C. Establish a project management office (PMO) to oversee project governance and reporting
D. Require all projects to use a specific project management software tool

Answer: C

A PMO provides centralized oversight, standardizes processes, and ensures compliance with governance.

Why this answer

Option C is correct because establishing a project management office (PMO) provides standardized project management practices, oversight, and controls to prevent scope creep and improve delivery. Option A focuses on security, not project delivery. Option B is tactical and does not address governance. Option D may improve business alignment but does not directly address the project management issues.

771 · MCQ · hard

An IS auditor is evaluating the change management process for a critical financial application. The auditor finds that all standard changes are approved by the Change Advisory Board (CAB). However, emergency changes are approved by the IT manager and later ratified by the CAB. Which of the following is the greatest risk associated with this process?

A. The IT manager may not have sufficient technical expertise to approve emergency changes.
B. Emergency changes may be delayed while waiting for CAB ratification.
C. The CAB may not have enough time to review emergency changes properly.
D. There is no clear definition of what constitutes an emergency change.

Answer: D

Without a clear definition, non-emergency changes could be inappropriately fast-tracked.

Why this answer

Without a well-defined definition of what constitutes an emergency, changes could be misclassified to bypass CAB scrutiny, weakening controls.

772 · MCQ · medium

An IS auditor selects a sample of 50 transactions from a population of 1,000 using a random number generator. This is an example of which sampling method?

A. Stratified sampling
B. Random sampling
C. Systematic sampling
D. Judgmental sampling

Answer: B

Random sampling uses a random selection method.

Why this answer

Statistical random sampling gives every item an equal probability of selection.

773 · MCQ · easy

Which COBIT 2019 governance objective describes the board's responsibility for overseeing IT?

A. Deliver, Service, and Support (DSS)
B. Align, Plan, and Organize (APO)
C. Evaluate, Direct, and Monitor (EDM)
D. Build, Acquire, and Implement (BAI)

Answer: C

EDM is the governance objective for the board.

Why this answer

COBIT 2019 defines the governance objective as Evaluate, Direct, and Monitor (EDM), which is the board's responsibility.

774 · MCQ · easy

What is the primary purpose of the planning phase in an IS audit?

A. To execute audit tests
B. To issue the final report
C. To identify risks and define audit scope
D. To follow up on findings

Answer: C

Planning includes risk assessment and scope definition.

Why this answer

Planning ensures the audit is focused on high-risk areas and resources are allocated appropriately.

775 · Multi-Select · easy

Which TWO of the following are primary objectives of information classification? (Choose two.)

Select 2 answers
A. Simplify network architecture by segmenting data.
B. Determine appropriate access controls and protection requirements.
C. Improve system performance by prioritizing critical data.
D. Ensure compliance with legal and regulatory requirements.
E. Reduce storage costs by identifying duplicate data.

Answers: B, D

Classification helps define who needs access and what controls apply.

Why this answer

Information classification is a foundational security process that assigns sensitivity labels (e.g., public, internal, confidential, restricted) to data assets. Its primary objectives are to determine the appropriate access controls and protection requirements for each classification level (Option B) and to ensure compliance with legal and regulatory requirements such as GDPR, HIPAA, or PCI DSS (Option D). These objectives directly drive the implementation of security controls like encryption, access control lists (ACLs), and data loss prevention (DLP) policies.

Exam trap

The trap here is that candidates confuse the secondary benefits of classification (like improved storage management or network design) with its primary objectives, which are strictly about determining protection requirements and ensuring compliance.

776 · MCQ · medium

An IS auditor is reviewing the configuration for a web application. Which of the following is the MOST significant security weakness?

A. The authentication method is Basic
B. Session timeout is set to 600 seconds (10 minutes)
C. The base URL uses HTTPS
D. Encryption uses SSL instead of TLS

Answer: A

Basic authentication sends credentials in plain text if not over TLS; even with TLS, it's weaker than digest or certificate-based.

Why this answer

Basic authentication transmits credentials in Base64-encoded plaintext over the network, which is trivially decoded and captured by any attacker with access to the traffic. Even when used over HTTPS, the credentials are exposed in the browser's cache and server logs, making this the most significant weakness among the options.

Exam trap

The trap here is that candidates often focus on the deprecated SSL protocol (Option D) as the most significant weakness, overlooking that Basic authentication exposes credentials in a trivially reversible format regardless of the transport layer security.

How to eliminate wrong answers

Option B is wrong because a 600-second (10-minute) session timeout is within acceptable limits for many web applications and does not represent a critical security weakness. Option C is wrong because using HTTPS for the base URL is a security best practice, not a weakness. Option D is wrong because while SSL is deprecated and TLS is preferred, using SSL instead of TLS is a configuration weakness but is less severe than transmitting credentials in plaintext via Basic authentication.

777 · MCQ · easy

A small manufacturing company uses a network-attached storage (NAS) device to store design files, financial records, and employee data. The NAS is backed up weekly to an external hard drive that is stored in the same office. The company has no encryption on the NAS or the backup drive. One weekend, the office is burglarized, and both the NAS and the backup drive are stolen. The company had no remote backup. Which of the following would have best protected the data in this scenario?

A. Enabling full-disk encryption on the NAS
B. Implementing strong passwords and user authentication on the NAS
C. Storing a backup offsite in a secure location
D. Installing a security camera and alarm system

Answer: A

Encryption renders data unreadable without the key.

Why this answer

Full-disk encryption (FDE) on the NAS would render the data unreadable without the decryption key, even if the physical device is stolen. Since the backup drive was also unencrypted and stored in the same location, both were equally vulnerable. FDE protects data at rest, which is the primary risk in a theft scenario where physical access is obtained.

Exam trap

The trap here is that candidates often choose offsite backup (Option C) because it is a best practice for disaster recovery, but the question specifically asks for protection of the data in a theft scenario where both the primary and backup are stolen together, making encryption the only effective control.

How to eliminate wrong answers

Option B is wrong because strong passwords and user authentication protect against unauthorized logical access over the network, but they do nothing to protect data once the physical device is stolen and the attacker can bypass the OS by directly reading the disks. Option C is wrong because storing a backup offsite would protect the backup from being stolen in the same burglary, but it does not protect the primary NAS data that was also stolen; the question asks for the best protection of the data in this scenario, and offsite backup alone leaves the primary copy exposed. Option D is wrong because security cameras and alarm systems are physical deterrents that may reduce the risk of theft, but they do not protect the data if the theft still occurs; they are preventive controls, not data protection controls.

778
MCQhard

During a risk assessment, an IS auditor identifies that the IT department has not performed a business impact analysis (BIA) for critical systems. Which of the following is the MOST significant risk?

A.Non-compliance with software licensing
B.Increased likelihood of security breaches
C.Inability to calculate total cost of ownership
D.Uncertainty regarding recovery time objectives for critical systems
AnswerD

BIA defines RTOs; without it, recovery priorities are unclear.

Why this answer

Option D is correct because without a BIA, recovery time objectives (RTOs) are uncertain, leading to potentially unacceptable downtime. Option B is a possible consequence but not the primary risk. Option C is incorrect because a BIA addresses recovery, not cost. Option A is less directly related to the absence of a BIA.

779
Multi-Selectmedium

An IS auditor is reviewing the software asset management (SAM) process. The organization uses a mix of commercial off-the-shelf (COTS) and open-source software. The auditor finds that several servers are running end-of-life (EOL) operating systems that are no longer patched. Which TWO risks are most directly associated with this finding?

Select 2 answers
A.Increased risk of security breaches due to unpatched vulnerabilities.
B.Difficulty in integrating with newer systems.
C.Non-compliance with regulatory requirements for patching.
D.Reduced performance due to outdated software.
E.Higher software licensing costs.
AnswersA, C

EOL software lacks security patches, making it vulnerable.

Why this answer

End-of-life (EOL) operating systems no longer receive security patches from the vendor, leaving known vulnerabilities unmitigated. This directly increases the risk of security breaches because attackers can exploit these unpatched flaws. Additionally, many regulatory frameworks (e.g., PCI DSS, SOX) require timely patching of critical systems, so running EOL software constitutes non-compliance with those requirements.

Exam trap

The trap here is that candidates may confuse operational issues (like integration difficulty or performance) with the primary security and compliance risks that directly stem from unpatched vulnerabilities on EOL systems.

780
Multi-Selectmedium

An organization is evaluating two vendors for a critical cloud-based ERP system. Which TWO contractual clauses are most important to include to ensure the organization can monitor vendor performance and security? (Select TWO)

Select 2 answers
A.Data ownership clause
B.Indemnification clause
C.Audit rights
D.Service level agreements (SLAs)
E.Non-disclosure agreement (NDA)
AnswersC, D

Audit rights allow the organization to assess the vendor's security and operational controls.

Why this answer

Service level agreements (SLAs) define performance metrics and remedies for breaches, ensuring accountability. Audit rights allow the organization to verify the vendor's controls, which is essential for security and compliance.

781
MCQmedium

Based on the exhibit, what is the most likely control weakness that allowed this condition?

A.Weak password complexity requirements
B.Lack of individual accountability for privileged actions
C.Failure to disable the default administrator account
D.Inadequate segregation of duties between IT and security teams
AnswerB

Correct: Using a shared default account prevents attribution of actions to individuals.

Why this answer

The exhibit shows that multiple users are sharing a single privileged account (e.g., 'root' or 'admin') to perform administrative actions. Without unique user IDs for each administrator, it is impossible to map specific actions (e.g., a 'sudo' command or a configuration change) back to an individual. This lack of individual accountability is the core control weakness, as it violates the audit principle of non-repudiation and prevents effective forensic investigation.

Exam trap

The trap here is that candidates confuse 'shared accounts' with 'default accounts' (Option C) or 'weak passwords' (Option A), but the exhibit's key indicator is multiple users logging in with the same non-default privileged account, which directly points to a lack of individual accountability.

How to eliminate wrong answers

Option A is wrong because weak password complexity requirements would allow brute-force attacks, but the exhibit shows shared credentials, not a password cracking scenario. Option C is wrong because failure to disable the default administrator account is a specific vulnerability (e.g., leaving the 'sa' account enabled in SQL Server), but the exhibit indicates multiple users actively using a shared account, not a dormant default account. Option D is wrong because inadequate segregation of duties between IT and security teams would involve conflicting roles (e.g., a network admin also managing firewall rules), but the exhibit focuses on shared credentials, not role separation.

782
MCQmedium

Which of the following is a key objective of the COBIT 2019 management objective 'Align, Plan, and Organize' (APO)?

A.Manage the IT management framework
B.Manage changes
C.Manage security
D.Manage IT operations
AnswerA

APO includes establishing the IT management framework and strategic direction.

Why this answer

APO focuses on strategic planning and alignment of IT with business objectives.

783
MCQhard

An IS auditor is reviewing automated job scheduling controls. A critical batch job failed due to a dependency on a previous job that had not completed. The system did not alert operations staff. Which control weakness is most significant?

A.Missing dependency management in job scheduling.
B.Insufficient capacity management to handle job load.
C.Inadequate rerun procedures for the failed job.
D.Lack of a known error database entry for this issue.
AnswerA

Dependency management should prevent the job from starting if prerequisites are not met.

Why this answer

Job scheduling should include dependency management and failure alerts. The lack of an alert means the issue went unnoticed, potentially causing delays.

784
MCQmedium

During user acceptance testing (UAT) of a new financial system, users report that the system fails to enforce a segregation of duties rule where the same user should not be able to create a purchase order and approve it. The requirement was documented in the functional specifications. Which of the following is the MOST likely cause of this issue?

A.Performance testing was prioritized over functional testing.
B.The functional requirements were incomplete.
C.The requirements were ambiguous and misinterpreted by developers.
D.The system was not configured to enforce the control.
AnswerD

The system likely has the capability but was not properly configured.

Why this answer

Option D is correct because the segregation of duties (SoD) rule is a functional control that must be explicitly configured in the system's authorization or workflow engine. Since the requirement was documented in the functional specifications, the most likely cause is that the system was not configured to enforce the control, meaning the access control list (ACL) or role-based access control (RBAC) settings did not prevent the same user from both creating and approving a purchase order.

Exam trap

The trap here is that candidates may assume the issue is due to incomplete or ambiguous requirements (options B or C) when the requirement was clearly documented, but the real cause is a failure to configure the control in the system's security settings.

How to eliminate wrong answers

Option A is wrong because performance testing focuses on system responsiveness and throughput, not on functional controls like segregation of duties; prioritizing performance testing over functional testing would not directly cause a missing SoD enforcement. Option B is wrong because the requirement was documented in the functional specifications, so the functional requirements were complete; the issue is not incompleteness but a failure in implementation or configuration. Option C is wrong because the requirement to prevent the same user from creating and approving a purchase order is unambiguous and not open to misinterpretation; the developers likely understood the requirement but did not configure the system to enforce it.

785
MCQeasy

Refer to the exhibit. An IS auditor is reviewing backup error logs. The error indicates a failed backup due to a missing file. What is the MOST likely cause?

A.The backup job was scheduled during peak hours causing timeout
B.The destination path '\\BackupServer01\Backup\Shares' is invalid
C.A file in the source volume was moved or deleted during the backup window
D.Insufficient disk space on the backup destination
AnswerC

File not found during backup is common when files change.

Why this answer

The error indicates a failed backup due to a missing file. The most likely cause is that a file in the source volume was moved or deleted during the backup window. Backup processes that use file-level snapshots or open-file managers (e.g., Volume Shadow Copy Service on Windows) capture a point-in-time view; if a file is moved or deleted after the snapshot is taken but before it is read by the backup agent, the backup will fail with a 'missing file' error.

This is a classic race condition in file-level backups without proper snapshot consistency.

Exam trap

The trap here is that candidates may confuse a 'missing file' error with a destination path issue or resource constraint, but the error message specifically points to a source-side file inconsistency, not a connectivity or capacity problem.

How to eliminate wrong answers

Option A is wrong because a timeout due to peak hours would typically produce a 'timeout' or 'operation aborted' error, not a 'missing file' error. Option B is wrong because an invalid destination path would cause a 'path not found' or 'access denied' error at the start of the backup, not a mid-backup missing file error. Option D is wrong because insufficient disk space on the destination would generate a 'disk full' or 'out of space' error, not a 'missing file' error.

786
MCQhard

During a review of the incident management process, the IS auditor finds that the incident response (IR) team conducts tabletop exercises annually, but the scenarios are limited to malware outbreaks. Which of the following should be the auditor's GREATEST concern?

A.The IR team may not have adequate forensic capabilities
B.The exercises are not conducted quarterly
C.The IR team is not following the defined procedures
D.The IR plan may not address all relevant incident types
AnswerD

If exercises only cover malware, other incident types may not be tested, leaving gaps in preparedness.

Why this answer

Limited scenarios mean the IR team may not be prepared for other types of incidents, such as data breaches or insider threats, which require different response procedures.

787
MCQhard

An IS auditor is reviewing the incident management process. The organization has a policy that all security incidents must be reported within one hour. However, the average reporting time is four hours. Which is the BEST corrective action?

A.Reduce the reporting time requirement
B.Increase penalties for non-compliance
C.Implement automated incident detection
D.Provide additional training to staff
AnswerD

Training improves awareness and compliance with reporting requirements.

Why this answer

The root cause of the average reporting time exceeding the policy is likely a lack of awareness or skill in identifying and escalating incidents. Providing additional training directly addresses the human factor, improving staff ability to recognize security events and follow the one-hour reporting procedure, which is the most effective corrective action for a process gap.

Exam trap

The trap here is that candidates often choose 'Implement automated incident detection' (Option C) because it seems technologically advanced, but they overlook that the policy requires human reporting within one hour, and automation does not fix the human reporting delay or compliance with the specific time requirement.

How to eliminate wrong answers

Option A is wrong because reducing the reporting time requirement lowers the standard without fixing the underlying process deficiency, potentially increasing risk exposure. Option B is wrong because increasing penalties for non-compliance may create a culture of fear and under-reporting, but does not address the root cause of why staff are unable to report within one hour. Option C is wrong because while automated incident detection can speed up identification, it does not address the reporting process itself; the policy requires human reporting within one hour, and automation may not cover all incident types or integrate with the existing reporting workflow.

788
MCQeasy

An organization is replacing its legacy customer relationship management (CRM) system. Which of the following is the MOST important control to ensure data integrity during the data conversion process?

A.Perform reconciliation of total record counts and key field sums before and after conversion.
B.Implement encryption for data in transit during migration.
C.Conduct user acceptance testing on the new system.
D.Ensure data mapping documents are approved by business owners.
AnswerA

Reconciliation verifies accuracy and completeness of data conversion.

Why this answer

Option A is correct because reconciliation and validation ensure all records are accurately transferred. Option B is security, not integrity. Option C is about functionality, not conversion accuracy. Option D focuses on completeness of the mapping but not on the accuracy of the converted data.

789
MCQeasy

Which of the following is a principle of ISO/IEC 38500 for corporate governance of IT?

A.Start where you are
B.Optimise and automate
C.Strategy
D.Focus on value
AnswerC

Strategy is one of the six principles in ISO/IEC 38500.

Why this answer

ISO/IEC 38500 outlines six principles: responsibility, strategy, acquisition, performance, conformance, and human behavior.

790
MCQmedium

An IS auditor is performing a walkthrough of the accounts payable process. Which audit procedure is the auditor primarily executing?

A.Walkthrough
B.Re-performance
C.Inquiry
D.Observation
AnswerA

Correctly identifies the procedure.

Why this answer

A walkthrough involves tracing a transaction from initiation to completion, often combining inquiry, observation, and inspection.

791
MCQhard

During data conversion from a legacy system to a new ERP, the project team decides to clean data during extraction but not during loading. What is the PRIMARY risk associated with this approach?

A.Data integrity issues may remain undetected in the target system.
B.The legacy system performance may degrade.
C.The project may exceed its budget due to rework.
D.The conversion process will be significantly slower.
AnswerA

Errors can be introduced after extraction, so cleaning only at source is insufficient.

Why this answer

Cleaning data only during extraction and not during loading means that any data quality issues introduced during the extraction process or that become apparent only after mapping to the target schema will not be caught. This creates a primary risk that data integrity issues—such as referential integrity violations, duplicate keys, or format mismatches—will remain undetected in the new ERP system, potentially corrupting business operations and reporting.

Exam trap

The trap here is that candidates focus on operational concerns like speed or cost, rather than the core IS audit principle that data integrity is the paramount risk when data is not validated at the final point of entry into the target system.

How to eliminate wrong answers

Option B is wrong because legacy system performance degradation is not a primary risk of the data cleaning approach; it is more related to the extraction method (e.g., full table scans) rather than the cleaning phase. Option C is wrong because while rework could occur, the primary risk is not budget overrun but undetected data integrity issues that could cause systemic failures. Option D is wrong because cleaning during extraction can actually slow the extraction process, but the question asks about the primary risk, and performance speed is secondary to data integrity.

792
MCQmedium

An organization is implementing an ERP system and is concerned about segregation of duties conflicts. What is the most effective control to address this risk during implementation?

A.Implementing role-based access controls
B.Performing a data migration risk assessment
C.Reviewing vendor SOC 2 reports
D.Conducting user acceptance testing
AnswerA

Correct. Role-based access controls enforce segregation of duties by limiting user permissions.

Why this answer

Segregation of duties conflicts are best addressed by designing and implementing role-based access controls tailored to the organization's processes.

793
MCQhard

An IS auditor is evaluating a system development project that uses an outsourced team. The contract allows the vendor to reuse some of the developed code in other projects. What is the auditor's PRIMARY concern?

A.The vendor might not deliver on time.
B.The organization may lose control of intellectual property.
C.The vendor may not maintain the code after the project ends.
D.The vendor may use substandard development practices.
AnswerB

Reuse rights could dilute exclusivity and security control.

Why this answer

The contract clause allowing the vendor to reuse developed code in other projects directly transfers ownership or licensing rights of the intellectual property (IP) to the vendor. This means the organization may lose exclusive control over the code, potentially allowing competitors to access proprietary logic or algorithms. The IS auditor's primary concern is safeguarding the organization's IP assets, as this loss can have long-term strategic and competitive implications.

Exam trap

The trap here is that candidates focus on operational risks (delays, maintenance, quality) rather than the contractual and legal risk of losing intellectual property rights, which is the auditor's primary concern when the vendor is explicitly allowed to reuse code.

How to eliminate wrong answers

Option A is wrong because delivery timelines are a project management risk, not the primary audit concern when IP reuse rights are granted; the contract clause directly addresses IP, not schedule. Option C is wrong because post-project maintenance is a separate contractual issue (e.g., SLA for support) and is not inherently tied to the vendor's right to reuse code; the auditor's focus is on ownership, not ongoing maintenance. Option D is wrong because substandard development practices are a quality risk that can be mitigated through code reviews and testing, but the explicit permission to reuse code is a direct IP concern, not a quality concern.

794
MCQeasy

When implementing a commercial off-the-shelf (COTS) system, what is the MOST important factor?

A.Customization to fit all requirements
B.Lowest total cost
C.Vendor reputation
D.Alignment with business processes with minimal modification
AnswerD

Minimal modification reduces risk and cost.

Why this answer

When implementing a commercial off-the-shelf (COTS) system, the most important factor is alignment with business processes with minimal modification. COTS systems are designed to provide standardized functionality; extensive customization undermines the core benefits of reduced cost, faster deployment, and easier vendor support. Modifying the COTS codebase creates a 'forked' version that complicates patch management, increases testing overhead, and risks incompatibility with future vendor updates, directly contradicting the acquisition rationale.

Exam trap

The trap here is that candidates confuse 'customization' (modifying source code) with 'configuration' (using built-in parameters), and mistakenly believe that tailoring the software to every requirement is the goal, when in fact minimizing modification is the key to preserving the COTS benefits of low cost and easy maintenance.

How to eliminate wrong answers

Option A is wrong because extensive customization of a COTS system negates its primary advantages—lower total cost of ownership, faster time-to-market, and simplified maintenance—by creating a unique codebase that requires custom testing, documentation, and support, often leading to vendor lock-in and upgrade failures. Option B is wrong because while total cost is a consideration, prioritizing the lowest initial cost can lead to hidden expenses from necessary modifications, integration work, or poor vendor support; the most important factor is ensuring the COTS product fits business processes to avoid costly rework. Option C is wrong because vendor reputation is secondary to functional fit; a reputable vendor's product that requires heavy customization will still incur significant long-term costs and risks, whereas a less-known vendor with a product that aligns closely with business needs can deliver greater value.

795
MCQhard

What is the primary security concern in this architecture?

A.Traffic between application and database servers is not encrypted
B.Web servers are directly accessible from the internet
C.Database port is exposed to application servers
D.Lack of intrusion detection
AnswerA

Sensitive data in transit should be encrypted.

Why this answer

The primary security concern is that traffic between the application and database servers is not encrypted. In a typical three-tier web architecture, sensitive data such as authentication credentials, SQL queries, and result sets are transmitted in cleartext if TLS/SSL is not enforced between the application layer and the database layer. This exposes the data to eavesdropping or man-in-the-middle attacks on the internal network, which is a direct violation of the principle of defense in depth and common compliance requirements like PCI DSS or HIPAA.

Exam trap

The trap here is that candidates often focus on perimeter defenses (like web server exposure) or operational controls (like intrusion detection) instead of recognizing that unencrypted internal traffic between trusted tiers is a critical and often overlooked vulnerability in application architecture.

How to eliminate wrong answers

Option B is wrong because web servers being directly accessible from the internet is a standard and expected design in a three-tier architecture; they are placed in a DMZ and are meant to serve public traffic, so this is not a primary security concern. Option C is wrong because exposing the database port (e.g., TCP 3306 for MySQL or 1433 for MSSQL) to application servers is necessary for the application to function; the risk is mitigated by firewall rules and network segmentation, not by hiding the port. Option D is wrong because lack of intrusion detection is a monitoring deficiency, not the primary security concern; while important, it is a detective control, whereas the unencrypted traffic is a direct exposure of data in transit.

796
Multi-Selectmedium

Which THREE of the following are best practices for managing system testing in an IS development project?

Select 3 answers
A.Create test data that mirrors production data.
B.Perform testing in an environment identical to production.
C.Implement automated regression tests for critical functions.
D.Use an independent test team separate from developers.
E.Developers should test their own code thoroughly.
AnswersA, C, D

Realistic test data uncovers more issues.

Why this answer

Creating test data that mirrors production data is a best practice because it ensures that the test environment closely reflects real-world data volumes, distributions, and edge cases. This approach helps uncover defects that might only appear under production-like data conditions, such as performance bottlenecks, data integrity issues, or boundary value errors. It also validates that the system handles the actual data formats and constraints it will encounter in production.

Exam trap

The trap here is that candidates may assume a production-identical environment is always a best practice, but the CISA exam emphasizes cost-benefit analysis and practical constraints, making 'identical' too absolute; instead, the focus is on using a representative environment and independent testing to ensure quality.

797
MCQhard

An IS auditor is evaluating the design of controls over a critical financial application. The auditor performs a walkthrough and identifies that a control is missing but management has compensating controls. Which of the following is the auditor's BEST next step?

A.Increase the sample size for substantive testing to compensate.
B.Test the compensating controls to determine if they adequately mitigate the risk.
C.Immediately report the missing control as a material weakness.
D.Ignore the missing control since compensating controls exist.
AnswerB

Compensating controls can reduce the severity of the deficiency.

Why this answer

Assessing the effectiveness of compensating controls is appropriate to determine if the control deficiency is mitigated.

798
Multi-Selecteasy

Which TWO of the following are benefits of using a version control system in software development?

Select 2 answers
A.Generate test cases
B.Eliminate all bugs
C.Automate deployment
D.Rollback to previous versions
E.Track changes made by developers
AnswersD, E

Core feature.

Why this answer

Option D is correct because version control systems (e.g., Git, SVN) allow developers to revert code to a previous commit or tag, enabling recovery from bugs or regressions. This rollback capability is a core feature that preserves the history of the codebase and supports safe experimentation.

Exam trap

The trap here is that candidates confuse version control with CI/CD or testing tools, mistakenly thinking VCS can automate deployment or generate test cases, when its primary purpose is change tracking and history management.

799
MCQhard

A company outsources its data center operations. Which IT governance practice is MOST critical to ensure the outsourcing arrangement meets business requirements?

A.Establishing a service level agreement (SLA) with key performance indicators
B.Performing a total cost of ownership analysis
C.Creating a RACI matrix for the outsourced processes
D.Conducting background checks on outsourcer employees
AnswerA

SLAs define expectations and enable performance measurement.

Why this answer

Service level management ensures that the outsourcer's performance is monitored against agreed-upon metrics.

800
MCQhard

A financial institution is required by regulators to demonstrate that IT controls are effective. Which of the following provides the BEST evidence?

A.IT balanced scorecard
B.Internal audit reports
C.IT risk register
D.Service organization control (SOC) reports
AnswerD

SOC reports provide independent assurance on controls.

Why this answer

Service organization control (SOC) reports are independent audits of control effectiveness, highly regarded by regulators. Internal audit reports are valuable but may lack independence; risk register and balanced scorecard are not direct evidence of control effectiveness.

801
MCQeasy

An IT department uses a balanced scorecard to measure performance. Which metric would BEST reflect the 'customer perspective'?

A.Training hours per employee
B.System uptime percentage
C.User satisfaction survey results
D.Project completion rate
AnswerC

Correct. Directly measures customer perception.

Why this answer

Option C is correct because the customer perspective focuses on user satisfaction and service responsiveness. Option B is incorrect because system uptime is an internal process metric. Option D is incorrect because project completion rate is an internal efficiency metric. Option A is incorrect because training hours relate to the learning and growth perspective.

802
MCQeasy

Which of the following is a key objective of a post-implementation review?

A.To conduct penetration testing
B.To approve the project budget
C.To determine if the system meets user requirements
D.To select the vendor
AnswerC

Correct. The review evaluates whether objectives were met.

Why this answer

A post-implementation review assesses whether the system meets its objectives and identifies lessons learned.

803
MCQmedium

Refer to the exhibit. An auditor reviews the security log of a sensitive server. Which of the following is the MOST suspicious event?

A.The use of Negotiate authentication package
B.The logoff event at 23:45:12
C.The remote interactive logon from IP 192.168.10.50 using NTLM
D.The logon from workstation WS-FINANCE at 10.0.0.15
AnswerC

Remote interactive logon allows interactive access, and the source IP is different from the usual internal range; NTLM is less secure.

Why this answer

Option C is correct because a logon type 10 (Remote Interactive) from an unknown IP (192.168.10.50) using NTLM could indicate an unauthorized remote desktop session, especially if the employee is not on shift or the IP is unfamiliar. Option A is a normal authentication package; Option B is a routine logoff event; Option D is a logon from a known workstation.

804
Multi-Selecteasy

Which THREE of the following are typical phases in the system development life cycle (SDLC)?

Select 3 answers
A.Unit testing.
B.Implementation.
C.Patch management.
D.Requirements analysis.
E.Design.
AnswersB, D, E

Implementation phase involves coding, testing, and deployment.

Why this answer

Implementation is a standard phase in the SDLC where the designed system is built, coded, and deployed into the production environment. This phase follows design and precedes testing and maintenance, ensuring the solution is operational and meets the specified requirements.

Exam trap

The trap here is confusing operational activities like patch management or specific testing techniques with the high-level phases of the SDLC, leading candidates to select activities that occur post-deployment or are sub-steps of a phase.

805
MCQhard

A multinational corporation's data center in the European Union (EU) stores personal data of EU citizens. The company must comply with the General Data Protection Regulation (GDPR), which requires that personal data be protected and that data subjects have the right to erasure ('right to be forgotten'). The company's IT team uses a centralized identity management system that stores user credentials and personal data in an Active Directory (AD) forest. The AD forest is replicated across multiple data centers worldwide, including a non-EU country. The data protection officer (DPO) is concerned that personal data might be inadvertently replicated to jurisdictions without adequate protection. Which of the following is the most effective way to address this concern?

A.Pseudonymize all personal data before storing it in AD
B.Encrypt all personal data at rest and in transit, with keys held solely within the EU
C.Implement data residency controls to ensure EU personal data is only stored and processed within the EU
D.Obtain explicit consent from all EU data subjects for international data transfer
AnswerC

Technical controls can enforce geographic boundaries for data replication.

Why this answer

Option C is correct because GDPR mandates that personal data of EU citizens must not be transferred to countries without adequate protection unless specific safeguards are in place. Implementing data residency controls ensures that EU personal data is stored and processed only within the EU, preventing inadvertent replication to non-EU jurisdictions via AD replication. This directly addresses the DPO's concern by enforcing geographic boundaries on data storage and processing.

Exam trap

The trap here is that candidates often confuse encryption (Option B) with data residency, thinking encryption alone prevents data exposure, but encryption does not stop replication and may still allow data to be stored in non-EU jurisdictions where it could be subject to local access laws.

How to eliminate wrong answers

Option A is wrong because pseudonymization reduces identifiability but does not prevent data from being replicated to non-EU jurisdictions; the pseudonymized data remains personal data under GDPR and could still be subject to inadequate protection. Option B is wrong because encryption protects data confidentiality but does not prevent replication; if keys are held solely within the EU, the data can still be replicated to non-EU servers, and the encrypted data may be accessible if the key management is compromised or if the encryption is bypassed during replication. Option D is wrong because explicit consent for international data transfer is a possible lawful basis but is not the most effective technical control; it does not prevent inadvertent replication and can be withdrawn by data subjects, making it unreliable for ongoing compliance.

806
Multi-Selectmedium

An IS auditor is evaluating the controls over program changes. Which TWO of the following are essential controls?

Select 2 answers
A.Management authorization for the change
B.Documented change request
C.Automated deployment scripts
D.Regression testing of all changes
E.Post-change review by independent party
AnswersA, B

Authorization ensures changes are approved by appropriate parties.

Why this answer

Management authorization (A) is essential because it ensures that only approved changes are implemented, preventing unauthorized modifications that could introduce security vulnerabilities or operational disruptions. A documented change request (B) provides an audit trail and formal record of what was changed, why, and by whom, which is critical for accountability and traceability in the change management process.

Exam trap

The trap here is that candidates often confuse 'essential controls' with 'best practices' or 'automation tools,' leading them to select options like automated deployment scripts or regression testing, which are valuable but not mandatory for every change in a well-controlled environment.

807
Multi-Selecthard

An IS auditor is reviewing the end-of-life (EOL) software policy. Which THREE risks are associated with running unsupported software? (Select THREE).

Select 3 answers
A.Reduced need for data backups
B.Regulatory non-compliance
C.Higher software licensing costs
D.Compatibility issues with newer systems
E.Increased vulnerability to security breaches
AnswersB, D, E

Some regulations require the use of supported software.

Why this answer

Unsupported software no longer receives security patches, increasing vulnerability risk. It also may cause compatibility issues with other systems. Additionally, it may lead to non-compliance with regulations that require supported software.

808
Multi-Selecteasy

During the design phase of an SDLC, which TWO activities should be performed to ensure security is integrated into the system? (Select TWO)

Select 2 answers
A.User acceptance testing (UAT)
B.Code review
C.Threat modeling
D.Architecture review
E.Penetration testing
AnswersC, D

Threat modeling helps identify and mitigate security threats during design.

Why this answer

Architecture review ensures the system design meets security requirements, and threat modeling identifies potential threats and vulnerabilities early. Both are proactive security controls in the design phase.

809
MCQeasy

An organization's IT service desk categorizes incidents based on severity levels. A P1 incident is defined as a critical system outage affecting all users. Which of the following is the MOST appropriate target for the initial response time for a P1 incident?

A.Within 15 minutes
B.Within 4 hours
C.Within 1 business day
D.Within 30 minutes
AnswerA

Immediate response is expected for critical incidents.

Why this answer

P1 incidents are critical and require immediate response, typically within minutes, not hours.

810
MCQmedium

An IT manager is reviewing the service level agreements (SLAs) for a cloud-based email service. The SLA guarantees 99.9% uptime per month. The service experienced an outage of 45 minutes in a 30-day month. Did the service meet the SLA?

A.Yes, because 45 minutes is within 0.1% of the total time.
B.Yes, because the SLA is calculated per day, not per month.
C.No, because any downtime exceeding 30 minutes is a violation.
D.No, because the allowed downtime for 99.9% uptime is approximately 43 minutes.
AnswerD

The SLA allows 43.2 minutes; 45 minutes is over the limit.

Why this answer

The SLA guarantees 99.9% uptime per month. For a 30-day month (43,200 minutes), 99.9% uptime allows only 0.1% downtime, which is 43.2 minutes. The actual outage of 45 minutes exceeds this threshold, so the SLA was not met.

Option D correctly identifies the allowed downtime as approximately 43 minutes.

Exam trap

The trap here is that candidates may incorrectly round 43.2 minutes to 43 minutes and then assume 45 minutes is close enough, or they may mistakenly think 0.1% of a month is 30 minutes, leading them to choose option C.

How to eliminate wrong answers

Option A is wrong because 45 minutes is not within 0.1% of the total time; 0.1% of 43,200 minutes is 43.2 minutes, so 45 minutes exceeds the allowed downtime. Option B is wrong because the SLA explicitly states 'per month,' not per day, and calculating per day would allow even less downtime (e.g., 0.1% of 1,440 minutes = 1.44 minutes per day). Option C is wrong because the SLA does not specify a 30-minute threshold; the allowed downtime is derived from the 99.9% uptime calculation, not an arbitrary 30-minute limit.

811
MCQhard

You are the IT audit manager for a multinational corporation. The company recently implemented a new enterprise resource planning (ERP) system using a phased rollout approach. The first phase (finance module) was deployed to three regional offices six months ago. During a post-implementation review, you discovered that the user acceptance testing (UAT) for the finance module was completed in only two days instead of the planned two weeks. The UAT was performed by a small group of power users selected by the project manager, and they reported no critical issues. However, after go-live, several finance staff in one region found that the system does not support a statutory reporting requirement specific to that country, which was not tested. The project manager argues that the requirement was never documented in the business requirements specification. The system has been live for six months, and the missing functionality requires a significant customization that will take three months and cost $200,000. Management is reluctant to fund the customization because the budget is exhausted. As the IT auditor, what is the BEST course of action?

A.Report the project manager to senior management for failing to include the requirement
B.Recommend that the organization accept the risk and proceed without the customization
C.Advise the project manager to retroactively document the requirement and request a change order for the customization
D.Recommend that management implement a formal UAT process with representatives from all regions and include a checklist of statutory requirements for future rollouts
AnswerD

This addresses the root cause—inadequate UAT—and prevents similar issues in future phases.

Why this answer

Option D is correct because the root cause is a deficient UAT process, not just a missing requirement. A formal UAT process with representatives from all regions and a statutory requirements checklist would have caught the country-specific reporting need before go-live. As an IT auditor, recommending process improvements for future rollouts addresses the systemic control weakness, which is more effective than blaming individuals or accepting risk without remediation.

Exam trap

The trap here is that candidates focus on the missing requirement or blame the project manager, rather than recognizing that the core issue is a weak UAT process that failed to include all regional stakeholders and statutory requirements, which is a systemic control weakness the auditor should address.

How to eliminate wrong answers

Option A is wrong because the project manager correctly notes the requirement was never documented in the business requirements specification; reporting him without addressing the process gap does not fix the underlying UAT deficiency. Option B is wrong because accepting the risk of non-compliance with a statutory reporting requirement could lead to regulatory penalties, which is not a prudent recommendation for an auditor. Option C is wrong because retroactively documenting a requirement and requesting a change order after six months of live operation is a project management action, not an audit recommendation; it does not prevent recurrence and may not be feasible given budget exhaustion.

812
MCQhard

An IS auditor is testing the effectiveness of a preventive control that rejects invalid transactions. The auditor uses a computer-assisted audit technique (CAAT) to create a set of test transactions. What is the primary risk associated with this approach?

A.The audit may disrupt system performance
B.Test transactions may be processed as real transactions
C.Test transactions may not be representative
D.The CAAT may corrupt production data
AnswerB

If test data is not properly isolated, it can be accepted as actual data, causing data integrity issues.

Why this answer

The primary risk is that test transactions may be processed as real transactions if the CAAT does not properly isolate them from the production environment. This could result in unintended data corruption, financial misstatements, or operational disruptions. The auditor must ensure that test data is clearly flagged or run in a separate test environment to avoid integration with live processing.

Exam trap

The trap here is that candidates often confuse the risk of test transactions being processed as real (option B) with the risk of CAATs corrupting production data (option D), but corruption is a consequence of the processing error, not the direct risk of the CAAT tool itself.

How to eliminate wrong answers

Option A is wrong because system performance disruption is a secondary operational risk, not the primary risk specific to using test transactions; CAATs are designed to minimize performance impact. Option C is wrong because while representativeness is a concern for test data validity, it is not the primary risk of the approach—the core risk is that test transactions could be processed as real. Option D is wrong because CAATs themselves do not corrupt production data; the corruption occurs only if test transactions are mistakenly processed as real, which is already covered by option B.

813
MCQeasy

During the feasibility study for a new inventory system, the project team identifies that the expected benefits are significantly lower than the initial estimates. What is the MOST appropriate action for the IS auditor to recommend?

A.Proceed with the project as planned, focusing on cost reduction.
B.Cancel the project immediately and document lessons learned.
C.Continue with the project but postpone the benefits realization.
D.Re-evaluate the feasibility study and update the business case.
AnswerD

Re-evaluation ensures accurate decision-making based on current data.

Why this answer

When expected benefits fall significantly below initial estimates, the IS auditor should recommend re-evaluating the feasibility study and updating the business case. This ensures that the project's justification is based on current, accurate data before proceeding, which is a key control in the systems development lifecycle (SDLC) to prevent investment in a project that may no longer deliver adequate value.

Exam trap

The trap here is that candidates may confuse the need for immediate project cancellation (Option B) with proper project governance, but the correct approach is to first re-evaluate the feasibility study to determine if the project can be salvaged with a revised business case.

How to eliminate wrong answers

Option A is wrong because proceeding as planned while focusing on cost reduction ignores the fundamental issue that the benefits no longer justify the investment, which could lead to a failed project. Option B is wrong because canceling the project immediately is premature without first reassessing the feasibility study and exploring whether the business case can be revised to reflect realistic benefits. Option C is wrong because continuing the project while postponing benefits realization does not address the root cause of the benefit shortfall and may result in wasted resources on a project that cannot achieve its intended objectives.

814
MCQmedium

An IS auditor is planning an audit of a small organization with limited IT staff. Which approach is most appropriate?

A.Rely solely on inquiry to reduce workload
B.Use a risk-based approach to focus on high-risk areas
C.Postpone the audit until more staff are available
D.Audit all areas equally to ensure full coverage
AnswerB

Risk-based auditing is effective and efficient.

Why this answer

A risk-based approach prioritizes the areas of highest risk, which is the most efficient use of limited audit resources.

815
MCQhard

An organization is adopting ISO/IEC 38500 to govern IT. Which of the following best illustrates the application of the 'Human Behaviour' principle?

A.Providing security awareness training to all employees
B.Aligning IT strategy with business strategy
C.Ensuring IT investments deliver value and manage risk
D.Assigning clear responsibility for IT decisions
AnswerA

Training addresses human behavior to ensure policies are understood and followed.

Why this answer

The Human Behaviour principle requires that IT policies respect human behavior and include training and awareness to ensure compliance.

816
MCQmedium

An IT audit revealed that the organization's IT steering committee has not met in the past six months. Which of the following is the MOST likely consequence of this situation?

A.Higher IT staff turnover.
B.Increased number of security incidents.
C.Inconsistent IT policies across departments.
D.Delayed decision-making on IT investments.
AnswerD

The committee's primary role is to make strategic decisions.

Why this answer

Option D is correct because the steering committee is responsible for approving and prioritizing IT investments; if it does not meet, those decisions are delayed. The other consequences (higher staff turnover, more security incidents, inconsistent policies) may occur, but they are indirect or secondary effects rather than the most likely direct result.

817
Multi-Selecthard

Which THREE of the following are components of the ITIL 4 service value system? (Select THREE)

Select 3 answers
A.Continual improvement
B.Four dimensions of service management
C.Service value chain
D.Service level agreements
E.Guiding principles
AnswersA, C, E

Continual improvement is a component of the service value system.

Why this answer

ITIL 4's service value system includes the service value chain, guiding principles, governance, practices, and continual improvement. The service value chain, guiding principles, and continual improvement are key components. Service level agreements are outputs, not components of the system.

The four dimensions of service management are associated with the service value system but are not listed among its components; they are a separate dimensional model. The question asks for three, and the correct ones are the service value chain, guiding principles, and continual improvement.

818
Multi-Selecteasy

Which TWO of the following are benefits of establishing an IT steering committee?

Select 2 answers
A.Improved operational efficiency of IT systems
B.Enhanced prioritization of IT investments
C.Better alignment between IT and business strategy
D.Reduction of management overhead
E.Direct control over technical IT decisions
AnswersB, C

Prioritization is a core benefit.

Why this answer

Options B and C are correct because an IT steering committee provides strategic alignment and prioritization of IT initiatives. Option D is not a benefit; a committee may add bureaucracy rather than reduce management overhead. Option A is not a direct benefit; operational efficiency of IT systems is management's role.

Option E is not a primary benefit; detailed technical decisions are outside committee scope.

819
MCQmedium

An organization's availability management team reports that a critical server has an MTBF of 720 hours and an MTTR of 4 hours. What is the availability percentage for this server?

A.99.45%
B.99.56%
C.99.72%
D.99.89%
AnswerA

Correct: 720/(720+4) = 720/724 ≈ 99.45%.

Why this answer

Availability = MTBF / (MTBF + MTTR) = 720 / (720 + 4) = 720/724 ≈ 0.9945, or 99.45%.

820
Multi-Selecteasy

Which TWO of the following are components of an IT balanced scorecard? (Select TWO)

Select 2 answers
A.Customer perspective
B.Competitor perspective
C.Security perspective
D.Financial perspective
E.Vendor perspective
AnswersA, D

Customer perspective is a standard component.

Why this answer

The IT balanced scorecard typically includes four perspectives: financial, customer, internal process, and learning & growth. Financial and customer are two of these. Competitor, security, and vendor perspectives are not standard perspectives.

821
MCQeasy

During which phase of the IS audit process does the auditor perform walkthroughs and test controls?

A.Reporting
B.Planning
C.Follow-up
D.Fieldwork
AnswerD

Fieldwork is the phase where audit procedures such as walkthroughs and testing are performed.

Why this answer

Walkthroughs and control testing are performed during fieldwork, where the auditor executes planned audit procedures.

822
Multi-Selecteasy

Which TWO of the following are primary objectives of the audit planning phase? (Select TWO.)

Select 2 answers
A.Develop detailed audit procedures
B.Identify and assess risks relevant to the audit
C.Test the effectiveness of internal controls
D.Issue the final audit report
E.Define audit scope and objectives
AnswersB, E

Risk assessment is a key planning activity.

Why this answer

During the audit planning phase, the primary objectives are to define the audit scope and objectives (Option E) and to identify and assess risks relevant to the audit (Option B). This sets the foundation for the entire audit engagement, ensuring resources are focused on high-risk areas and that the audit is aligned with organizational goals. Detailed procedures are developed later, and testing controls or issuing reports occur in subsequent phases.

Exam trap

The trap here is confusing the planning phase with the execution phase, leading candidates to select 'develop detailed audit procedures' (Option A) as a planning objective, when it is actually a step in the audit program development after planning is complete.

823
MCQeasy

Which of the following is the PRIMARY objective of an operational audit?

A.To identify security vulnerabilities
B.To evaluate financial reporting
C.To verify compliance with laws
D.To assess the efficiency and effectiveness of operations
AnswerD

Operational audits evaluate how well resources are used and objectives are met.

Why this answer

Option D is correct because an operational audit focuses on the efficiency and effectiveness of operations. Options A, B, and C are objectives of other types of audits (security, financial, and compliance audits respectively).

824
MCQmedium

An organization uses automated job scheduling with dependency management. A critical nightly batch job failed because a prerequisite job did not complete successfully. The job scheduler automatically attempted to rerun the failed job three times, each time failing due to the same dependency. The operations team was not alerted until the next morning. What control should the auditor recommend to improve this process?

A.Increase the number of automatic rerun attempts.
B.Implement real-time alerts for job failures and dependency issues.
C.Remove dependency management for critical jobs.
D.Schedule all critical jobs to run sequentially without dependencies.
AnswerB

Alerts would enable timely intervention.

Why this answer

The core issue is the lack of timely notification, not the number of retries or the dependency logic itself. The job scheduler correctly identified the dependency failure and attempted reruns, but the operations team remained unaware until the next morning. Implementing real-time alerts for job failures and dependency issues (Option B) ensures that the operations team can intervene immediately, rather than discovering the problem hours later during a manual check.

Exam trap

The trap here is that candidates focus on the retry mechanism (Option A) or the dependency structure (Options C and D) instead of recognizing that the fundamental control gap is the absence of real-time notification, which is a core operations resilience requirement.

How to eliminate wrong answers

Option A is wrong because increasing the number of automatic rerun attempts does not address the root cause—the prerequisite job failed, and retrying the dependent job without fixing the dependency is futile and wastes system resources. Option C is wrong because removing dependency management for critical jobs would break the logical execution order, potentially causing data integrity issues or cascading failures where downstream jobs run on incomplete or erroneous data. Option D is wrong because scheduling all critical jobs to run sequentially without dependencies ignores the reality that many jobs rely on the output of others; this would either force artificial delays or require manual coordination, defeating the purpose of automated scheduling.

825
MCQhard

A system has a Mean Time Between Failures (MTBF) of 500 hours and a Mean Time To Repair (MTTR) of 20 hours. What is the availability of the system?

A.97.50%
B.92.00%
C.96.15%
D.95.00%
AnswerC

Correct: 500/(500+20) = 500/520 ≈ 96.15%.

Why this answer

Availability is calculated as MTBF / (MTBF + MTTR). With MTBF = 500 hours and MTTR = 20 hours, availability = 500 / (500 + 20) = 500 / 520 ≈ 0.9615, or 96.15%. This formula measures the proportion of time the system is operational, directly reflecting its resilience and recoverability.

Exam trap

The trap here is that candidates may incorrectly compute availability as (MTBF - MTTR)/MTBF or simply subtract MTTR/MTBF from 1 without using the correct denominator, leading to plausible but wrong percentages like 96% or 95%.

How to eliminate wrong answers

Option A is wrong because 97.50% would result from incorrectly using MTBF / (MTBF + MTTR) but miscalculating the denominator as 512.82 or misplacing the decimal. Option B is wrong because 92.00% might come from subtracting MTTR/MTBF (20/500 = 0.04) from 1 and rounding incorrectly, or from a confusion with a different metric like inherent availability. Option D is wrong because 95.00% could be obtained by using MTBF / (MTBF + 2*MTTR) or by mistakenly treating MTTR as a percentage of MTBF (20/500 = 4%, then 100% - 4% = 96%, but rounding down to 95%).
