An organization plans to centrally decommission end-of-life databases and migrate the data to the latest model of hardware. Which of the following BEST ensures data integrity is preserved during the migration?

Reconciling sample data to most recent backups

During a closing meeting, the IT manager disagrees with a valid audit finding presented by the IS auditor and requests the finding be excluded from the final report. Which of the following is the auditor's BEST course of action?

Provide the evidence which supports the finding and keep the finding in the report.

Request that the IT manager be removed from the remaining meetings and future audits.

Modify the finding to include the IT manager's comments and inform the audit manager of the changes.

Remove the finding from the report and continue presenting the remaining findings.

Provide the evidence which supports the finding and keep the finding in the report.

During which IT project phase is it MOST appropriate to conduct a benefits realization analysis?

Post-implementation review phase

User acceptance testing (UAT) phase

When planning a review of IT governance, an IS auditor is MOST likely to:

obtain information about the control framework adopted by management.

assess whether business process owner responsibilities are consistent.

obtain information about the control framework adopted by management.

examine audit committee minutes for IT-related controls.

define key performance indicators (KPIs).

Which of the following is the BEST indicator that a third-party vendor adheres to the controls required by the organization?

Regular independent assessment of the vendor

Review of monthly performance reports submitted by the vendor

Certifications maintained by the vendor

Regular independent assessment of the vendor

Substantive log file review of the vendor's system

Which of the following would BEST prevent an arbitrary application of a patch?

Established maintenance windows

Which of the following would be MOST important to include in an IS audit report?

The level of unmitigated risk along with business impact

Observations not reported as findings due to inadequate evidence

The roadmap for addressing the various risk areas

The level of unmitigated risk along with business impact

Specific technology solutions for each audit observation

An organization has implemented a new data classification scheme and asks the IS auditor to evaluate its effectiveness. Which of the following would be ofGREATEST concern to the auditor?

The organization classifies most of its information as confidential.

End-user managers determine who should access what information.

The organization has created a dozen different classification categories.

The compliance manager decides how the information should be classified.

The organization classifies most of its information as confidential.

An organization's business continuity plan (BCP) should be:

updated based on changes to personnel and environments.

updated before an independent audit review.

tested after an intrusion attempt into the organization's hot site.

tested whenever new applications are implemented.

updated based on changes to personnel and environments.

Which of the following presents the GREATEST risk associated with end-user computing (EUC) applica-tions over financial reporting?

Calculation errors in spreadsheets

Inability to quickly modify and deploy a solution

Loss of time due to manual processes

Calculation errors in spreadsheets

As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following is the BEST course of action for the IS auditor?

Conduct further discussions with the auditee to develop a mitigation plan.

Accept the auditee's response and perform additional testing.

Suggest hiring a third-party consultant to perform a current state assessment.

Conduct further discussions with the auditee to develop a mitigation plan.

Issue a final report without including the opinion of the auditee.

Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?

Established criteria exist for accepting and approving risk.

A communication plan exists for informing parties impacted by the risk.

Potential impact and likelihood are adequately documented.

Identified risk is reported into the organization's risk committee.

Established criteria exist for accepting and approving risk.

During an information security review, an IS auditor learns an organizational policy requires all employ-ees to attend information security training during the first week of each new year. What is the auditor's BEST recommendation to ensure employees hired after January receive adequate guid-ance regarding security awareness?

Revise the policy to include security training during onboarding.

Ensure new employees read and sign acknowledgment of the acceptable use policy.

Revise the policy to include security training during onboarding.

Revise the policy to require security training every six months for all employees.

Require management of new employees to provide an overview of security awareness.

Which of the following procedures for testing a disaster recovery plan (DRP) is MOST effective?

Testing at a secondary site using offsite data backups

Performing a quarterly tabletop exercise

Reviewing recovery time and recovery point objectives

Reviewing documented backup and recovery procedures

Which of the following would an IS auditor find to be the GREATEST risk associated with the server room in a remote office location?

The server room does not have temperature controls.

The server room is secured by a key lock instead of an electronic lock.

The server room's location is known by people who work in the area.

The server room does not have temperature controls.

The server room does not have biometric controls.

Which of the following should be of GREATEST concern to an IS auditor when using data analytics?

The data source lacks integrity.

The data analytics software is open source.

The data set contains irrelevant fields.

The data was not extracted by the auditor.

An IS auditor finds that a number of key patches have not been applied in a timely manner due to re-source constraints. Which of the following is the GREATEST risk to the organization in this situation?

Known security vulnerabilities may not be mitigated.

Systems may not be supported by the vendor.

Known security vulnerabilities may not be mitigated.

Different systems may not be compatible.

The systems may not meet user requirements.

Which of the following should be the PRIMARY purpose of conducting tabletop exercises when re-viewing a security incident response plan?

To determine process improvement options for the incident response plan

To provide efficiencies for alignment with incident response test scenarios

To determine process improvement options for the incident response plan

To gather documentation for responding to security audit inquiries

To confirm that technology is in place to support the incident response plan

A security review focused on data loss prevention (DLP) revealed the organization has no visibility to data stored in the cloud. What is the IS auditor's BEST recommendation to address this issue?

Employ a cloud access security broker (CASB).

Enhance the firewall at the network perimeter.

Implement a file system scanner to discover data stored in the cloud.

Employ a cloud access security broker (CASB).

Utilize a DLP tool on desktops to monitor user activities.

Which of the following is MOST important to review during the project initiation phase of developing and deploying a new application?

User acceptance testing (UAT) plans

Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

Performing independent reviews of responsible parties engaged in the project

Shortlisting vendors to perform renovations

Ensuring the project progresses as scheduled and milestones are achieved

Implementing data center operational controls

Which of the following findings would be of GREATEST concern to an IS auditor reviewing firewall security for an organization's corporate network?

The production configuration does not conform to corporate policy.

Responsibility for the firewall administration rests with two different divisions.

Industry hardening guidance has not been considered.

The firewall configuration file is extremely long and complex.

Which of the following is MOST helpful for evaluating benefits realized by IT projects?

Comparing planned versus actual return on investment (ROI)

Benchmarking IT project management practices with industry peers

Evaluating compliance with key security controls

Comparing planned versus actual return on investment (ROI)

Reviewing system development life cycle (SDLC) processes

Which of the following non-audit activities may impair an IS auditor's independence and objectivity?

Designing security controls for a new cloud-based workforce management system

Evaluating a third-party customer satisfaction survey

Providing advice on an IT project management framework

Designing security controls for a new cloud-based workforce management system

Reviewing secure software development guidelines adopted by an organization

Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor's NEXT course of action?

Document management's acceptance in the audit report.

Escalate the acceptance to the board.

Ensure a follow-up audit is on next year's plan.

Escalate acceptance to the audit committee.

The PRIMARY goal of capacity management is to:

provide necessary IT resources to meet business requirements.

minimize data storage needs across the organization.

provide necessary IT resources to meet business requirements.

minimize system idle time to optimize cost.

ensure that IT teams have sufficient personnel.

Which of the following is the PRIMARY benefit of benchmarking an organization's software development lifecycle practices against a capability maturity model?

Repeatable software development procedures are established.

Reliable products are guaranteed.

Repeatable software development procedures are established.

Programmers' efficiency is improved.

Security requirements are added to software development processes.

An IS auditor finds a user account where privileged access is not appropriate for the user's role. Which of the following would provide the BEST evidence to determine whether the risk of this access has been exploited?

Interview with the user's manager

Last logon date for the account

Documented approval for the account

A telecommunications company has recently created a new fraud department with three employees and acquired a fraud detection system that uses artificial intelligence (AI) modules. Which of the following would be of GREATEST concern to an IS auditor reviewing the system?

A small number of false negatives

A very large number of true negatives

A small number of false negatives

A small number of true positives

A large number of false positives

Which of the following technology trends can lead to more robust data loss prevention (DLP) tools?

Robotic process automation (RPA)

An IS auditor is reviewing a machine learning algorithm-based system for loan approvals and is preparing a data set to test the algorithm for bias. Which of the following is MOST important for the auditor's test data set to include?

Applicants from a range of geographic areas and income levels

Incomplete records and incorrectly formatted data

Which of the following BEST enables an organization to standardize its IT infrastructure to align with business goals?

Robotic process automation (RPA)

Which of the following is MOST helpful for understanding an organization's key driver to modernize application platforms?

Inventory of end-of-life software

Which type of testing is used to identify security vulnerabilities in source code in the development environment?

Static analysis security testing (SAST)

Interactive application security testing (IAST)

Runtime application self-protection (RASP)

Dynamic analysis security testing (DAST)

Static analysis security testing (SAST)

Isaca CISA Practice Test 23 - Free Online Exam Prep & Questions

An IS auditor discovers that a developer has used the same key to grant access to multiple applications making calls to an application programming interface (API). Which of the following is the BEST recommendation to address this situation?

Become a Premium Member for full access

Unlock Premium Member

Isaca CISA Practice Test 23

Question

Isaca CISA Practice Tests

Practice Tests