- An IS audit director is allocating the limited hours of a three-person audit team across forty auditable systems for the coming year. The approach most consistent with risk-based audit planning is to assign hours according to:
- Each system's assessed likelihood of failure and the business impact if it fails
- The alphabetical order of the system names
- An equal split so every system receives the same coverage
- The personal interest of each auditor in the technology
Correct answer: Each system's assessed likelihood of failure and the business impact if it fails
Assigning hours according to each system's assessed likelihood of failure and the business impact if it fails is the essence of risk-based audit planning, which directs scarce resources to the areas of greatest exposure. Alphabetical ordering, equal splits, and auditor preference all ignore relative risk.
- Before finalizing the annual audit plan, an IS auditor maps each auditable area against the organization's risk register and enterprise risk appetite. The primary benefit of grounding the plan in the organization's own risk assessment is that it:
- Guarantees that no material weaknesses will be found
- Aligns audit coverage with the risks management considers most significant to objectives
- Removes the need to obtain audit committee approval
- Allows the auditor to skip understanding the business processes
Correct answer: Aligns audit coverage with the risks management considers most significant to objectives
Grounding the plan in the organization's risk assessment aligns audit coverage with the risks management considers most significant to objectives, which is the goal of risk-based planning. It does not guarantee findings, eliminate the need for governance approval, or excuse the auditor from understanding the processes.
- An IS auditor argues that the annual audit universe should be reprioritized after the company acquires a new subsidiary with weak IT controls. This argument reflects the principle that risk-based planning must:
- Respond to changes in the organization's risk landscape during the year
- Stay frozen once management signs off at year start
- Depend only on the count of prior-year findings
- Be set entirely by the size of the audit budget
Correct answer: Respond to changes in the organization's risk landscape during the year
Reprioritizing after an acquisition reflects that risk-based planning must respond to changes in the organization's risk landscape during the year. Freezing the plan, relying solely on prior-year finding counts, or letting budget size dictate scope would all ignore newly emerged risk.
- An IS auditor wants to determine whether the disbursement-approval control operated for every payment during the period, without yet judging whether the payment amounts are correct. This objective calls for:
- Substantive testing of payment amounts
- A business impact analysis
- Compliance testing of the approval control
- A penetration test of the payment gateway
Correct answer: Compliance testing of the approval control
Determining whether the approval control operated for every payment is compliance testing, which evaluates whether a control functioned as intended. Substantive testing would judge the correctness of amounts, while a business impact analysis and a penetration test serve resilience and security purposes unrelated to control operation.
- An IS auditor finds that compliance testing of a key automated control produced an unacceptably high deviation rate. The most appropriate consequence for the related substantive procedures is to:
- Eliminate substantive testing because the control was tested
- Leave substantive testing unchanged regardless of the result
- Expand substantive testing because reliance on the control is no longer justified
- Replace substantive testing with management inquiry
Correct answer: Expand substantive testing because reliance on the control is no longer justified
A high deviation rate means reliance on the control is no longer justified, so the auditor should expand substantive testing to obtain direct evidence about the affected transactions. Eliminating substantive work, leaving it unchanged, or substituting weaker inquiry would each fail to compensate for the unreliable control.
- Which of the following procedures is a compliance test rather than a substantive test?
- Recomputing the interest accrued on a sample of loans
- Inspecting a sample of user-access requests to verify each had documented approval
- Confirming the existence of receivable balances directly with customers
- Tracing recorded inventory to physical counts
Correct answer: Inspecting a sample of user-access requests to verify each had documented approval
Inspecting access requests to verify each had documented approval is a compliance test, because it evaluates whether a control operated as designed. Recomputing interest, confirming receivables, and tracing inventory to counts are substantive procedures that test the integrity of amounts and balances.
- An IS auditor seeks direct evidence about whether the quantities recorded in a fixed-asset register actually exist and are accurate, independent of any control over the register. The auditor should perform:
- Compliance testing of the asset-tagging approval workflow
- Substantive procedures such as physically verifying a sample of assets against the register
- A review of the IT steering committee's charter
- Inquiry of the procurement clerk about purchasing volumes
Correct answer: Substantive procedures such as physically verifying a sample of assets against the register
Physically verifying a sample of assets against the register is substantive testing, which provides direct evidence about the existence and accuracy of the recorded quantities. Compliance testing of the workflow, reviewing a charter, and inquiry about volumes do not directly establish whether the recorded data is correct.
- An IS auditor recalculates a sample of customer invoices and compares the results to the amounts stored in the billing system to detect overbilling. This work is substantive testing because it:
- Confirms that billing staff completed annual training
- Documents whether an approval control exists on paper
- Measures the deviation rate of a single control activity
- Yields direct evidence about the accuracy of the recorded invoice amounts
Correct answer: Yields direct evidence about the accuracy of the recorded invoice amounts
Recalculating invoices and comparing them to stored amounts yields direct evidence about the accuracy of the recorded invoice amounts, which is the purpose of substantive testing. It is not aimed at confirming training, documenting an approval control, or measuring a control's deviation rate, all of which concern controls rather than transaction integrity.
- In a small IT department, the same engineer must both write code and move it into production because no separate release operator exists. To address the resulting segregation weakness, management requires an independent peer to review and sign off on every deployment. This independent sign-off is best described as a:
- Control that fully restores segregation of duties
- Compensating control that offsets the missing segregation of duties
- Preventive control that removes the inherent risk entirely
- Detective control with no relationship to segregation
Correct answer: Compensating control that offsets the missing segregation of duties
The independent peer sign-off is a compensating control that offsets the missing segregation of duties, providing alternative assurance where true separation is impractical. It does not fully restore segregation, remove the inherent risk entirely, or stand unrelated to segregation; it mitigates the specific weakness left by combining roles.
- When evaluating whether a proposed compensating control is adequate, an IS auditor's overriding question should be whether the compensating control:
- Reduces the residual risk left by the missing primary control to an acceptable level
- Was recommended by the system vendor
- Costs less than the control it replaces
- Is implemented in the same software as existing controls
Correct answer: Reduces the residual risk left by the missing primary control to an acceptable level
The overriding question is whether the compensating control reduces the residual risk left by the missing primary control to an acceptable level, since mitigating that exposure is its entire purpose. Cost, the source of the recommendation, and technology consistency are secondary to whether the control actually addresses the risk.
- An IS auditor notes that a compensating control is justified only when:
- The organization wishes to reduce documentation
- A management preference exists for additional reports
- All primary controls are already operating effectively
- The ideal or primary control cannot be feasibly implemented, leaving a risk needing other mitigation
Correct answer: The ideal or primary control cannot be feasibly implemented, leaving a risk needing other mitigation
A compensating control is justified only when the ideal or primary control cannot be feasibly implemented, leaving a risk that needs other mitigation. It is not a tool to cut documentation, satisfy a preference for reports, or supplement controls that are already fully effective.
- In the audit risk model, the component that exists before any controls are considered and stems from the nature of the activity or account itself is:
- Control risk
- Inherent risk
- Detection risk
- Sampling risk
Correct answer: Inherent risk
Inherent risk exists before any controls are considered and stems from the nature of the activity or account itself, such as susceptibility to error or fraud. Control risk concerns the failure of controls, while detection and sampling risk relate to the auditor's own procedures.
- An IS auditor concludes that a process is highly complex and prone to error even before evaluating its controls. Within the audit risk model, this conclusion describes a high level of:
- Detection risk
- Sampling risk
- Inherent risk
- Control risk
Correct answer: Inherent risk
Concluding that a process is complex and error-prone before evaluating controls describes high inherent risk, which arises from the nature of the process independent of controls. It is not detection risk, which depends on the auditor's procedures, nor sampling or control risk, which relate to sample selection and control effectiveness.
- An IS auditor wants to keep overall audit risk at a constant low target. If both inherent risk and control risk are assessed as high for a system, the auditor must set detection risk:
- Low, by performing more extensive substantive testing
- High, by performing less substantive testing
- At the same level as inherent risk
- Equal to zero, eliminating all testing
Correct answer: Low, by performing more extensive substantive testing
To hold overall audit risk low when inherent and control risk are both high, the auditor must set detection risk low by performing more extensive substantive testing. Raising detection risk through less testing, matching it to inherent risk, or driving it to zero would not keep overall audit risk at the target.
- Which statement most accurately describes control risk in the audit risk model?
- It is the risk that the auditor's sample misrepresents the population
- It is the risk that the entity's internal controls fail to prevent or detect a material misstatement
- It is the risk arising solely from the auditor choosing the wrong procedure
- It is identical to the inherent risk of the activity
Correct answer: It is the risk that the entity's internal controls fail to prevent or detect a material misstatement
Control risk is the risk that the entity's internal controls fail to prevent or detect a material misstatement on a timely basis. It is not sampling risk, not the auditor's procedural error, and not the same as inherent risk, which exists independently of the entity's controls.
- An IS auditor downloads an entire year of access logs and runs a custom routine to flag every login that occurred outside approved business hours. Applying a programmed routine to analyze a full data population in this way is an example of:
- A computer-assisted audit technique
- A disaster recovery exercise
- A control self-assessment workshop
- A service level agreement review
Correct answer: A computer-assisted audit technique
Running a programmed routine to flag off-hours logins across a full population is a computer-assisted audit technique, applying automated tooling to test data for exceptions. It is not a disaster recovery exercise, a control self-assessment workshop, or a service level agreement review, which serve resilience, self-evaluation, and vendor-management purposes.
- An IS auditor wants to confirm that no duplicate or fictitious employees exist in a payroll file of 50,000 records. The most efficient and reliable approach is to:
- Interview the payroll manager about controls
- Read the payroll system's user manual
- Select ten records at random and inspect them by hand
- Use a CAAT to test the entire population for duplicate identifiers and invalid records
Correct answer: Use a CAAT to test the entire population for duplicate identifiers and invalid records
Using a CAAT to test the entire population for duplicate identifiers and invalid records is the most efficient and reliable approach, because it examines every record consistently rather than relying on a small manual sample. Interviewing the manager, hand-inspecting ten records, or reading the manual would not provide the same population-wide assurance.
- An IS auditor uses test data, submitting known transactions through the live application to see whether the program processes them as expected. The integrity of the conclusions from this CAAT depends most on the auditor ensuring that:
- The report is formatted with the audit department's logo
- The test data exercises the relevant conditions and the version tested is the one in production
- The test was performed on the last day of the engagement
- The application vendor approves of the testing approach
Correct answer: The test data exercises the relevant conditions and the version tested is the one in production
The validity of test-data results depends most on the auditor ensuring the test data exercises the relevant conditions and that the version tested is the one running in production. Report formatting, the timing within the engagement, and vendor approval do not affect whether the test yields valid evidence about the real system.
- An IS auditor wants to estimate, with a stated confidence level, the proportion of change tickets in a large population that were deployed without the required testing sign-off. The most suitable sampling method is:
- Haphazard selection of suspicious tickets
- Variable sampling
- Monetary unit sampling
- Attribute sampling
Correct answer: Attribute sampling
Estimating the proportion of change tickets missing a required sign-off is an attribute-sampling objective, because the auditor measures the rate of a yes-or-no control condition across the population. Variable and monetary unit sampling estimate amounts, and haphazard selection cannot support a statistically projectable rate.
- An IS auditor expects almost no exceptions in a control population and wants to minimize the number of items examined by testing in stages and stopping early once results support reliance. The technique designed for this is:
- Variable sampling
- Stratified mean estimation
- Full-population reperformance
- Stop-or-go sampling
Correct answer: Stop-or-go sampling
Testing in stages and stopping early once results support reliance is stop-or-go sampling, which minimizes sample size when few exceptions are expected. Variable sampling and stratified mean estimation address monetary amounts, and full-population reperformance is the opposite of minimizing effort.
- An IS auditor needs to project the most likely total dollar misstatement in a population of inventory valuations. The sampling method designed to estimate a numeric amount is:
- Attribute sampling
- Discovery sampling
- Variable sampling
- Stop-or-go sampling
Correct answer: Variable sampling
Projecting the most likely total dollar misstatement is a variable-sampling objective, because variable sampling estimates a numeric value or amount. Attribute and discovery sampling measure occurrence rates of control conditions, and stop-or-go sampling is a method for minimizing sample size rather than estimating amounts.
- An IS auditor explains that even a properly designed statistical sample carries sampling risk, which is best defined as the risk that:
- The audit software will malfunction during extraction
- The conclusion based on the sample differs from the conclusion that testing the entire population would reach
- Management will dispute the audit findings
- The auditor lacks the appropriate professional certification
Correct answer: The conclusion based on the sample differs from the conclusion that testing the entire population would reach
Sampling risk is the risk that the conclusion based on the sample differs from the conclusion that testing the entire population would reach, because the sample may not perfectly represent the whole. Software malfunctions, management disputes, and auditor credentials are unrelated to the statistical representativeness of a sample.
- An organization's internal audit team operates automated routines that independently gather and evaluate evidence on a near-real-time basis to provide assurance to the audit committee. This activity is best described as:
- Continuous monitoring
- A management control self-assessment
- A post-implementation review
- Continuous auditing
Correct answer: Continuous auditing
Automated, independent routines run by the audit team to gather and evaluate evidence near-real-time for assurance purposes describe continuous auditing. Continuous monitoring is a management activity, while a post-implementation review and a control self-assessment are point-in-time and management-led respectively.
- Which characteristic most clearly distinguishes continuous monitoring from continuous auditing?
- Continuous monitoring can only be done annually
- Continuous monitoring is performed by management to oversee its own controls, while continuous auditing is performed independently to provide assurance
- Continuous auditing is always performed by management
- Continuous monitoring produces audit opinions for external regulators
Correct answer: Continuous monitoring is performed by management to oversee its own controls, while continuous auditing is performed independently to provide assurance
The key distinction is that continuous monitoring is performed by management to oversee its own controls, while continuous auditing is performed independently by the audit function to provide assurance. The other statements wrongly limit monitoring to annual frequency, assign continuous auditing to management, or claim monitoring produces external audit opinions.
- An IS audit function plans to introduce continuous auditing for high-volume transactions. The most essential enabling condition is:
- A promise from management that exceptions will never occur
- Reliable, automated, and timely access to the relevant transaction data
- The permanent discontinuation of all periodic audits
- Removal of all preventive controls from the process
Correct answer: Reliable, automated, and timely access to the relevant transaction data
Continuous auditing requires reliable, automated, and timely access to the relevant transaction data so evidence can be gathered and evaluated frequently. It does not depend on a promise of zero exceptions, the elimination of periodic audits, or the removal of preventive controls.
- Under the ISACA Code of Professional Ethics, when an IS auditor discovers a significant control deficiency during fieldwork, the auditor is expected to:
- Omit it from the report if management objects
- Wait until the next year's audit to mention it
- Disclose it only to the auditor's personal contacts
- Report the deficiency truthfully to the appropriate parties
Correct answer: Report the deficiency truthfully to the appropriate parties
The ISACA Code requires the auditor to report the deficiency truthfully to the appropriate parties, supporting the principles of integrity and proper communication of results. Omitting it under pressure, disclosing it improperly, or deferring it would violate the Code's requirements for honest and timely reporting.
- An IS auditor is invited to invest in a startup that the auditor is about to audit on behalf of a client. To uphold the ISACA Code of Professional Ethics, the auditor should:
- Accept the investment because it is unrelated to the fee
- Audit the startup more leniently to protect the investment
- Proceed with the audit and keep the investment confidential
- Disclose the conflict and avoid auditing an entity in which the auditor has a financial interest
Correct answer: Disclose the conflict and avoid auditing an entity in which the auditor has a financial interest
The auditor should disclose the conflict and avoid auditing an entity in which the auditor has a financial interest, preserving objectivity and independence as the Code requires. Accepting the investment, hiding it, or softening the audit to protect it would all compromise the auditor's independence.
- How do ISACA's mandatory IS audit and assurance standards relate to its IS audit and assurance guidelines?
- Guidelines are mandatory and standards are optional
- Both are voluntary suggestions with no binding force
- Standards set mandatory requirements, while guidelines offer non-mandatory direction on applying them
- Guidelines override standards whenever they conflict
Correct answer: Standards set mandatory requirements, while guidelines offer non-mandatory direction on applying them
Standards set mandatory requirements, while guidelines offer non-mandatory direction on how to apply those requirements. Guidelines are not mandatory, standards are not optional, both are not merely voluntary, and guidelines do not override the standards.
- A door badge reader that denies physical entry to anyone lacking authorized credentials, thereby stopping an unauthorized person from reaching the server room, is acting as which type of control?
- Detective control
- Corrective control
- Preventive control
- Recovery control
Correct answer: Preventive control
A badge reader that denies entry to stop an unauthorized person from reaching the server room is a preventive control, because it keeps the undesirable event from happening. Detective controls identify events afterward, while corrective and recovery controls restore normal operation after an event, none of which describe blocking entry up front.
- Security software that compares activity against known signatures and raises an alert when it identifies that a malicious file has already entered the network is functioning primarily as a:
- Preventive control
- Detective control
- Directive control
- Deterrent control
Correct answer: Detective control
Software that raises an alert after identifying that a malicious file has already entered is a detective control, because it identifies an event that has already occurred. A preventive control would have blocked the file, a directive control instructs behavior, and a deterrent discourages rather than detects the activity.
- After a ransomware incident encrypts production files, an organization restores the data from backups and rebuilds the affected servers. Restoring and rebuilding in this way is best classified as which control type?
- Corrective control
- Detective control
- Preventive control
- Directive control
Correct answer: Corrective control
Restoring data and rebuilding servers after an incident is a corrective control, because it remediates and recovers from an event that has already occurred. A preventive control would have stopped the incident, a detective control would have identified it, and a directive control instructs desired behavior rather than restoring operations.
- An IS auditor classifies a written policy that instructs employees to encrypt laptops as a directive control. The distinguishing feature of a directive control is that it:
- Restores systems after a failure
- Identifies incidents after they happen
- Instructs or mandates desired behavior to reduce the likelihood of an undesirable event
- Physically prevents any device from connecting
Correct answer: Instructs or mandates desired behavior to reduce the likelihood of an undesirable event
A directive control instructs or mandates desired behavior to reduce the likelihood of an undesirable event, as a laptop-encryption policy does. It does not restore systems, identify incidents after the fact, or physically prevent connections, which describe corrective, detective, and preventive controls respectively.
- When judging the reliability of audit evidence, an IS auditor should generally regard evidence the auditor obtains and validates directly as:
- Less reliable than an unsupported verbal assurance
- Irrelevant unless management agrees with it
- Equally reliable as a draft prepared by the auditee
- More reliable than evidence supplied only by the auditee
Correct answer: More reliable than evidence supplied only by the auditee
Evidence the auditor obtains and validates directly is generally more reliable than evidence supplied only by the auditee, because it is least subject to auditee influence. It is not less reliable than a verbal assurance, equal to an auditee-prepared draft, or dependent on management's agreement to have value.
- An IS auditor wants the strongest evidence that a system correctly applies a tiered discount calculation. The most reliable technique is to:
- Accept a written assurance from the programmer
- Rely on a management representation letter
- Read the functional specification document
- Independently reperform the discount calculation and compare it to the system's output
Correct answer: Independently reperform the discount calculation and compare it to the system's output
Independently reperforming the calculation and comparing it to the system's output is the most reliable technique, because evidence the auditor generates directly is least subject to auditee influence. A programmer's written assurance, the specification document, and a representation letter are weaker, auditee-sourced forms of evidence.
- An IS auditor extracts a configuration file directly from a production server instead of accepting a printout prepared by the system owner. The principal advantage of obtaining the evidence directly is that it:
- Lowers the engagement's cost
- Removes the obligation to document the procedure
- Lessens the chance the evidence was modified before reaching the auditor
- Ensures management will accept the finding
Correct answer: Lessens the chance the evidence was modified before reaching the auditor
Obtaining the configuration directly lessens the chance the evidence was modified before reaching the auditor, strengthening its reliability. It is not primarily about cost, does not remove the documentation obligation, and does not guarantee management acceptance of any finding.
- Of the following sources, which would an IS auditor generally consider the LEAST reliable form of audit evidence?
- An unsupported oral statement from the process owner
- The auditor's own reperformance of a control
- A confirmation received directly from an independent third party
- A document the auditor inspected and independently corroborated
Correct answer: An unsupported oral statement from the process owner
An unsupported oral statement from the process owner is generally the least reliable, because it is uncorroborated and easily influenced by the auditee. An independent third-party confirmation, auditor reperformance, and an independently corroborated document are all stronger, more objective forms of evidence.
- An IS auditor planning the year's coverage notices that a legacy system processing the company's highest-value contracts has never been audited and supports a heavily regulated revenue stream. Prioritizing this system in the plan exemplifies risk-based planning because the decision is driven by:
- The combination of high business impact and regulatory exposure if the system fails
- The age of the programming language used
- The number of users who like the interface
- The order in which systems were originally purchased
Correct answer: The combination of high business impact and regulatory exposure if the system fails
Prioritizing the system because of the combination of high business impact and regulatory exposure if it fails exemplifies risk-based planning, which targets effort where exposure is greatest. The programming language's age, user satisfaction with the interface, and purchase order have no bearing on the system's risk.
- An IS auditor reviewing a high-risk financial application sets assessed control risk at maximum after concluding the controls cannot be relied upon. To keep overall audit risk within the acceptable target, the auditor should:
- Treat the overall audit risk as automatically acceptable
- Reduce substantive testing to save engagement hours
- Perform extensive substantive testing to reduce detection risk
- Raise inherent risk to offset the control weakness
Correct answer: Perform extensive substantive testing to reduce detection risk
With control risk set at maximum, the auditor should perform extensive substantive testing to reduce detection risk and keep overall audit risk acceptable. Reducing substantive testing, assuming audit risk is acceptable, or attempting to raise inherent risk would each fail to manage the elevated risk.
- An IS auditor needs to determine whether the change-management approval control functioned for each production change during the year. This objective is fundamentally a matter of:
- Verifying the integrity of the code in each change
- Assessing the strength of encryption used in transit
- Measuring the recovery time objective of the affected system
- Confirming that the control operated as designed throughout the period
Correct answer: Confirming that the control operated as designed throughout the period
Determining whether the approval control functioned for each change is fundamentally about confirming that the control operated as designed throughout the period, which is the aim of compliance testing. It is not about code integrity, recovery objectives, or encryption strength, all of which fall outside control-operation testing.
- An IS auditor selects forty new-user accounts and verifies only whether each was activated by an authorized approver. Because the test measures the presence or absence of a yes-or-no control condition across a population, it is best described as:
- Variable sampling for a monetary amount
- A penetration test of the identity store
- Attribute sampling for a control condition
- A recovery point objective assessment
Correct answer: Attribute sampling for a control condition
Verifying only whether each account was activated by an authorized approver is attribute sampling for a control condition, measuring the presence or absence of a control attribute. It is not variable sampling, which estimates amounts, nor a penetration test or recovery point objective assessment, which serve security and resilience purposes.
- An IS auditor observes operations staff performing the end-of-day reconciliation rather than relying on a written description of how it is supposedly done. Direct observation is valuable here because it provides evidence about:
- The market value of the reconciliation software
- The recovery point objective of the database
- How the control is actually performed, which may differ from the documented procedure
- The encryption algorithm protecting the network
Correct answer: How the control is actually performed, which may differ from the documented procedure
Direct observation provides evidence about how the control is actually performed, which may differ from the documented procedure, revealing whether practice matches what is written. It does not establish the software's market value, the database's recovery point objective, or the network's encryption algorithm.
- An IS auditor distinguishes the two purposes behind two test types: one verifies that a control operated, and the other verifies that the recorded amounts are correct. These two purposes correspond respectively to:
- Substantive testing and compliance testing
- Walkthroughs and penetration tests
- Compliance testing and substantive testing
- Inquiry and confirmation
Correct answer: Compliance testing and substantive testing
Verifying that a control operated is the purpose of compliance testing, while verifying that recorded amounts are correct is the purpose of substantive testing. The reversed pairing misassigns the purposes, and walkthroughs, penetration tests, inquiry, and confirmation are techniques rather than this pair of objectives.
- An IS auditor must obtain assurance that the balances in an accounts-payable subledger are valid and accurately stated, independent of any control over the subledger. The appropriate testing strategy is:
- Substantive testing of the subledger balances themselves
- Compliance testing of the invoice-approval control
- A review of the organization chart for reporting lines
- Confirming the audit team's continuing-education hours
Correct answer: Substantive testing of the subledger balances themselves
Obtaining assurance that the subledger balances are valid and accurately stated, independent of controls, requires substantive testing of those balances themselves. Compliance testing of the approval control, reviewing the organization chart, and confirming the team's education hours give no direct assurance about the correctness of the balances.
- An IS auditor uses a CAAT to scan every accounts-payable transaction for payments to vendors whose bank details match an employee's bank account. The audit benefit of testing the full population rather than a sample is that it:
- Guarantees management will agree with the results
- Eliminates the need to assess control design
- Makes working-paper documentation unnecessary
- Removes sampling risk for that particular test
Correct answer: Removes sampling risk for that particular test
Testing the full population removes sampling risk for that particular test, since no items are left unexamined and the sample cannot misrepresent the whole. It does not eliminate the need to assess control design, remove documentation requirements, or guarantee that management agrees with the findings.
- An IS auditor concludes that, because controls in an area are weak and cannot be relied upon, detection risk must be driven lower. The action most consistent with that conclusion is to:
- Perform fewer procedures to conserve effort
- Perform more extensive and rigorous substantive procedures
- Rely chiefly on management's verbal representations
- Drop the area from the audit plan entirely
Correct answer: Perform more extensive and rigorous substantive procedures
Driving detection risk lower in the face of weak controls is achieved by performing more extensive and rigorous substantive procedures, raising the chance of catching any material issue. Performing fewer procedures, relying on verbal representations, or dropping the area would each increase rather than reduce detection risk.
- An IS auditor designs a sampling plan that draws an initial sample, evaluates the results, and only expands the sample if early results are unfavorable, otherwise concluding without further testing. This plan is an example of:
- Variable sampling
- Stop-or-go sampling
- Monetary unit sampling
- Full reperformance
Correct answer: Stop-or-go sampling
A plan that draws an initial sample, evaluates results, and expands only if early results are unfavorable describes stop-or-go sampling, which minimizes the sample when results are favorable. Variable and monetary unit sampling estimate amounts, and full reperformance examines every item rather than concluding early.
- An IS auditor reviewing the engagement notes that the audit charter has not been formally approved by the board or audit committee. The most significant concern is that, without an approved charter, the audit function may lack:
- A documented mandate establishing its authority, responsibility, and independence
- Adequate desks and office supplies for fieldwork
- Access to the building's parking facilities
- A subscription to industry news publications
Correct answer: A documented mandate establishing its authority, responsibility, and independence
Without an approved charter, the audit function may lack a documented mandate establishing its authority, responsibility, and independence, which the charter formally provides. Desks, parking, and publications are operational amenities unrelated to the audit function's mandate and standing.
- An IS auditor is assigned to audit a specialized blockchain platform but lacks the technical knowledge it requires. Under ISACA standards on proficiency and due care, the appropriate course of action is to:
- Acquire the necessary competence or engage a qualified specialist before performing the work
- Proceed regardless to avoid delaying the schedule
- Issue conclusions based on assumptions about the technology
- Avoid documenting the limitation in the working papers
Correct answer: Acquire the necessary competence or engage a qualified specialist before performing the work
ISACA standards on proficiency and due care require the auditor to acquire the necessary competence or engage a qualified specialist before performing the work. Proceeding without competence, basing conclusions on assumptions, or omitting the limitation from the working papers would breach the standards.
- An IS auditor wants to project a single conclusion about whether a yes-or-no control operated within an acceptable deviation rate across the whole population at a 90 percent confidence level. The appropriate statistical sampling approach is:
- Attribute sampling
- Variable sampling
- Monetary unit sampling
- Convenience sampling
Correct answer: Attribute sampling
Projecting a conclusion about a yes-or-no control's deviation rate at a stated confidence level calls for attribute sampling, which measures the rate of occurrence of a control attribute. Variable and monetary unit sampling estimate amounts, and convenience sampling cannot support a statistically valid projection.
- An IS auditor compares two controls applied to data-entry errors in an order system: a mandatory field-format check that blocks invalid entries at the point of input, and a weekly exception report listing errors that were entered anyway. These two controls are respectively:
- Detective and corrective
- Corrective and preventive
- Preventive and detective
- Directive and deterrent
Correct answer: Preventive and detective
A field-format check that blocks invalid entries at input is preventive because it stops the error up front, while a weekly exception report listing entered errors is detective because it identifies them afterward. The other pairings misclassify one or both controls relative to whether they prevent, detect, or correct.
- An IS auditor uses a CAAT to recompute commission payments across the entire population and finds the recomputed totals match the system. Before reporting that commissions are accurate, the auditor must still confirm that:
- The output report uses the audit department's preferred font
- The CAAT vendor provided supplementary training
- The audit was completed under the allotted budget
- The data input to the CAAT was the complete and unaltered production commission data
Correct answer: The data input to the CAAT was the complete and unaltered production commission data
The auditor must still confirm that the data input to the CAAT was the complete and unaltered production commission data, because matching totals only prove accuracy if the source data was correct and complete. The report's font, the budget, and vendor training have no bearing on the validity of the evidence.
- An IS auditor explains that, holding overall audit risk constant, lowering the assessed control risk after favorable control testing permits the auditor to:
- Disregard detection risk because it no longer applies
- Be required to increase substantive testing and lower detection risk
- Accept a higher detection risk and reduce the extent of substantive testing
- Raise inherent risk to keep the model in balance
Correct answer: Accept a higher detection risk and reduce the extent of substantive testing
Lowering assessed control risk after favorable testing permits the auditor to accept a higher detection risk and reduce the extent of substantive testing while keeping overall audit risk constant. The auditor would not increase substantive work, disregard detection risk, or alter inherent risk, which is a characteristic of the area rather than a lever the auditor adjusts.
- An IS auditor must select a procedure that gives direct evidence about whether recorded transactions are valid and accurate, regardless of how any control operated. The procedure that meets this need is:
- Compliance testing of the related authorization control
- Substantive testing of the transactions themselves
- Reviewing the IT department's reporting hierarchy
- Confirming the audit team's certification status
Correct answer: Substantive testing of the transactions themselves
Providing direct evidence that recorded transactions are valid and accurate, regardless of any control, requires substantive testing of the transactions themselves. Compliance testing addresses control operation, while reviewing the reporting hierarchy or confirming certification status gives no direct assurance about transaction validity.
- An IS auditor implementing a CAAT to identify split purchase orders that evade an approval threshold reasons that the technique is preferable to manual review because manual review of that population would be:
- Impractical and error-prone given the transaction volume
- Just as fast and accurate as automated analysis
- Forbidden under ISACA audit standards
- Incapable of identifying any exceptions
Correct answer: Impractical and error-prone given the transaction volume
The CAAT is preferable because manual review of the full population would be impractical and error-prone given the transaction volume, whereas automated analysis can examine everything quickly and consistently. Manual review is not equally fast, is not forbidden by standards, and is not inherently incapable of finding exceptions.
- During an access-control review, an IS auditor performs two tests: one confirms the access-request approval control operated all year, and the other directly examines the current list of privileged accounts to verify only authorized users hold access. The second test, examining the actual account list, is:
- Compliance testing of the approval control
- A walkthrough of the provisioning narrative
- Substantive testing of the underlying access data
- An inquiry directed to the access administrator
Correct answer: Substantive testing of the underlying access data
Directly examining the current privileged-account list to verify only authorized users hold access is substantive testing of the underlying access data, because it examines the integrity of the data itself rather than a control's operation. Confirming the approval control operated is compliance testing, while a walkthrough and an inquiry assess process understanding rather than data integrity.
- An IS auditor reviewing the ethics expectations for the engagement observes that the ISACA Code of Professional Ethics requires members to perform their duties with:
- Loyalty to management above all other considerations
- Strict secrecy that prevents reporting any issues
- A goal of minimizing the number of reported findings
- Objectivity, due professional care, and diligence
Correct answer: Objectivity, due professional care, and diligence
The ISACA Code requires members to perform their duties with objectivity, due professional care, and diligence. Prioritizing loyalty to management, minimizing reported findings, or maintaining secrecy that blocks reporting would all conflict with the Code's principles of integrity and proper communication.
- An IS auditor wants to understand a complex provisioning process end to end before designing detailed tests, so the auditor traces a single new-hire request from submission through to active access, observing each step. This evidence-gathering technique is best described as a:
- Walkthrough that helps the auditor understand the process and identify control points
- Variable sampling of monetary amounts
- Recovery time objective calculation
- Penetration test of the directory service
Correct answer: Walkthrough that helps the auditor understand the process and identify control points
Tracing a single transaction end to end to understand the process and identify control points is a walkthrough, a technique used to confirm understanding before designing detailed tests. It is not variable sampling, which estimates amounts, nor a recovery time objective calculation or a penetration test, which serve resilience and security purposes.
- An IS auditor is contrasting the components of the audit risk model to explain which one the auditor most directly controls through the nature, timing, and extent of procedures. That component is:
- Detection risk
- Control risk
- Inherent risk
- Business risk
Correct answer: Detection risk
Detection risk is the component the auditor most directly controls through the nature, timing, and extent of procedures, since it reflects the chance the auditor's own work fails to find a material issue. Inherent and control risk are properties of the auditee, and business risk is not a component of the audit risk model.
- An IS auditor uses embedded audit modules that capture and evaluate selected transactions automatically as they are processed, alerting the audit team to exceptions in near real time. This technique is characteristic of:
- A one-time post-implementation review
- A periodic year-end financial audit only
- Continuous auditing
- A management-led control self-assessment workshop
Correct answer: Continuous auditing
Embedded audit modules that capture and evaluate transactions automatically and alert the audit team to exceptions in near real time are characteristic of continuous auditing, which gathers evidence on an ongoing basis. A one-time review, a year-end audit, and a self-assessment workshop are periodic or management-led rather than continuous audit activities.
- An IS auditor builds the annual plan by scoring each auditable unit on impact and likelihood and then allocating effort accordingly. The primary purpose of this scoring step is to ensure that:
- Every auditable unit receives an identical number of hours
- Audit effort concentrates on the units posing the greatest risk to the organization
- The most recently deployed systems are deliberately excluded
- A finding is produced for every unit in the universe
Correct answer: Audit effort concentrates on the units posing the greatest risk to the organization
Scoring units on impact and likelihood ensures audit effort concentrates on the units posing the greatest risk to the organization, the core aim of risk-based planning. It does not allocate identical hours, exclude new systems, or guarantee a finding for every unit, all of which would contradict risk-based prioritization.
- An IS auditor classifies a programmed range check that blocks a payroll entry exceeding a defined maximum before it can be saved. The auditor identifies this as a preventive control because it:
- Stops the erroneous entry from being recorded in the first place
- Lists the rejected entries in a monthly management report
- Restores the correct value after the entry has posted
- Discourages staff from errors through periodic training
Correct answer: Stops the erroneous entry from being recorded in the first place
The programmed range check is preventive because it stops the erroneous entry from being recorded in the first place. Listing rejected entries in a report would be detective, restoring a value after posting would be corrective, and discouraging errors through training would be directive, none of which describe blocking the bad entry at the point of input.
- An IS auditor breaks detection risk into sampling risk and nonsampling risk. Nonsampling risk in this context most directly arises from:
- The drawn sample failing to represent the population
- The effectiveness of the entity's internal controls
- The inherent complexity of the auditee's transactions
- The auditor selecting an unsuitable procedure or misinterpreting the evidence
Correct answer: The auditor selecting an unsuitable procedure or misinterpreting the evidence
Nonsampling risk arises most directly from the auditor selecting an unsuitable procedure or misinterpreting the evidence, factors independent of how the sample was drawn. The sample failing to represent the population is sampling risk, while transaction complexity and control effectiveness drive inherent and control risk rather than detection risk's nonsampling component.
- An IS auditor finds that, because a transaction population is small and fully accessible through a CAAT, every item can be tested rather than sampled. The principal audit consequence of examining the entire population is that the auditor:
- No longer needs to evaluate the design of related controls
- No longer faces sampling risk for that test
- Is relieved of documenting the procedure performed
- Is assured that management will accept the conclusion
Correct answer: No longer faces sampling risk for that test
Examining the entire population means the auditor no longer faces sampling risk for that test, since every item is tested and there is no chance an unexamined remainder is misrepresented. It does not relieve the auditor of evaluating control design, documenting the procedure, or earning management's acceptance of the conclusion.
- An IS auditor is studying the COBIT framework and notes that COBIT 2019 introduced a way to tailor the framework to an enterprise's specific context. What are these tailoring inputs called?
- Design factors
- Control objectives
- Capability levels
- Maturity gates
Correct answer: Design factors
The tailoring inputs are design factors. COBIT 2019 uses design factors such as enterprise strategy, goals, risk profile, threat landscape, and sourcing model to shape a customized governance system. Capability levels measure how well a process performs, control objectives are an older concept, and maturity gates are not a COBIT term.
- An IS auditor reviewing a COBIT-based program wants to assess how well a specific governance process is performed. Which COBIT mechanism rates a process on a scale from incomplete through optimized?
- Annualized loss expectancy
- The capability (and maturity) level rating of processes
- The recovery time objective
- The data classification matrix
Correct answer: The capability (and maturity) level rating of processes
The mechanism is the capability and maturity level rating of processes. COBIT 2019 measures each governance or management process against a capability scale and rolls these up into maturity levels for focus areas, letting auditors gauge how well processes are performed. Annualized loss expectancy, recovery time objective, and a classification matrix measure risk, recovery, and data sensitivity instead.
- An IS auditor is explaining why an enterprise selected COBIT rather than ITIL for its overall IT governance. Which distinction best supports that choice?
- ITIL is a governance and management framework while COBIT covers only incident handling
- Both frameworks address only software development
- COBIT provides an end-to-end governance and management framework, while ITIL focuses primarily on IT service management practices
- COBIT is a hardware standard and ITIL is a network protocol
Correct answer: COBIT provides an end-to-end governance and management framework, while ITIL focuses primarily on IT service management practices
The supporting distinction is that COBIT provides an end-to-end governance and management framework, while ITIL focuses primarily on IT service management. COBIT spans governance objectives across the enterprise, whereas ITIL details service delivery and support processes. The other options reverse the two, mislabel them as hardware or network standards, or wrongly limit both to development.
- An IS auditor finds that an enterprise has adopted COBIT but cannot show how its IT-related goals connect upward to enterprise objectives. Which COBIT feature is designed to make that linkage explicit?
- The penetration testing schedule
- The disaster recovery runbook
- The firewall rule base
- The goals cascade, which links stakeholder needs to enterprise goals, alignment goals, and governance and management objectives
Correct answer: The goals cascade, which links stakeholder needs to enterprise goals, alignment goals, and governance and management objectives
The feature is the goals cascade, which links stakeholder needs to enterprise goals, then to alignment goals, and finally to governance and management objectives. It traces a clear line of sight from what stakeholders want down to the IT objectives that support it. A recovery runbook, firewall rule base, and penetration testing schedule are operational artifacts, not the mechanism for linking IT goals to enterprise goals.
- An IS auditor reviewing governance components under COBIT notes that the framework treats more than just processes as the building blocks of a governance system. Which option lists examples of COBIT governance and management components beyond processes?
- Organizational structures, policies and procedures, information flows, culture and behavior, skills, and services or infrastructure
- Only encryption keys and certificates
- Only network switches and routers
- Only annual budgets and timesheets
Correct answer: Organizational structures, policies and procedures, information flows, culture and behavior, skills, and services or infrastructure
The examples are organizational structures, policies and procedures, information flows, culture and behavior, skills, and services or infrastructure. COBIT treats these components, alongside processes, as the interrelated factors that make a governance system work. Encryption keys, network hardware, and budgets are narrow items that do not capture COBIT's full set of governance components.
- An IS auditor is comparing enterprise architecture frameworks and is asked which one organizes architecture as a matrix of stakeholder perspectives against interrogatives such as what, how, where, who, when, and why. Which framework is this?
- The OWASP Top Ten
- The Zachman Framework
- The OSI reference model
- The Kanban method
Correct answer: The Zachman Framework
The framework is the Zachman Framework. It arranges enterprise architecture as a matrix of stakeholder perspectives (such as planner, owner, and designer) against interrogatives like what, how, where, who, when, and why. The OSI model describes network layers, OWASP Top Ten ranks web risks, and Kanban is a workflow method, none of which is an enterprise architecture matrix.
- An IS auditor reviewing an enterprise architecture program sees the team use TOGAF's iterative method for developing and managing the architecture. What is this method called?
- The annualized rate of occurrence
- The change advisory board
- The Architecture Development Method (ADM)
- The service catalog
Correct answer: The Architecture Development Method (ADM)
The method is the Architecture Development Method, or ADM. TOGAF's ADM is an iterative cycle of phases that guides developing, governing, and maintaining an enterprise architecture. The annualized rate of occurrence is a risk metric, a change advisory board reviews changes, and a service catalog lists services, none of which is TOGAF's development method.
- An IS auditor is assessing how enterprise architecture supports rationalizing a sprawling application portfolio. Which architecture activity most directly identifies redundant or overlapping applications for consolidation?
- Rotating backup tapes off-site
- Tuning database indexes for speed
- Running a quarterly phishing simulation
- Application portfolio analysis that maps applications to business capabilities to reveal duplication and gaps
Correct answer: Application portfolio analysis that maps applications to business capabilities to reveal duplication and gaps
The activity is application portfolio analysis that maps applications to business capabilities to reveal duplication and gaps. By tying each application to the capabilities it supports, architects can spot overlapping systems that are candidates for consolidation. Tape rotation, index tuning, and phishing simulations are operational or security tasks unrelated to portfolio rationalization.
- An IS auditor reviewing enterprise architecture documentation finds detailed technology diagrams but no description of business capabilities, processes, or information needs. Which architecture domain is missing, and why does its absence matter?
- The business (and information) architecture domain is missing, so technology choices are not anchored to what the enterprise actually needs to do
- The network cabling domain is missing, which only affects facilities
- The honeypot domain is missing, which only affects deception
- Nothing is missing because technology diagrams fully describe an enterprise
Correct answer: The business (and information) architecture domain is missing, so technology choices are not anchored to what the enterprise actually needs to do
The missing element is the business and information architecture domain, so technology choices are not anchored to what the enterprise needs to do. Enterprise architecture spans business, information or data, application, and technology layers; omitting the business layer disconnects systems from purpose. Technology diagrams alone do not describe an enterprise, and there is no cabling or honeypot architecture domain in this context.
- An IS auditor evaluating an enterprise architecture initiative sees that architects defined a current state and a target state but documented nothing about how to move between them. What essential architecture deliverable is absent?
- A list of employee birthdays
- A transition or migration roadmap describing the sequenced steps to move from the current state to the target state
- A copy of the office floor plan
- A schedule of cafeteria menus
Correct answer: A transition or migration roadmap describing the sequenced steps to move from the current state to the target state
The absent deliverable is a transition or migration roadmap describing the sequenced steps to move from current to target state. Without a roadmap, the gap between as-is and to-be cannot be closed in a planned, prioritized way. Floor plans, menus, and birthday lists have no bearing on how the architecture will be realized.
- An IS auditor is reviewing how an organization decides which staff may grant access to classified data. According to data classification governance, who is normally responsible for approving access to a given data set?
- Any user who requests it
- The external penetration tester
- The data owner, who authorizes access based on the data's classification and business need
- The facilities security guard
Correct answer: The data owner, who authorizes access based on the data's classification and business need
The responsible party is the data owner, who authorizes access based on the data's classification and business need. Ownership carries accountability for deciding who may use the data, applying least privilege against its sensitivity. Requesters cannot approve their own access, and penetration testers and facilities guards have no authority over data access decisions.
- An IS auditor reviewing a data governance program wants to confirm the organization manages how long data is kept and when it is destroyed. Which governance element addresses this?
- Capacity planning for servers
- The network topology diagram
- The single sign-on configuration
- A data retention and disposal schedule defining how long each data type is kept and how it is securely destroyed
Correct answer: A data retention and disposal schedule defining how long each data type is kept and how it is securely destroyed
The element is a data retention and disposal schedule defining how long each data type is kept and how it is securely destroyed. Governing retention limits legal and storage risk and ensures obsolete data is purged rather than hoarded. Capacity planning, network diagrams, and single sign-on configuration address resources, topology, and authentication, not retention and disposal.
- An IS auditor reviewing data governance finds the organization measures data quality only by accuracy. Which set of dimensions provides a more complete view of data quality?
- Accuracy, completeness, consistency, timeliness, and validity
- Color, font, file size, and folder depth
- Latency, bandwidth, jitter, and packet loss
- Voltage, temperature, humidity, and noise
Correct answer: Accuracy, completeness, consistency, timeliness, and validity
A fuller set of data quality dimensions is accuracy, completeness, consistency, timeliness, and validity. Measuring only accuracy misses whether data is complete, internally consistent, current, and conformant to defined formats. Network metrics, environmental readings, and presentation attributes do not describe data quality.
- An IS auditor reviewing how an organization governs its data assets sees a council of business and IT leaders that sets data policies, resolves ownership disputes, and approves standards. What is this body typically called?
- A change advisory board
- A data governance council (or committee)
- A security operations center
- A help desk steering group
Correct answer: A data governance council (or committee)
The body is a data governance council or committee. It brings together business and IT leaders to set data policies, settle ownership questions, and approve standards across the enterprise. A change advisory board reviews IT changes, a security operations center monitors threats, and a help desk steering group oversees support, none of which governs data policy.
- An IS auditor is reviewing classification practices and finds documents are labeled but the labels do not travel with the data when it is copied or exported. What capability would best preserve classification as data moves?
- Painting the server racks a different color per classification
- Storing classified files only on the fastest disks
- Persistent classification metadata or labels embedded with the data so the label follows it across copies and systems
- Renaming the network so the label appears in the SSID
Correct answer: Persistent classification metadata or labels embedded with the data so the label follows it across copies and systems
The capability is persistent classification metadata or labels embedded with the data so the label follows it across copies and systems. When the label is bound to the file rather than to a folder or screen, downstream handling controls can still recognize sensitivity. Rack colors, disk speed, and network names do not keep a classification label attached to the data.
- An IS auditor reviewing access design in a payroll application finds one administrator can create a vendor, approve payments to that vendor, and reconcile the bank statement. Which control objective is most clearly defeated?
- Network throughput optimization
- Backup window minimization
- Screen resolution standardization
- Segregation of duties, because creation, authorization, and reconciliation of payments should be divided among different people
Correct answer: Segregation of duties, because creation, authorization, and reconciliation of payments should be divided among different people
The defeated objective is segregation of duties, because creating a vendor, authorizing payments, and reconciling the bank statement should be split among different people. Concentrating all three lets one person create and conceal a fraudulent payment. Throughput, backup windows, and screen resolution are unrelated to this control concern.
- An IS auditor finds that a small IT team cannot fully separate incompatible duties because of limited staff. According to good governance, what is the most appropriate response?
- Implement compensating controls such as independent reviews and detailed activity logging to offset the unavoidable conflict
- Ignore the conflict because small teams are exempt
- Grant everyone full administrator rights to simplify work
- Stop performing the conflicting functions altogether
Correct answer: Implement compensating controls such as independent reviews and detailed activity logging to offset the unavoidable conflict
The appropriate response is to implement compensating controls such as independent reviews and detailed activity logging to offset the unavoidable conflict. When separation is impractical, monitoring and oversight reduce the risk that the combined duties create. Small teams are not exempt, granting universal admin rights worsens the problem, and abandoning needed functions is not viable.
- An IS auditor reviewing a periodic access recertification process wants to confirm it supports segregation of duties over time. What does effective recertification accomplish?
- It permanently locks all access so it never changes
- It periodically reviews and reconfirms that each user's access is still appropriate, removing accumulated or conflicting entitlements
- It deletes the audit logs to save space
- It grants every reviewer additional access as a reward
Correct answer: It periodically reviews and reconfirms that each user's access is still appropriate, removing accumulated or conflicting entitlements
Effective recertification periodically reviews and reconfirms that each user's access is still appropriate, removing accumulated or conflicting entitlements. This counters privilege creep, where role changes leave users with incompatible combined access. It does not freeze access permanently, delete logs, or reward reviewers with more access.
- An IS auditor reviewing entitlements discovers that an employee who transferred from accounts payable to procurement retained the old AP permissions on top of new procurement rights, creating an incompatible combination. What condition has occurred?
- A recovery point objective breach
- A denial-of-service condition
- Privilege creep (accumulation of access across role changes) producing a segregation-of-duties conflict
- A successful key rotation
Correct answer: Privilege creep (accumulation of access across role changes) producing a segregation-of-duties conflict
The condition is privilege creep, the accumulation of access across role changes, which here produces a segregation-of-duties conflict by combining accounts payable and procurement rights. Access from prior roles should be revoked when duties change. A recovery point objective breach, denial of service, and key rotation are recovery, availability, and cryptography events, not access accumulation.
- An IS auditor reviewing enterprise risk management examines how the organization chooses to respond to an identified risk. Which set correctly names the common risk response options?
- Encrypt, hash, sign, and tokenize
- Backup, restore, replicate, and archive
- Detect, prevent, correct, and deter
- Avoid, mitigate (reduce), transfer (share), and accept
Correct answer: Avoid, mitigate (reduce), transfer (share), and accept
The common risk response options are avoid, mitigate or reduce, transfer or share, and accept. After assessing a risk, management selects among these treatments based on appetite and cost. Encryption methods, backup operations, and control types are different concepts and are not the standard risk-response choices.
- An IS auditor reviews an organization that buys cyber insurance to cover potential losses from a data breach. Which risk response does this represent?
- Risk transfer (sharing the financial impact with a third party)
- Risk acceptance
- Risk avoidance
- Risk mitigation through technical controls
Correct answer: Risk transfer (sharing the financial impact with a third party)
Buying insurance is risk transfer, sharing the financial impact with a third party. The organization shifts part of the potential loss to the insurer rather than reducing the likelihood itself. Acceptance takes no action, avoidance eliminates the activity, and mitigation reduces risk through controls, none of which describes insuring against the loss.
- An IS auditor reviewing risk visualization sees the organization plot risks on a grid of likelihood against impact to prioritize them. What is this tool commonly called?
- A data flow diagram
- A risk heat map (risk matrix)
- A network topology map
- A Gantt chart
Correct answer: A risk heat map (risk matrix)
The tool is a risk heat map, also called a risk matrix. Plotting likelihood against impact lets leadership see at a glance which risks are most severe and warrant priority. A data flow diagram shows data movement, a network topology map shows infrastructure, and a Gantt chart shows schedules, none of which prioritizes risk by likelihood and impact.
- An IS auditor reviewing a quantitative risk model sees an asset valued at 200,000 dollars with an estimated exposure factor of 25 percent for a particular threat. What is the single loss expectancy?
- 8,000 dollars
- 200,000 dollars
- 50,000 dollars
- 250,000 dollars
Correct answer: 50,000 dollars
The single loss expectancy is 50,000 dollars, calculated as asset value multiplied by exposure factor, or 200,000 dollars times 25 percent. Single loss expectancy estimates the dollar loss from one occurrence of the threat. The other figures ignore the formula or confuse single loss expectancy with the full asset value.
- An IS auditor reviewing governance over risk acceptance finds that a project team unilaterally decided to accept a high residual risk without management approval. Why is this a governance problem?
- Risk acceptance is never permitted under any circumstances
- Only external auditors may accept any risk
- Risk acceptance must always be the cheapest option
- Risk acceptance should be made by an accountable owner at an appropriate authority level, since accepting risk commits the enterprise to bear it
Correct answer: Risk acceptance should be made by an accountable owner at an appropriate authority level, since accepting risk commits the enterprise to bear it
The governance problem is that risk acceptance should be made by an accountable owner at an appropriate authority level, since accepting risk commits the enterprise to bear the consequences. Decisions to accept significant risk must rest with someone authorized to take on that exposure. Acceptance is a legitimate response, is not reserved for auditors, and is chosen on risk grounds rather than cost alone.
- An IS auditor is mapping the lines of accountability in an enterprise risk program and encounters the three lines model. In that model, which line owns and manages risk day to day?
- The first line, operational management that owns and manages risks and controls in daily activities
- The internal audit function
- The external regulator
- The board of directors acting alone
Correct answer: The first line, operational management that owns and manages risks and controls in daily activities
In the three lines model, the first line is operational management that owns and manages risks and controls in daily activities. The second line provides risk and compliance oversight, and the third line, internal audit, gives independent assurance. Regulators and the board sit outside the three operating lines, so neither owns day-to-day risk management.
- An IS auditor reviewing IT governance structure wants to understand the IT steering committee's primary purpose. What does an IT steering committee chiefly do?
- Write application source code
- Prioritize and oversee IT investments and major projects to ensure they align with business priorities
- Patch servers each night
- Answer end-user help desk calls
Correct answer: Prioritize and oversee IT investments and major projects to ensure they align with business priorities
An IT steering committee chiefly prioritizes and oversees IT investments and major projects to ensure alignment with business priorities. It brings business and IT leaders together to direct where IT effort and funding go. Writing code, patching servers, and answering help desk calls are operational tasks, not the committee's governance role.
- An IS auditor reviewing membership of an IT steering committee finds it consists solely of IT staff with no business representation. Why is this a weakness?
- Business leaders are not permitted to discuss IT
- All committees must be exactly five people
- Without business membership the committee cannot ensure IT investments reflect business priorities, defeating its alignment purpose
- IT staff cannot understand technology decisions
Correct answer: Without business membership the committee cannot ensure IT investments reflect business priorities, defeating its alignment purpose
The weakness is that without business membership the committee cannot ensure IT investments reflect business priorities, which defeats its alignment purpose. The steering committee exists to bridge business and IT, so business voices are essential. There is no fixed required size, business leaders may certainly discuss IT, and IT staff are capable of understanding technology decisions.
- An IS auditor reviewing IT strategy wants to confirm it is properly anchored. What is the most important relationship a sound IT strategy should demonstrate?
- Independence from any business goals
- Agreement with the newest available hardware catalog
- Conformance to the personal preferences of the IT director
- Alignment with and support of the overall business strategy and objectives
Correct answer: Alignment with and support of the overall business strategy and objectives
A sound IT strategy should demonstrate alignment with and support of the overall business strategy and objectives. IT exists to enable the business, so its strategic direction must derive from business goals. Independence from business goals, chasing the latest hardware, or following one person's preferences would all detach IT strategy from its purpose.
- An IS auditor reviewing IT governance roles wants to know what distinguishes the role of the chief information officer in governance. Which statement best describes the CIO's governance role?
- The CIO provides executive leadership for IT, setting IT direction and ensuring IT supports enterprise strategy and risk objectives
- The CIO repairs end-user hardware
- The CIO performs the independent audit of IT
- The CIO writes all the organization's software
Correct answer: The CIO provides executive leadership for IT, setting IT direction and ensuring IT supports enterprise strategy and risk objectives
The CIO provides executive leadership for IT, setting IT direction and ensuring IT supports enterprise strategy and risk objectives. This is a senior governance and leadership role, not a hands-on technical one. Repairing hardware, writing all software, and performing the independent audit are not the CIO's governance responsibilities; auditing IT must remain independent of IT management.
- An IS auditor reviewing IT investment governance finds projects are funded individually with no view of how they fit together or compete for resources. Which governance discipline addresses selecting and balancing the full set of IT investments?
- Tape backup rotation
- IT portfolio management, which selects, prioritizes, and balances the collection of IT investments against value and risk
- Stateful packet inspection
- Help desk ticket triage
Correct answer: IT portfolio management, which selects, prioritizes, and balances the collection of IT investments against value and risk
The discipline is IT portfolio management, which selects, prioritizes, and balances the collection of IT investments against value and risk. Viewing investments as a portfolio reveals competition for resources and overall alignment that project-by-project funding hides. Backup rotation, packet inspection, and ticket triage are operational activities unrelated to investment selection.
- An IS auditor reviewing IT performance reporting is asked to distinguish a key performance indicator from a key goal indicator. Which statement is correct?
- Both terms mean exactly the same thing
- A key performance indicator measures share price and a key goal indicator measures headcount
- A key performance indicator measures how well a process is performing toward a goal, while a key goal indicator measures whether the goal itself was achieved
- A key goal indicator measures network speed and a key performance indicator measures office temperature
Correct answer: A key performance indicator measures how well a process is performing toward a goal, while a key goal indicator measures whether the goal itself was achieved
The correct statement is that a key performance indicator measures how well a process is performing toward a goal, while a key goal indicator measures whether the goal itself was achieved. Performance indicators are forward-looking process measures, and goal indicators confirm outcomes. The other options conflate the two or attach them to irrelevant measures like temperature.
- An IS auditor reviewing an IT balanced scorecard wants to recall how many perspectives the classic balanced scorecard uses and what they are. Which option is correct?
- Two perspectives: hardware and software
- Three perspectives: people, process, and technology
- Five perspectives based on the senses
- Four perspectives: financial, customer, internal process, and learning and growth
Correct answer: Four perspectives: financial, customer, internal process, and learning and growth
The classic balanced scorecard uses four perspectives: financial, customer, internal process, and learning and growth. Together they give a balanced view beyond purely financial results, and an IT scorecard adapts them to IT's contribution. A two-way hardware and software split, a people-process-technology triad, and a five-senses model are not the balanced scorecard's perspectives.
- An IS auditor reviewing the customer perspective of an IT balanced scorecard wants to know what it captures for an internal IT department. What does this perspective primarily measure?
- How satisfied internal business users (IT's customers) are with the services IT delivers
- The depreciation of network switches
- The number of lines of code written
- The square footage of the data center
Correct answer: How satisfied internal business users (IT's customers) are with the services IT delivers
For an internal IT department the customer perspective primarily measures how satisfied internal business users, who are IT's customers, are with the services IT delivers. It reflects service quality and responsiveness from the user's viewpoint. Switch depreciation, lines of code, and data center floor space relate to financial, process, or facility measures rather than customer satisfaction.
- An IS auditor reviewing IT metrics finds the team tracks dozens of measures that no one ties to a target or to business objectives. What characteristic should a useful IT metric possess to support governance?
- It should be as technical and obscure as possible
- It should be relevant to an objective, measurable, and compared against a defined target or threshold
- It should change definition every reporting period
- It should be reported without any context
Correct answer: It should be relevant to an objective, measurable, and compared against a defined target or threshold
A useful IT metric should be relevant to an objective, measurable, and compared against a defined target or threshold. These properties let leadership judge whether performance is acceptable and act on gaps. Obscurity, shifting definitions, and context-free reporting all undermine a metric's usefulness for governance.
- An IS auditor reviewing how IT performance information reaches the board finds raw metrics flow up with no comparison to objectives or prior periods. Which reporting practice would most improve the board's ability to govern?
- Send only the single most favorable number each meeting
- Replace all metrics with anecdotes
- Present trends and variances against targets and prior periods so the board can see direction and exceptions
- Report metrics in raw log files for the board to parse
Correct answer: Present trends and variances against targets and prior periods so the board can see direction and exceptions
The improvement is to present trends and variances against targets and prior periods so the board can see direction and exceptions. Context turns raw numbers into insight the board can act on. Cherry-picking favorable numbers, replacing data with anecdotes, or dumping raw logs all reduce the board's ability to govern.
- An IS auditor reviewing vendor onboarding wants to confirm that risk is assessed before a contract is signed. Which activity occurs during pre-contract vendor due diligence?
- Decommissioning the vendor's systems
- Paying the final invoice
- Returning all data to the vendor
- Evaluating the prospective vendor's financial stability, security posture, and control environment before engaging them
Correct answer: Evaluating the prospective vendor's financial stability, security posture, and control environment before engaging them
Pre-contract due diligence involves evaluating the prospective vendor's financial stability, security posture, and control environment before engaging them. Assessing these factors up front prevents onboarding a vendor that introduces unacceptable risk. Paying a final invoice, returning data, and decommissioning systems are activities tied to the end of a relationship, not onboarding.
- An IS auditor reviewing a service contract wants to verify that the organization can examine the vendor's controls or have them examined. Which contract provision provides this?
- A right-to-audit clause permitting the organization or its representatives to assess the vendor's controls
- A clause setting the office dress code
- A clause naming the vendor's holiday schedule
- A clause specifying the color of the invoices
Correct answer: A right-to-audit clause permitting the organization or its representatives to assess the vendor's controls
The provision is a right-to-audit clause permitting the organization or its representatives to assess the vendor's controls. This preserves the ability to verify the vendor's security and compliance during the relationship. Dress codes, holiday schedules, and invoice colors have no bearing on the organization's ability to audit the vendor.
- An IS auditor reviewing an outsourcing arrangement notes that the organization has delegated operation of a critical service to a vendor. Which statement about accountability is correct?
- Outsourcing transfers all accountability for the function to the vendor
- The organization remains accountable for the outsourced function even though day-to-day operation is delegated
- Accountability disappears once a contract is signed
- Only the vendor's regulator is accountable
Correct answer: The organization remains accountable for the outsourced function even though day-to-day operation is delegated
The correct statement is that the organization remains accountable for the outsourced function even though day-to-day operation is delegated. Responsibility for execution can be outsourced, but ultimate accountability to stakeholders and regulators cannot. Accountability does not vanish at signing, is not wholly transferred to the vendor, and does not rest solely with the vendor's regulator.
- An IS auditor reviewing concentration risk in vendor governance is concerned the organization depends on a single provider for multiple critical services. What is the most effective governance response to this concentration risk?
- Ignore it because one trusted vendor is always safest
- Sign even more contracts with the same vendor
- Develop contingency and exit options, such as a viable alternative provider or in-house fallback, to reduce dependence on the single vendor
- Stop monitoring the vendor to save effort
Correct answer: Develop contingency and exit options, such as a viable alternative provider or in-house fallback, to reduce dependence on the single vendor
The effective response is to develop contingency and exit options, such as a viable alternative provider or in-house fallback, to reduce dependence on the single vendor. Reducing concentration limits the damage if that vendor fails or underperforms. Adding more dependence, ignoring the risk, or ceasing monitoring all increase exposure.
- An IS auditor reviewing a cloud sourcing decision wants to identify which service model leaves the customer responsible for the operating system and applications while the provider manages only the underlying compute, storage, and network. Which model is this?
- Software as a service (SaaS)
- Business process outsourcing
- A managed security service
- Infrastructure as a service (IaaS)
Correct answer: Infrastructure as a service (IaaS)
The model is infrastructure as a service, or IaaS, where the provider manages the underlying compute, storage, and network while the customer remains responsible for the operating system and applications. This division is central to allocating control and audit responsibility. Software as a service shifts far more to the provider, while business process outsourcing and managed security services are broader service arrangements, not this specific split.
- An IS auditor reviewing a privacy program wants to confirm the organization applies data minimization. What does the data minimization principle require?
- Collecting and retaining only the personal data that is necessary for the specified purpose
- Collecting as much personal data as possible in case it becomes useful
- Sharing personal data with all departments by default
- Keeping personal data indefinitely regardless of need
Correct answer: Collecting and retaining only the personal data that is necessary for the specified purpose
Data minimization requires collecting and retaining only the personal data that is necessary for the specified purpose. Limiting collection reduces exposure and aligns processing with what the purpose actually needs. Hoarding data, sharing it by default, or keeping it indefinitely all contradict minimization.
- An IS auditor reviewing a privacy program evaluates the purpose limitation principle. Which practice violates purpose limitation?
- Using customer data for the order fulfillment it was collected for
- Using customer data collected for order fulfillment to build marketing profiles without a new lawful basis or consent
- Deleting customer data once the order is complete and retention expires
- Informing customers at collection of the purpose of processing
Correct answer: Using customer data collected for order fulfillment to build marketing profiles without a new lawful basis or consent
The violation is using customer data collected for order fulfillment to build marketing profiles without a new lawful basis or consent. Purpose limitation restricts personal data to the purposes for which it was collected, so repurposing it requires fresh justification. Using data for its original purpose, deleting it after retention expires, and disclosing the purpose at collection all comply with the principle.
- An IS auditor reviewing a privacy program wants to identify the assessment performed before launching a new system that processes large volumes of sensitive personal data. Which assessment is appropriate?
- A network penetration test only
- A capacity stress test only
- A data protection (privacy) impact assessment that evaluates privacy risks before the high-risk processing begins
- A data center cooling audit
Correct answer: A data protection (privacy) impact assessment that evaluates privacy risks before the high-risk processing begins
The appropriate assessment is a data protection or privacy impact assessment that evaluates privacy risks before the high-risk processing begins. It identifies and mitigates privacy risks proactively for new or significantly changed processing of personal data. A penetration test, capacity stress test, or cooling audit address security, performance, or facilities rather than privacy risk.
- An IS auditor reviewing how an organization honors individuals' privacy rights finds no process to act when a person asks for their personal data to be corrected or deleted. Which privacy capability is missing?
- A spare parts inventory process
- A meeting room booking process
- A printer toner replacement process
- A data subject rights (access, correction, and erasure) request handling process
Correct answer: A data subject rights (access, correction, and erasure) request handling process
The missing capability is a data subject rights request handling process covering access, correction, and erasure. Privacy regimes give individuals rights over their data, and the organization must have a process to receive and fulfill such requests. Inventory, room booking, and toner replacement processes have nothing to do with honoring privacy rights.
- An IS auditor reviewing IT governance documentation needs to distinguish a policy from a procedure. Which statement is correct?
- A policy states management's high-level intent and rules, while a procedure gives the detailed step-by-step instructions to carry the policy out
- A procedure is approved by the board and a policy is written by interns
- Policies and procedures are interchangeable terms
- A policy lists exact command-line steps and a procedure states broad intent
Correct answer: A policy states management's high-level intent and rules, while a procedure gives the detailed step-by-step instructions to carry the policy out
The correct statement is that a policy states management's high-level intent and rules, while a procedure gives the detailed step-by-step instructions to carry it out. Policies set direction; procedures operationalize it. The other options reverse the two, treat them as identical, or misattribute who writes them.
- An IS auditor evaluating governance maturity finds that IT processes work only because of individual heroics, with no documented or repeatable approach. On a typical capability or maturity scale, this best reflects which level?
- The highest, optimized level
- A low, ad hoc or initial level where processes are unpredictable and depend on individual effort
- A managed and measured level
- A defined and standardized level
Correct answer: A low, ad hoc or initial level where processes are unpredictable and depend on individual effort
This best reflects a low, ad hoc or initial level where processes are unpredictable and depend on individual effort. At this stage there is no documented, repeatable approach, so outcomes vary with the people involved. Defined, managed, and optimized levels each imply progressively documented, measured, and continuously improved processes that this organization lacks.
- An IS auditor reviewing enterprise architecture governance wants to confirm that architecture principles guide decision-making. What is the role of enterprise architecture principles?
- They are the vendor's pricing terms
- They are the daily backup schedules
- They are high-level statements that guide and constrain architecture and design decisions across the enterprise
- They are individual server hostnames
Correct answer: They are high-level statements that guide and constrain architecture and design decisions across the enterprise
Enterprise architecture principles are high-level statements that guide and constrain architecture and design decisions across the enterprise. They embody enduring rules, such as favoring reuse or standardization, that keep individual decisions consistent with the target state. Pricing terms, backup schedules, and hostnames are operational details, not guiding principles.
- An IS auditor reviewing data governance finds personal and regulated data scattered without any inventory, so the organization cannot answer where its most sensitive data resides. Considering data classification and governance, what is the most logical first step to remediate this?
- Encrypt every byte the company owns before doing anything else
- Delete all data older than one year immediately
- Move all data to a single shared folder for convenience
- Identify and inventory data assets and then classify them by sensitivity so protection can be applied appropriately
Correct answer: Identify and inventory data assets and then classify them by sensitivity so protection can be applied appropriately
The most logical first step is to identify and inventory data assets and then classify them by sensitivity so protection can be applied appropriately. You cannot protect or govern what you have not located and categorized. Encrypting everything blindly, mass deletion, or consolidating into one folder act before knowing what the data is and would create new risks.
- An IS auditor reviewing an enterprise risk program finds that risk owners report progress, but no one independently challenges whether the reported risk levels and treatments are realistic. Which governance line should provide this independent challenge and assurance?
- The independent assurance from internal audit (the third line), reporting to the board or audit committee
- The same operational managers who own the risks
- The vendors who supply the affected systems
- The marketing department
Correct answer: The independent assurance from internal audit (the third line), reporting to the board or audit committee
The independent challenge and assurance should come from internal audit, the third line, reporting to the board or audit committee. Independence from the risk owners and the oversight functions lets internal audit objectively evaluate whether reported risk levels and treatments are realistic. The risk owners themselves, vendors, and marketing lack the independence or remit to provide this assurance.
- An IS auditor reviewing IT governance finds the enterprise has many overlapping committees and roles, yet no clarity on who is responsible, accountable, consulted, or informed for key IT decisions. Which tool would most directly clarify these governance responsibilities?
- A subnet mask calculator
- A RACI (responsible, accountable, consulted, informed) chart mapping roles to decisions and activities
- A patch deployment ring schedule
- A backup retention table
Correct answer: A RACI (responsible, accountable, consulted, informed) chart mapping roles to decisions and activities
The most direct tool is a RACI chart mapping roles to decisions and activities, clarifying who is responsible, accountable, consulted, and informed. Assigning these roles removes overlap and gaps in governance responsibility. A subnet calculator, patch ring schedule, and backup retention table address networking, deployment, and recovery, not responsibility assignment.
- An IS auditor reviewing vendor governance learns that a critical vendor will store and process the organization's regulated data overseas. Which contract element most directly governs how that data must be protected and handled by the vendor?
- A clause about the vendor's annual company picnic
- A clause listing the vendor's parking arrangements
- A data protection and security addendum specifying confidentiality, security controls, breach notification, and data location or transfer requirements
- A clause describing the vendor's logo usage
Correct answer: A data protection and security addendum specifying confidentiality, security controls, breach notification, and data location or transfer requirements
The relevant element is a data protection and security addendum specifying confidentiality, security controls, breach notification, and data location or transfer requirements. This binds the vendor to protect and handle regulated data appropriately, including across borders. Picnic, parking, and logo clauses have no bearing on how the data is safeguarded.
- An IS auditor reviewing IT performance governance sees the organization wants to compare its IT cost and service metrics against peers to judge competitiveness. Which technique supports this comparison?
- Defragmenting the production database
- Rotating encryption keys
- Conducting a fire drill
- Benchmarking IT metrics against industry peers or recognized standards
Correct answer: Benchmarking IT metrics against industry peers or recognized standards
The technique is benchmarking IT metrics against industry peers or recognized standards. Comparing cost and service performance externally helps leadership judge whether IT is competitive and where to improve. Database defragmentation, key rotation, and fire drills are operational, security, and safety activities, not performance comparison methods.
- An IS auditor reviewing privacy governance finds the organization relies on broad consent gathered years ago to justify new and unrelated uses of personal data. From a privacy principles standpoint, what is the core problem?
- Consent should be specific to defined purposes, so reusing old, broad consent for new unrelated purposes is not a valid basis
- Consent never expires and can justify any future use
- Consent is irrelevant to privacy programs
- Only the IT department can give consent on users' behalf
Correct answer: Consent should be specific to defined purposes, so reusing old, broad consent for new unrelated purposes is not a valid basis
The core problem is that consent should be specific to defined purposes, so reusing old, broad consent for new unrelated purposes is not a valid basis. Valid consent must be informed and tied to the purposes presented at the time. Consent is highly relevant, does not endure indefinitely for any use, and cannot be granted by IT on users' behalf.
- An IS auditor reviewing data governance finds that decisions about who may access and use a particular data domain are made inconsistently by whoever is asked. Which governance structure would best establish consistent authority over that data?
- Letting the fastest-responding employee decide each time
- Formally appointing a data owner and supporting data stewards with defined authority and accountability for the data domain
- Routing all data decisions to the building maintenance team
- Allowing each requester to grant their own access
Correct answer: Formally appointing a data owner and supporting data stewards with defined authority and accountability for the data domain
The best structure is formally appointing a data owner and supporting data stewards with defined authority and accountability for the data domain. Clear ownership creates a consistent decision-maker for access and use rather than ad hoc rulings. Letting the quickest responder decide, routing decisions to maintenance, or self-granted access all reproduce the inconsistency.
- An IS auditor reviewing enterprise architecture governance finds the organization defined a strong target architecture but has no body to assess deviations as projects unfold. Considering enterprise architecture governance, what should the auditor recommend to keep projects aligned over time?
- Let each project define its own architecture independently
- Freeze the target architecture and refuse all change forever
- Establish an architecture review board or governance gate that evaluates project designs against the target architecture and manages exceptions
- Delete the target architecture since projects vary
Correct answer: Establish an architecture review board or governance gate that evaluates project designs against the target architecture and manages exceptions
The recommendation is to establish an architecture review board or governance gate that evaluates project designs against the target architecture and manages exceptions. Ongoing governance keeps individual projects aligned and handles legitimate deviations in a controlled way. Independent per-project architectures, freezing the target permanently, or deleting it would all sacrifice alignment.
- An IS auditor reviewing segregation of duties in change management finds that the developer who writes a change also approves it and deploys it to production with no independent review. Analyzing this control weakness, what is the most significant exposure?
- The production servers will run out of disk space
- The network will experience higher latency
- The user interface colors may be inconsistent
- Unauthorized or erroneous changes can reach production undetected because no independent party approves or moves the code
Correct answer: Unauthorized or erroneous changes can reach production undetected because no independent party approves or moves the code
The most significant exposure is that unauthorized or erroneous changes can reach production undetected because no independent party approves or moves the code. Separating who writes, who approves, and who deploys creates the independent checkpoint that this arrangement removes. Disk space, latency, and interface colors are not the core control concern raised by combining these duties.
- An IS auditor reviewing IT governance is asked who holds ultimate accountability for governance of enterprise IT. Which body bears that ultimate accountability?
- The board of directors (the governing body), which is ultimately accountable for IT governance
- The network administration team
- The external software vendors
- The end users of the systems
Correct answer: The board of directors (the governing body), which is ultimately accountable for IT governance
Ultimate accountability for governance of enterprise IT rests with the board of directors, the governing body. The board sets direction, ensures alignment and risk oversight, and answers to stakeholders for how IT is governed. Network administrators, software vendors, and end users carry out or use IT but do not hold ultimate governance accountability.
- An IS auditor reviewing risk governance finds that management's stated risk appetite is contradicted in practice by routine approval of high-risk projects with no escalation. Analyzing this, what does the gap most likely indicate?
- The risk appetite is well understood and consistently applied
- Risk appetite is not operationalized or enforced, so day-to-day decisions diverge from the enterprise's stated tolerance
- High-risk projects automatically reduce overall enterprise risk
- Risk appetite only applies to the finance department
Correct answer: Risk appetite is not operationalized or enforced, so day-to-day decisions diverge from the enterprise's stated tolerance
The gap most likely indicates that risk appetite is not operationalized or enforced, so day-to-day decisions diverge from the enterprise's stated tolerance. A meaningful appetite must shape approvals and trigger escalation when exceeded. The pattern is not a sign of consistent application, high-risk projects do not lower overall risk, and appetite applies enterprise-wide, not only to finance.
- An IS auditor reviewing IT performance governance sees that a service-availability metric improved sharply, but user complaints rose at the same time. Analyzing this inconsistency, what is the most appropriate auditor conclusion?
- Rising complaints always prove the systems improved
- Metrics should be ignored whenever users complain
- The metric may be poorly defined or gamed and should be validated against the outcomes it is meant to represent
- Availability and user experience are unrelated and need no reconciliation
Correct answer: The metric may be poorly defined or gamed and should be validated against the outcomes it is meant to represent
The most appropriate conclusion is that the metric may be poorly defined or gamed and should be validated against the outcomes it is meant to represent. When a favorable measure contradicts the experience it should reflect, the auditor questions the metric's definition and integrity. Rising complaints do not prove improvement, metrics should not simply be discarded, and availability is clearly tied to user experience.
- An IS auditor reviewing vendor governance finds that a critical provider had a major security incident, yet the organization learned of it months later through the news. Analyzing the contract and oversight, what control gap does this most clearly reveal?
- An overly fast notification process that should be slowed down
- Excessive monitoring that should be reduced
- Too many vendors competing for the same service
- The absence of a timely breach or incident notification requirement and ongoing vendor monitoring
Correct answer: The absence of a timely breach or incident notification requirement and ongoing vendor monitoring
This most clearly reveals the absence of a timely breach or incident notification requirement and ongoing vendor monitoring. Contracts should obligate vendors to report incidents promptly, and the organization should monitor vendor risk continuously. Slowing notification, reducing monitoring, or framing it as too many vendors would all worsen rather than address the gap.
- An IS auditor reviewing data governance over highly sensitive records sees the organization wants to reduce risk by removing direct identifiers so the data can be analyzed without identifying individuals. Which technique best supports this goal?
- De-identification (anonymization or pseudonymization) that removes or replaces identifiers so data can be used with lower privacy risk
- Increasing the network bandwidth to the analytics cluster
- Replacing the production servers with faster models
- Scheduling more frequent full backups of the records
Correct answer: De-identification (anonymization or pseudonymization) that removes or replaces identifiers so data can be used with lower privacy risk
The technique is de-identification, through anonymization or pseudonymization, which removes or replaces identifiers so data can be used with lower privacy risk. Stripping or masking identifiers lets analysts work with the data while limiting exposure of individuals. Adding bandwidth, faster servers, or more backups improves performance and recovery, not privacy of the records.
- An IS auditor reviewing IT governance finds the enterprise has no overarching set of rules expressing management's expectations for acceptable IT use, security, and conduct. Which governance instrument should be established first to set that direction?
- A spreadsheet of server warranty dates
- A formal IT policy framework approved by management that defines acceptable use, security, and conduct expectations
- A list of the data center's emergency exits
- A catalog of approved screen savers
Correct answer: A formal IT policy framework approved by management that defines acceptable use, security, and conduct expectations
The instrument is a formal IT policy framework approved by management that defines acceptable use, security, and conduct expectations. Policies are the authoritative expression of management's intent from which standards and procedures flow. Warranty dates, emergency exits, and screen saver catalogs are operational or trivial records that do not set governance direction.
- An IS auditor reviewing enterprise risk governance wants to confirm the organization tracks indicators that warn when a risk is trending toward an unacceptable level. What are such forward-looking risk warning signals called?
- Recovery time objectives
- Service level credits
- Key risk indicators (KRIs) that signal rising exposure before a risk fully materializes
- Function points
Correct answer: Key risk indicators (KRIs) that signal rising exposure before a risk fully materializes
These warning signals are key risk indicators, or KRIs, that signal rising exposure before a risk fully materializes. KRIs give early warning so management can act before a threshold is breached. Recovery time objectives, service level credits, and function points are recovery, contractual, and sizing measures, not forward-looking risk warning signals.
- An IS auditor is mapping the order of activities in a structured system development life cycle. Which sequence correctly reflects the typical progression of phases for building a new application?
- Feasibility and requirements, design, development, testing, implementation
- Coding, requirements definition, feasibility, deployment
- Implementation, design, requirements, feasibility
- Testing, deployment, requirements, design
Correct answer: Feasibility and requirements, design, development, testing, implementation
The correct progression is feasibility and requirements, design, development, testing, implementation, because each phase builds on a completed predecessor. The other sequences place coding, deployment, or testing ahead of requirements and design, which inverts the disciplined order that keeps later work grounded in agreed needs.
- An IS auditor wants to confirm that an organization can demonstrate accountability for who built and approved each part of a new system. The SDLC characteristic that most directly supports this is the requirement that every phase produce:
- A press release describing the system
- A larger budget than the previous phase
- Defined, reviewable deliverables that are formally approved before the next phase begins
- A reduction in the number of project staff
Correct answer: Defined, reviewable deliverables that are formally approved before the next phase begins
Accountability rests on each phase producing defined, reviewable deliverables that are formally approved before the next phase begins, creating an evidence trail of decisions and sign-offs. A press release, a larger budget, or fewer staff have no bearing on whether the work of each phase was reviewed and authorized.
- An IS auditor reviewing a project notes that the design phase produced detailed data models, screen layouts, and program specifications. The principal reason these design artifacts matter to the auditor is that they:
- Determine the company's stock price
- Replace the need to write any code
- Decide the marketing budget
- Translate approved requirements into a concrete blueprint that construction and later testing can be checked against
Correct answer: Translate approved requirements into a concrete blueprint that construction and later testing can be checked against
Design artifacts matter because they translate approved requirements into a concrete blueprint that construction and later testing can be checked against, giving the auditor a reference for verifying that the build matches what was agreed. They do not set a stock price, eliminate coding, or determine a marketing budget.
- An IS auditor evaluating a rapid application development effort sees the team build, demonstrate, and refine working increments quickly with heavy user involvement. The greatest control risk an auditor should watch for with this accelerated approach is that:
- The speed pressure may cause documentation, security, and control requirements to be shortchanged
- The users will be unable to see any of the software
- No requirements can ever be gathered
- The project will be forced to last for many years
Correct answer: The speed pressure may cause documentation, security, and control requirements to be shortchanged
With rapid, increment-driven development the greatest control risk is that the speed pressure may cause documentation, security, and control requirements to be shortchanged as the team races to deliver. Rapid approaches actually increase user visibility and gather requirements iteratively, and they shorten rather than lengthen timelines, so the other options are incorrect.
- An IS auditor is reviewing how an organization decides whether to buy a packaged solution or build one in-house. Within the acquisition process, the formal document used to solicit detailed proposals and pricing from candidate vendors is the:
- Disaster recovery plan
- Chain of custody form
- Request for proposal
- Recovery point objective
Correct answer: Request for proposal
The document used to solicit detailed proposals and pricing from candidate vendors is the request for proposal, which lets the organization compare offerings against defined requirements. A disaster recovery plan addresses outages, a chain of custody form tracks evidence, and a recovery point objective sets data-loss tolerance, none of which solicits vendor bids.
- An IS auditor reviewing a software acquisition finds that the organization selected a vendor package without first writing down the functional and technical requirements the package needed to satisfy. The most significant risk of this omission is that:
- The vendor will be unable to send an invoice
- The package will install faster than expected
- The function point count will become negative
- There is no objective basis to evaluate whether the chosen package actually meets the organization's needs
Correct answer: There is no objective basis to evaluate whether the chosen package actually meets the organization's needs
Without documented requirements there is no objective basis to evaluate whether the chosen package actually meets the organization's needs, so selection becomes subjective and gaps surface only after purchase. Missing requirements do not stop invoicing, speed up installation, or produce a negative function point count, which are unrelated to the evaluation gap.
- An IS auditor reviewing an agile project examines a short, recurring time-boxed cycle at the end of which the team aims to deliver a potentially shippable increment. This fixed-length development cycle is most commonly called a:
- Recovery window
- Maintenance window
- Sprint (iteration)
- Cutover
Correct answer: Sprint (iteration)
A short, fixed-length cycle ending in a potentially shippable increment is a sprint, also called an iteration, the basic delivery unit in agile. A recovery window relates to outages, a maintenance window schedules downtime, and a cutover is a changeover event, none of which describes the agile development cycle.
- An IS auditor is assessing change control on a waterfall project versus an agile project. Compared with waterfall, the way agile handles changing requirements is best described as:
- Agile absorbs changing requirements iteration by iteration rather than freezing scope at the outset
- Agile forbids any change once a project starts
- Agile requires every change to wait until the project ends
- Agile and waterfall treat requirement changes identically
Correct answer: Agile absorbs changing requirements iteration by iteration rather than freezing scope at the outset
Agile absorbs changing requirements iteration by iteration rather than freezing scope at the outset, which is its defining contrast with waterfall's fixed up-front scope. It does not forbid all change, defer change to project end, or treat changes the same way waterfall does, so the other options misstate the methodology.
- An IS auditor is concerned that an agile team has no clear point at which a feature is considered complete and properly controlled. The agile practice that establishes shared, consistent completion criteria for work items is the:
- Service level agreement
- Business impact analysis
- Recovery time objective
- Definition of done
Correct answer: Definition of done
The practice that establishes shared, consistent completion criteria for work items is the definition of done, which tells the team when an item is truly finished, including tests and documentation. A service level agreement sets service commitments, a business impact analysis assesses disruption, and a recovery time objective sets restoration targets, none of which defines work completion in agile.
- An IS auditor compares two projects: one must satisfy a regulator that every requirement was specified, approved, and traced through formal sign-offs, and the other is an experimental product whose features will be discovered through user feedback. The most appropriate methodology pairing is:
- Agile for the regulated project and waterfall for the experimental product
- Waterfall for both projects regardless of context
- Waterfall for the regulated project and agile for the experimental product
- Agile for both projects regardless of context
Correct answer: Waterfall for the regulated project and agile for the experimental product
The appropriate pairing is waterfall for the regulated project and agile for the experimental product, because waterfall's formal, traceable phase sign-offs suit compliance while agile's iterative discovery suits evolving features. Reversing them or forcing one methodology on both ignores the requirement stability and traceability needs that drive the choice.
- An IS auditor reviewing an agile engagement notes that the team holds a brief recurring meeting to review what was completed and to inspect the increment with stakeholders at the end of each cycle. From an audit perspective, the principal value of this end-of-cycle review is that it:
- Removes the obligation to keep any records
- Guarantees the project will never exceed its budget
- Provides frequent, visible checkpoints where progress and quality can be inspected and corrected early
- Eliminates the need for testing
Correct answer: Provides frequent, visible checkpoints where progress and quality can be inspected and corrected early
The end-of-cycle review provides frequent, visible checkpoints where progress and quality can be inspected and corrected early, which is a control strength of iterative delivery. It does not remove record-keeping, guarantee the budget, or eliminate testing, which remain necessary regardless of the review cadence.
- An IS auditor is asked why a waterfall project committed so much effort to producing complete specifications before construction began. The auditor should explain that, in waterfall, thorough up-front specification is intended to:
- Make user feedback impossible to collect
- Allow each phase to proceed only when the prior phase is fully defined and approved, reducing costly downstream rework
- Replace the need for any deployment activity
- Guarantee the project will use fewer servers
Correct answer: Allow each phase to proceed only when the prior phase is fully defined and approved, reducing costly downstream rework
Thorough up-front specification in waterfall is intended to allow each phase to proceed only when the prior phase is fully defined and approved, reducing costly downstream rework once requirements are locked. It is not designed to block user feedback, replace deployment, or reduce server counts, which are unrelated to the rationale for detailed specification.
- An IS auditor reviewing a software sizing exercise notes that the team adjusted its raw function point count using factors such as transaction complexity, performance needs, and reusability before deriving an effort estimate. These adjustment factors are applied so that the sizing measure:
- Matches the company's quarterly revenue
- Equals the number of physical servers
- Reflects the technical and complexity characteristics that affect the size and effort of the software
- Becomes identical for every project
Correct answer: Reflects the technical and complexity characteristics that affect the size and effort of the software
Adjustment factors are applied so that the sizing measure reflects the technical and complexity characteristics that affect the size and effort of the software, refining a raw count into a more realistic estimate. They are not meant to align with revenue, server counts, or to make every project's size identical, which would defeat the purpose of measuring functionality.
- An IS auditor evaluating a vendor's claim that its package can be delivered cheaply wants an objective way to compare the functional size of competing solutions independent of the programming language used. The technique that measures functionality from the user's perspective rather than lines of code is:
- Penetration testing
- Recovery point objective analysis
- Capacity planning
- Function point analysis
Correct answer: Function point analysis
The technique that measures functionality from the user's perspective independent of programming language is function point analysis, which counts what the system does rather than how much code it contains. Penetration testing probes security, a recovery point objective sets data-loss tolerance, and capacity planning sizes resources, none of which measures language-independent functional size.
- An IS auditor questions why one development team's productivity, measured as function points delivered per labor month, should not be compared directly with another team's lines of code per month. The most accurate reason is that:
- Function points and lines of code measure different things, so the two metrics are not directly comparable
- Lines of code can only be counted on weekends
- Function points are illegal to use commercially
- Productivity can never be measured at all
Correct answer: Function points and lines of code measure different things, so the two metrics are not directly comparable
The metrics are not directly comparable because function points and lines of code measure different things, function points capturing delivered functionality and lines of code capturing implementation volume. The comparison is not barred by a scheduling rule, a legal prohibition, or an inability to measure productivity, which are not real constraints here.
- An IS auditor is verifying that acceptance testing was driven by what users actually need. The most appropriate basis against which user acceptance test cases should be evaluated for completeness is the:
- Number of developers on the team
- Vendor's advertising claims
- Documented, agreed user requirements and acceptance criteria
- Size of the data center
Correct answer: Documented, agreed user requirements and acceptance criteria
User acceptance test cases should be evaluated for completeness against the documented, agreed user requirements and acceptance criteria, since acceptance testing exists to confirm those needs are met. Developer headcount, vendor advertising, and data center size provide no authoritative statement of what users agreed the system must do.
- An IS auditor reviewing readiness for go-live finds that users were given the new system and asked to confirm it satisfied their business needs, but the testing exercised only a handful of common transactions and ignored exception and error conditions. The most significant concern is that:
- The system will automatically refuse to start
- Acceptance is based on incomplete coverage, so defects in untested paths may reach production undetected
- The vendor contract becomes void
- Function points can no longer be measured
Correct answer: Acceptance is based on incomplete coverage, so defects in untested paths may reach production undetected
The concern is that acceptance is based on incomplete coverage, so defects in untested paths may reach production undetected, because exception and error handling were never exercised. Limited test coverage does not stop the system from starting, void a contract, or prevent function point measurement, which are unrelated to test scope.
- An IS auditor wants to confirm that defects found during implementation testing were actually resolved rather than simply noted. The control that best provides this assurance is a:
- Marketing approval form
- Network bandwidth report
- Vendor brochure
- Defect tracking and resolution log showing each issue through to retest and closure
Correct answer: Defect tracking and resolution log showing each issue through to retest and closure
Assurance that defects were resolved comes from a defect tracking and resolution log showing each issue through to retest and closure, giving evidence that problems were not just recorded but fixed and verified. A marketing form, a bandwidth report, and a vendor brochure say nothing about whether testing defects were remediated.
- An IS auditor reviewing pre-implementation testing observes that testers deliberately submitted invalid, out-of-range, and malformed inputs to confirm the application rejected or handled them safely. This kind of testing, which checks behavior under invalid and unexpected conditions, is best described as:
- Business case analysis
- Negative (error-condition) testing
- Capacity planning
- Configuration baselining
Correct answer: Negative (error-condition) testing
Submitting invalid, out-of-range, and malformed inputs to confirm safe handling is negative, or error-condition, testing, which verifies the system behaves correctly when given bad data. Business case analysis justifies investment, capacity planning sizes resources, and configuration baselining records approved state, none of which tests invalid-input handling.
- An IS auditor reviews the sign-off step that authorizes a tested system to move into live operation. The most appropriate party to provide the final acceptance approving the move to production is:
- The external advertising agency
- The data center cleaning contractor
- The business owner or sponsor who confirms the system meets the agreed requirements
- Any developer who happens to be available
Correct answer: The business owner or sponsor who confirms the system meets the agreed requirements
Final acceptance to move to production should come from the business owner or sponsor who confirms the system meets the agreed requirements, because they are accountable for whether it fits the business need. An advertising agency, a cleaning contractor, and an arbitrary developer lack the authority and accountability to accept the system on the business's behalf.
- An IS auditor evaluating a planned data conversion wants assurance that no records will be silently dropped or duplicated as data moves from the old system to the new one. The conversion control most directly aimed at completeness is:
- Checking that the new building has enough parking
- Confirming the project manager attended a conference
- Comparing source and target record counts and control totals before and after the load
- Verifying the marketing team approves the screen colors
Correct answer: Comparing source and target record counts and control totals before and after the load
The control most directly aimed at completeness is comparing source and target record counts and control totals before and after the load, which detects dropped or duplicated records. Parking capacity, conference attendance, and screen-color approval have nothing to do with whether every record converted completely.
- An IS auditor reviewing a migration finds the team kept the source legacy system intact and fully recoverable until after the converted data in the new system had been validated and accepted. The principal control benefit of preserving the source system in this way is that it:
- Reduces the project's electricity bill
- Provides a fallback to restore or re-run the conversion if validation reveals serious problems
- Increases the function point count
- Speeds up the marketing launch
Correct answer: Provides a fallback to restore or re-run the conversion if validation reveals serious problems
Preserving the source system until validation is complete provides a fallback to restore or re-run the conversion if validation reveals serious problems, protecting the organization from an irreversible bad load. It is not done to cut electricity costs, raise function point counts, or accelerate marketing, which are unrelated to data-conversion recoverability.
- An IS auditor reviewing infrastructure deployment for a migrated system finds the team used automated, version-controlled scripts to provision the production environment instead of configuring servers by hand. The principal control benefit of this scripted, repeatable deployment is that it:
- Eliminates the need for any testing
- Guarantees the system can never fail
- Produces consistent, auditable environments and reduces the risk of manual configuration errors
- Removes the need for user acceptance
Correct answer: Produces consistent, auditable environments and reduces the risk of manual configuration errors
Scripted, version-controlled deployment produces consistent, auditable environments and reduces the risk of manual configuration errors, because the same defined steps run every time. It does not remove testing, guarantee against failure, or remove user acceptance, all of which remain required parts of a controlled implementation.
- An IS auditor reviewing a high-volume conversion finds the team scheduled the data load during a planned outage window and confirmed in advance that the window was long enough to complete the load and validate the results. The principal reason for sizing and scheduling this conversion window carefully is to:
- Increase the number of vendors involved
- Raise the system's purchase price
- Make the requirements document longer
- Ensure the conversion and its validation can finish before the system must be available, limiting business disruption
Correct answer: Ensure the conversion and its validation can finish before the system must be available, limiting business disruption
Sizing and scheduling the conversion window carefully ensures the conversion and its validation can finish before the system must be available, limiting business disruption from an overrun. It is not intended to add vendors, raise the purchase price, or lengthen the requirements document, which have no connection to outage planning.
- An IS auditor reviewing a post-implementation review wants to confirm it assessed lessons that could improve future projects. Besides benefits realization, the post-implementation review should also evaluate:
- The cafeteria menu during the project
- The personal hobbies of the developers
- Whether the project's processes, estimates, and controls performed as intended so future projects can improve
- The color scheme of the office
Correct answer: Whether the project's processes, estimates, and controls performed as intended so future projects can improve
Beyond benefits, the post-implementation review should evaluate whether the project's processes, estimates, and controls performed as intended so future projects can improve, turning experience into organizational learning. The cafeteria menu, developers' hobbies, and office color scheme are irrelevant to assessing project performance and lessons learned.
- An IS auditor is determining the most appropriate timing for a post-implementation review. The review is best conducted:
- Before any requirements are gathered
- During the initial feasibility study
- On the same day the contract is signed
- After the system has been live long enough to demonstrate whether expected benefits and stable operation are being achieved
Correct answer: After the system has been live long enough to demonstrate whether expected benefits and stable operation are being achieved
A post-implementation review is best conducted after the system has been live long enough to demonstrate whether expected benefits and stable operation are being achieved, since benefits and operational reality take time to appear. Conducting it before requirements, during feasibility, or on the contract-signing day would be far too early to observe outcomes.
- An IS auditor reviewing post-implementation practices finds that reviews are performed entirely by the same project team that built and delivered the system, with no independent input. The most significant concern with this arrangement is that:
- The review will consume too little electricity
- The review may lack objectivity, since those who delivered the project are assessing their own work
- The system will run slower
- The function point count will change
Correct answer: The review may lack objectivity, since those who delivered the project are assessing their own work
The concern is that the review may lack objectivity, since those who delivered the project are assessing their own work, which can understate problems and overstate success. Self-review has no meaningful effect on electricity use, system speed, or function point counts, so those options miss the independence issue.
- An IS auditor reviewing a release management process finds that code is promoted from development to a separate testing environment, then to a staging environment, and only finally to production, with approval required at each promotion. The primary control purpose of these separate, gated environments is to:
- Increase the number of physical buildings the company owns
- Eliminate the need to write release notes
- Reduce the company's tax liability
- Ensure changes are validated in controlled stages and authorized before reaching the live environment
Correct answer: Ensure changes are validated in controlled stages and authorized before reaching the live environment
Separate, gated environments exist to ensure changes are validated in controlled stages and authorized before reaching the live environment, so untested or unapproved code cannot slip into production. They do not add buildings, remove the need for release notes, or affect tax liability, which are unrelated to staged promotion control.
- An IS auditor reviewing configuration management asks how the organization knows exactly which versions of components make up the system in production at any time. The repository that records the configuration items and their relationships for this purpose is the:
- Business impact analysis
- Configuration management database or repository
- Recovery time objective register
- Penetration test report
Correct answer: Configuration management database or repository
The repository that records configuration items and their relationships so the organization knows what is in production is the configuration management database or repository. A business impact analysis assesses disruption, a recovery time objective register tracks restoration targets, and a penetration test report documents security findings, none of which inventories configuration items.
- An IS auditor reviewing version control finds that developers commit changes to a central source code repository that records every change, who made it, and when. The primary control benefit of this versioned source control for a development organization is that it:
- Guarantees the software will be free of bugs
- Removes the need for testing
- Provides an authoritative, traceable history of code changes and the ability to recover prior versions
- Eliminates the need for any approvals
Correct answer: Provides an authoritative, traceable history of code changes and the ability to recover prior versions
Versioned source control provides an authoritative, traceable history of code changes and the ability to recover prior versions, supporting accountability and rollback. It does not guarantee bug-free software, remove the need for testing, or eliminate approvals, which remain independent controls.
- An IS auditor reviewing a release finds the team prepared a documented, tested procedure to reverse the deployment and restore the previous version if the new release fails after go-live. The principal control benefit of this rollback plan is that it:
- Guarantees the release will succeed
- Removes the need to test the release
- Increases the function point count
- Lets the organization restore service to a known-good state quickly if the release causes problems
Correct answer: Lets the organization restore service to a known-good state quickly if the release causes problems
A documented, tested rollback plan lets the organization restore service to a known-good state quickly if the release causes problems, limiting the impact of a failed deployment. It does not guarantee success, remove the need for testing, or change function point counts, which are unrelated to rollback capability.
- An IS auditor reviewing release controls finds that the developer who writes a change is also the person who approves it for release into production, with no second reviewer. The most significant control weakness in this arrangement is the:
- Lack of independent review, since the author should not be the sole approver of their own change
- Increase in the system's storage requirements
- Slower compilation of the code
- Reduction in the number of releases
Correct answer: Lack of independent review, since the author should not be the sole approver of their own change
The weakness is the lack of independent review, since the author should not be the sole approver of their own change, which removes a key check against errors and unauthorized modifications. The arrangement does not inherently increase storage, slow compilation, or reduce the number of releases, so those options miss the segregation issue.
- An IS auditor is comparing changeover strategies for transitioning to a new system in stages, where one functional area or module is moved at a time over several weeks until the whole system is live. This staged approach is best described as a:
- Direct cutover
- Parallel changeover
- Phased changeover
- Function point conversion
Correct answer: Phased changeover
Moving one functional area or module at a time over several weeks until the whole system is live is a phased changeover, which spreads risk across stages. A direct cutover switches everything at once, a parallel changeover runs both systems together, and a function point conversion is not a changeover method at all.
- An IS auditor is advising on changeover for a small, low-risk internal utility where downtime is tolerable, dual operation would be wasteful, and rapid switching is preferred. The most cost-appropriate changeover strategy is:
- A lengthy parallel run of both systems for many months
- A direct cutover, switching to the new system at a single point
- Refusing to deploy the system at all
- Skipping all data conversion
Correct answer: A direct cutover, switching to the new system at a single point
For a small, low-risk utility where downtime is tolerable and dual operation would be wasteful, a direct cutover, switching to the new system at a single point, is most cost-appropriate. A long parallel run wastes effort for a low-risk system, refusing to deploy ignores the need, and skipping data conversion would leave the system without its data.
- An IS auditor reviewing a parallel changeover wants to understand what the organization should do with the discrepancies it finds when comparing old and new system outputs. The most appropriate use of those discrepancies is to:
- Ignore them because the new system is assumed correct
- Immediately delete the old system without analysis
- Investigate and resolve each difference before retiring the old system, since they may indicate defects
- Use them to set the marketing budget
Correct answer: Investigate and resolve each difference before retiring the old system, since they may indicate defects
The discrepancies should be investigated and resolved before retiring the old system, since they may indicate defects in the new system that must be corrected. Ignoring them, deleting the old system without analysis, or using them for a marketing budget would waste the comparison's purpose of catching errors before final cutover.
- An IS auditor compares the risk profiles of changeover strategies for a critical system. Considering immediate fallback if the new system fails on the first day, the most accurate statement is that:
- Direct cutover provides more fallback than parallel operation
- Parallel operation generally provides a stronger immediate fallback than a direct cutover
- All changeover strategies provide identical fallback
- Pilot deployment provides no risk reduction at all
Correct answer: Parallel operation generally provides a stronger immediate fallback than a direct cutover
Parallel operation generally provides a stronger immediate fallback than a direct cutover, because the old system keeps running and can take over if the new system fails. Direct cutover offers the weakest fallback, the strategies are not identical in risk, and a pilot does reduce risk by limiting exposure, so the other statements are incorrect.
- An IS auditor reviewing a pilot changeover wants to ensure the pilot is meaningful. The most important characteristic of the group chosen for a pilot deployment is that it should be:
- The smallest possible group regardless of how it uses the system
- Composed only of the developers who built the system
- Chosen at random with no regard to the work performed
- Representative of the broader user base and its real transactions so results are generalizable
Correct answer: Representative of the broader user base and its real transactions so results are generalizable
The pilot group should be representative of the broader user base and its real transactions so results are generalizable to the full rollout. Picking the smallest group regardless of usage, using only developers, or choosing without regard to the work performed would make the pilot unrepresentative and its results misleading.
- An IS auditor reviewing project governance finds that a steering committee was responsible for authorizing the project, monitoring its progress, and deciding whether it should continue. From a system development perspective, the primary value of this committee is that it:
- Writes the application's source code
- Performs the unit testing of each module
- Provides senior oversight that keeps the development effort aligned with business objectives and authorized investment
- Configures the production firewall
Correct answer: Provides senior oversight that keeps the development effort aligned with business objectives and authorized investment
The steering committee's primary value is that it provides senior oversight that keeps the development effort aligned with business objectives and authorized investment, governing whether the project should proceed. It does not write source code, perform unit testing, or configure firewalls, which are technical tasks outside its oversight role.
- An IS auditor is asked to explain why catching a requirements defect during the requirements phase is far less expensive than catching the same defect after the system is in production. The most accurate explanation is that:
- Defects cost the same to fix at any phase of the life cycle
- The cost to correct a defect rises sharply the later it is discovered in the life cycle
- Defects found in production are always free to fix
- Requirements defects cannot exist
Correct answer: The cost to correct a defect rises sharply the later it is discovered in the life cycle
The explanation is that the cost to correct a defect rises sharply the later it is discovered in the life cycle, because later fixes ripple through design, code, testing, and live data. Defects do not cost the same at every phase, production fixes are not free, and requirements defects clearly can exist, so the other options are wrong.
- An IS auditor evaluating an agile delivery finds the team relies on direct, frequent conversation among developers, testers, and business representatives rather than passing formal documents between separated groups. Compared with waterfall, the principal trade-off an auditor should recognize in this collaboration model is that it:
- Speeds shared understanding but requires deliberate effort to capture decisions for traceability and audit
- Makes the software impossible to test
- Removes all need for business involvement
- Guarantees the project will never change scope
Correct answer: Speeds shared understanding but requires deliberate effort to capture decisions for traceability and audit
The trade-off is that close collaboration speeds shared understanding but requires deliberate effort to capture decisions for traceability and audit, because reliance on conversation can leave decisions undocumented. It does not make the software untestable, remove business involvement, or freeze scope, which contradict how agile actually works.
- An IS auditor reviewing system readiness before production finds the team conducted a final check confirming that operations staff had documented procedures, support contacts, and monitoring in place to run the system once live. The principal purpose of this operational readiness check is to:
- Determine the software's function point count
- Set the recovery point objective for the project
- Replace the requirements specification
- Confirm the system can be supported and operated effectively after go-live, not just that it functions
Correct answer: Confirm the system can be supported and operated effectively after go-live, not just that it functions
The operational readiness check confirms the system can be supported and operated effectively after go-live, not just that it functions, by verifying procedures, support, and monitoring are ready. It is not for counting function points, setting a recovery point objective, or replacing the requirements specification, which serve different purposes in the life cycle.
- An IS auditor reviewing an acquisition project finds the contract for a purchased application requires the vendor to place its source code with an independent third party, releasable to the buyer only if the vendor goes out of business or stops supporting the product. The principal purpose of this source code escrow arrangement is to:
- Eliminate the need to test the purchased application
- Protect the buyer's ability to maintain the system if the vendor can no longer support it
- Guarantee the vendor will lower its license price
- Transfer ownership of the buyer's data to the vendor
Correct answer: Protect the buyer's ability to maintain the system if the vendor can no longer support it
The purpose of source code escrow is to protect the buyer's ability to maintain the system if the vendor can no longer support it, by making the code available under defined trigger conditions. It does not remove the need for testing, force a price reduction, or transfer the buyer's data to the vendor, which are unrelated to the escrow's intent.
- A BIA was conducted using only revenue figures to rank process criticality. Which dimension of impact was most likely overlooked, weakening the analysis?
- The brand of servers running each process
- The number of vendors involved in each process
- Non-financial impacts such as reputational damage, legal exposure, and loss of customer trust
- The physical floor space each department occupies
Correct answer: Non-financial impacts such as reputational damage, legal exposure, and loss of customer trust
Non-financial impacts such as reputational damage, legal exposure, and loss of customer trust were most likely overlooked. A sound business impact analysis weighs both quantitative losses and qualitative consequences, because some disruptions harm an organization in ways revenue alone cannot capture. Server brand, vendor counts, and floor space are not impact dimensions that the analysis must evaluate when ranking criticality.
- Why is it important that business process owners, rather than only IT staff, participate directly in the business impact analysis?
- Because process owners understand the operational and financial consequences of losing their processes and can judge tolerable downtime
- Because IT staff are not permitted to attend planning meetings
- Because process owners are responsible for purchasing the recovery hardware
- Because only process owners are allowed to approve the disaster recovery plan
Correct answer: Because process owners understand the operational and financial consequences of losing their processes and can judge tolerable downtime
Process owners understand the operational and financial consequences of losing their processes and can judge tolerable downtime, which is why their direct participation matters. The business, not IT, best knows the real-world effect of an outage on a function. IT staff are not barred from meetings, process owners do not procure recovery hardware as a rule, and approval authority is not what makes their input essential to the analysis.
- A BIA output lists a single recovery priority tier in which every process is labeled critical. What concern should an IS auditor raise about this result?
- The BIA must always produce exactly three tiers by regulation
- Labeling everything critical provides no basis to sequence recovery or allocate limited resources during a real disruption
- Critical processes should never appear in a BIA
- A BIA is not supposed to assign priorities at all
Correct answer: Labeling everything critical provides no basis to sequence recovery or allocate limited resources during a real disruption
The concern is that labeling everything critical provides no basis to sequence recovery or allocate limited resources during a real disruption. The value of a BIA lies in differentiating processes so the most important are recovered first; treating all as equal defeats that purpose. There is no fixed regulatory tier count, prioritization is a core BIA output, and critical processes are expected to appear in the analysis.
- How should the outputs of a business impact analysis most appropriately drive the selection of a recovery strategy?
- By matching the recovery capability and cost to the criticality and downtime tolerance the BIA established for each process
- By choosing the cheapest available strategy regardless of process needs
- By selecting one identical strategy for every process to simplify administration
- By copying the recovery strategy used by a competitor
Correct answer: By matching the recovery capability and cost to the criticality and downtime tolerance the BIA established for each process
The BIA outputs should drive selection by matching the recovery capability and cost to the criticality and downtime tolerance the BIA established for each process. Strategies are tailored so critical, time-sensitive processes get faster, costlier recovery and less critical ones get cheaper, slower options. Picking the cheapest option, a single uniform strategy, or a competitor's approach ignores the differentiated requirements the BIA produced.
- An IS auditor reviews a BIA performed two years ago and notes the organization has since launched a major new online product line that is now its largest revenue source. What is the most appropriate finding?
- The BIA remains valid indefinitely once approved
- BIAs should only be repeated after an actual disaster
- The new product line should be excluded because it is too recent
- The BIA is outdated and should be refreshed to reflect the new critical process and its dependencies
Correct answer: The BIA is outdated and should be refreshed to reflect the new critical process and its dependencies
The most appropriate finding is that the BIA is outdated and should be refreshed to reflect the new critical process and its dependencies. A significant business change can alter which processes are most critical, so the analysis must be revisited to remain accurate. A BIA is not valid indefinitely, should not wait for a disaster to be updated, and cannot legitimately exclude a now-dominant revenue process.
- When determining recovery requirements, why does an IS auditor evaluate the maximum tolerable outage alongside the recovery time objective?
- The two values must always be identical for a plan to be valid
- The maximum tolerable outage replaces the need for any RTO
- The maximum tolerable outage represents the absolute limit beyond which the business may not survive, and the RTO must be set within it
- The maximum tolerable outage measures data loss while the RTO measures cost
Correct answer: The maximum tolerable outage represents the absolute limit beyond which the business may not survive, and the RTO must be set within it
The maximum tolerable outage represents the absolute limit beyond which the business may not survive, and the RTO must be set within it. The RTO is a planning target that should always fall comfortably inside the maximum tolerable outage to leave a safety margin. The two are related but not required to be identical, the RTO is still needed, and neither measures data loss or cost in this context.
- An organization has set a recovery time objective of 30 minutes for its customer-facing payment gateway. Which recovery design is most consistent with this objective?
- Active-active clustering with automated failover across redundant nodes
- Restoring from nightly tape backups shipped from an offsite vault
- Rebuilding the server from installation media after a failure
- Procuring replacement hardware after the outage is declared
Correct answer: Active-active clustering with automated failover across redundant nodes
Active-active clustering with automated failover across redundant nodes is most consistent with a 30-minute RTO. Such an architecture shifts traffic to a healthy node almost instantly, meeting an aggressive restoration target. Restoring from shipped tapes, rebuilding from media, or procuring hardware after the fact all take far longer than 30 minutes and cannot satisfy so tight an objective.
- An IS auditor finds that an organization documented RTOs for its applications but never validated them against actual recovery exercises. What is the principal risk?
- Documenting RTOs without testing automatically halves recovery time
- Documented RTOs may be unachievable in practice, giving false confidence that recovery targets can be met
- RTOs become legally binding once written down
- The applications will refuse to start after an outage
Correct answer: Documented RTOs may be unachievable in practice, giving false confidence that recovery targets can be met
The principal risk is that documented RTOs may be unachievable in practice, giving false confidence that recovery targets can be met. Without testing, the organization cannot know whether its actual recovery capability matches the stated objective, and the gap surfaces only during a real disaster. Writing down an RTO does not reduce recovery time, make the value legally binding, or affect whether applications start.
- A business process depends on three systems with RTOs of one hour, four hours, and eight hours. What is the effective recovery time objective for the overall process?
- One hour, because the fastest system sets the pace
- Eight hours, because the process cannot fully function until its slowest required system is restored
- Four hours, because it is the middle value
- The sum of all three, equal to thirteen hours
Correct answer: Eight hours, because the process cannot fully function until its slowest required system is restored
The effective RTO for the overall process is eight hours, because the process cannot fully function until its slowest required system is restored. A process is only as recoverable as the longest-to-restore component it depends on. The fastest system does not set the pace, the middle value is arbitrary, and the objectives are not additive, so one hour, four hours, and thirteen hours are all incorrect.
- Management complains that recovery of a critical system consistently overruns its RTO because staff must locate and follow scattered, inconsistent procedures. Which improvement most directly addresses the RTO shortfall?
- Increasing the backup retention period
- Consolidating clear, tested, step-by-step recovery runbooks that staff can execute quickly under pressure
- Encrypting the backup media at rest
- Lengthening the maintenance window for the system
Correct answer: Consolidating clear, tested, step-by-step recovery runbooks that staff can execute quickly under pressure
Consolidating clear, tested, step-by-step recovery runbooks that staff can execute quickly under pressure most directly addresses the RTO shortfall. Time lost hunting for and reconciling procedures inflates recovery duration, so well-organized runbooks shorten it. Extending retention, encrypting media, or lengthening maintenance windows address other concerns and do not speed the actual recovery execution.
- An IS auditor reviews the data protection design for a system with a 15-minute RPO. The team relies on hourly snapshots. What is the most accurate assessment?
- Hourly snapshots exceed the RPO requirement comfortably
- The hourly snapshot interval cannot meet a 15-minute RPO, leaving up to 60 minutes of data exposed to loss
- The RPO is irrelevant because snapshots are automated
- Snapshots and RPO are unrelated concepts
Correct answer: The hourly snapshot interval cannot meet a 15-minute RPO, leaving up to 60 minutes of data exposed to loss
The most accurate assessment is that the hourly snapshot interval cannot meet a 15-minute RPO, leaving up to 60 minutes of data exposed to loss. The recovery point objective demands that no more than 15 minutes of data be lost, which an hourly capture cannot guarantee. Hourly snapshots fall short rather than exceed the target, automation does not satisfy the interval, and snapshot frequency is directly tied to achievable RPO.
- Two databases support related functions; one has an RPO of zero and the other an RPO of 24 hours. What does the zero RPO require that the 24-hour RPO does not?
- A longer backup retention period
- A cheaper, simpler protection mechanism
- No loss of committed data, which typically demands synchronous replication or equivalent continuous protection
- More physical storage cabinets in the data center
Correct answer: No loss of committed data, which typically demands synchronous replication or equivalent continuous protection
A zero RPO requires no loss of committed data, which typically demands synchronous replication or equivalent continuous protection. Eliminating the data-loss window calls for capturing every transaction at a second location as it commits. A zero RPO needs a more, not less, capable mechanism, is unrelated to retention length, and is not defined by the number of storage cabinets.
- An IS auditor evaluating an organization's RPO design observes that database transaction logs are shipped to the recovery site every five minutes. What does this most directly establish?
- The recovery time objective is automatically five minutes
- The system has unlimited storage capacity
- The maximum data loss is bounded to roughly the log-shipping interval, supporting a tight RPO
- Backups no longer need to be tested
Correct answer: The maximum data loss is bounded to roughly the log-shipping interval, supporting a tight RPO
Log shipping every five minutes most directly establishes that the maximum data loss is bounded to roughly the log-shipping interval, supporting a tight RPO. Frequent transmission of changes limits how much recent data could be lost. It does not define the recovery time objective, say anything about storage limits, or remove the need to test recoverability.
- A finance system's RPO was set to four hours, but after a disruption the business found that even one hour of lost transactions caused reconciliation chaos. What is the most appropriate corrective action?
- Re-evaluate and tighten the RPO to reflect the true business tolerance for data loss, then adjust protection accordingly
- Accept the four-hour RPO because it was already documented
- Convert the RPO into a recovery time objective
- Stop backing up the finance system entirely
Correct answer: Re-evaluate and tighten the RPO to reflect the true business tolerance for data loss, then adjust protection accordingly
The appropriate corrective action is to re-evaluate and tighten the RPO to reflect the true business tolerance for data loss, then adjust protection accordingly. The disruption revealed the documented objective did not match reality, so the objective and the supporting controls must be brought into line with actual tolerance. Keeping a proven-wrong value, converting it to an RTO, or ceasing backups would all fail to address the data-loss exposure.
- An organization stores its replication target at a site only two kilometers from the primary data center to keep synchronous replication latency low. Which RPO-related risk does this introduce?
- The RPO would be too small to be useful
- Synchronous replication would no longer protect any data
- A regional event could damage both sites at once, so the near-zero RPO would be meaningless if the replica is also lost
- The recovery point objective would convert into a service level agreement
Correct answer: A regional event could damage both sites at once, so the near-zero RPO would be meaningless if the replica is also lost
The risk is that a regional event could damage both sites at once, so the near-zero RPO would be meaningless if the replica is also lost. Placing the replica too close optimizes latency but exposes both copies to the same disaster, defeating the protection the tight RPO was meant to provide. A small RPO is desirable rather than useless, synchronous replication still protects data, and an RPO does not transform into an SLA.
- An IS auditor reviews a disaster recovery arrangement in which the alternate facility has servers, network gear, and operating systems installed but the most recent application data must be loaded from backups upon activation. Which type of recovery site is this?
- Cold site
- Reciprocal site
- Warm site
- Mirrored site
Correct answer: Warm site
This describes a warm site, which has servers, network gear, and operating systems installed but requires loading recent application data from backups upon activation. It sits between a cold site, which offers only space and utilities, and a hot site, which is ready almost immediately. A mirrored site is a continuously synchronized duplicate, and a reciprocal site relies on a partner's spare capacity, so neither fits.
- An organization signs a subscription with a commercial recovery provider that promises a ready-to-use facility, but the contract allows the provider to serve multiple subscribers from the same site on a first-come basis. What disaster recovery risk should the IS auditor highlight?
- The provider will be forced to give the site to a single subscriber permanently
- Subscription recovery sites cannot meet any recovery time objective
- During a widespread regional disaster, multiple subscribers may demand the site simultaneously and capacity may not be available
- Such contracts eliminate the need to test recovery
Correct answer: During a widespread regional disaster, multiple subscribers may demand the site simultaneously and capacity may not be available
The risk to highlight is that during a widespread regional disaster, multiple subscribers may demand the site simultaneously and capacity may not be available. Shared subscription sites can be oversubscribed, so a regional event affecting many customers can leave some without the facility they paid for. The provider is not forced to give the site to one subscriber, such sites can meet objectives when available, and testing remains essential.
- When an IS auditor assesses whether a cold site is appropriate for a particular system, which factor most strongly justifies the choice?
- The system requires near-zero data loss
- The system must fail over automatically within seconds
- The system processes the organization's highest-priority transactions
- The system has a long recovery time objective that allows time to procure and configure equipment
Correct answer: The system has a long recovery time objective that allows time to procure and configure equipment
A long recovery time objective that allows time to procure and configure equipment most strongly justifies a cold site. Because cold sites provide only space and utilities, they fit systems that can tolerate the delay of building out the environment. Needing near-zero data loss, seconds-level failover, or supporting the highest-priority transactions would all demand a far readier and costlier recovery option.
- An IS auditor reviews a disaster recovery plan and notes it identifies an alternate site but does not address how staff will physically reach it or work from it during a regional emergency. What is the most significant gap?
- The plan should not name an alternate site at all
- The alternate site should be located inside the primary building
- The plan omits logistical and personnel arrangements needed to actually operate the recovery site
- The plan contains too much detail about the recovery site
Correct answer: The plan omits logistical and personnel arrangements needed to actually operate the recovery site
The most significant gap is that the plan omits logistical and personnel arrangements needed to actually operate the recovery site. Having a facility is useless if staff cannot get there, be housed, or staff the operation during the emergency. The plan should name an alternate site, that site should not be in the primary building where a shared event could destroy both, and addressing logistics is not excessive detail.
- Why does moving from a cold site to a hot site generally increase recurring costs even when no disaster occurs?
- A hot site requires no equipment and therefore costs more to lease
- Hot sites are taxed at a higher rate than cold sites by regulation
- A hot site maintains ready, often duplicated and continuously updated infrastructure that must be paid for and kept current at all times
- Cold sites must be replaced annually while hot sites last forever
Correct answer: A hot site maintains ready, often duplicated and continuously updated infrastructure that must be paid for and kept current at all times
Moving to a hot site increases recurring costs because a hot site maintains ready, often duplicated and continuously updated infrastructure that must be paid for and kept current at all times. The standing readiness that enables fast recovery is exactly what drives the ongoing expense. Hot sites contain extensive equipment rather than none, there is no special tax distinction, and cold sites do not require annual replacement.
- An organization plans to recover into a public cloud region as its disaster recovery target. Which characteristic of this approach should the IS auditor verify is genuinely tested?
- That the cloud provider uses the same logo colors as the company
- That the cloud region is in the same building as the primary data center
- That sufficient cloud capacity and the required instance types are actually available and can be provisioned within the RTO during an event
- That the recovery uses physical tapes shipped to the cloud
Correct answer: That sufficient cloud capacity and the required instance types are actually available and can be provisioned within the RTO during an event
The auditor should verify that sufficient cloud capacity and the required instance types are actually available and can be provisioned within the RTO during an event. Cloud recovery assumes on-demand resources that, during broad regional demand, may be constrained, so this assumption must be tested rather than presumed. Logo colors are irrelevant, co-location would defeat the purpose, and shipping tapes contradicts the cloud recovery model.
- A business continuity plan focuses exclusively on the IT data center and ignores alternate workspace for staff whose office is destroyed. What does this reveal about the plan?
- It is well scoped, because continuity is purely an IT responsibility
- It should be narrowed further to cover only databases
- It should be merged entirely into the patch management process
- It is too narrow, because continuity must address people, facilities, and processes, not only technology
Correct answer: It is too narrow, because continuity must address people, facilities, and processes, not only technology
This reveals that the plan is too narrow, because continuity must address people, facilities, and processes, not only technology. Even with systems restored, the business cannot operate if staff have nowhere to work, so a true BCP spans workspace, personnel, and operations. Continuity is not purely IT, narrowing to databases would worsen the gap, and merging it into patch management confuses unrelated disciplines.
- An IS auditor wants to confirm that a business continuity plan reflects an acceptable balance between cost and protection. Whose acceptance of the residual risk should the auditor verify?
- The help desk technicians who handle daily tickets
- The external backup tape courier
- The software vendor whose product is being protected
- Senior management, because they own the residual risk and must accept the chosen level of resilience investment
Correct answer: Senior management, because they own the residual risk and must accept the chosen level of resilience investment
The auditor should verify acceptance by senior management, because they own the residual risk and must accept the chosen level of resilience investment. Decisions about how much continuity capability to fund are business risk decisions that belong at the top of the organization. Help desk staff, a tape courier, and a software vendor do not hold accountability for the organization's residual continuity risk.
- During a tabletop continuity exercise, participants discover that two departments both assume the other is responsible for notifying customers during an outage. What process improvement does this finding support?
- Eliminating customer notification from the plan
- Running fewer exercises to avoid surfacing conflicts
- Clearly assigning and documenting roles and responsibilities so accountability for each continuity task is unambiguous
- Merging the two departments into one permanently
Correct answer: Clearly assigning and documenting roles and responsibilities so accountability for each continuity task is unambiguous
The finding supports clearly assigning and documenting roles and responsibilities so accountability for each continuity task is unambiguous. Overlapping assumptions about who acts cause critical tasks to fall through the cracks during a real event. Removing customer notification, running fewer exercises, or forcibly merging departments would not resolve the underlying ambiguity the exercise exposed.
- What is the main purpose of conducting a tabletop or simulation continuity exercise rather than a full interruption test?
- To permanently replace all other forms of testing
- To validate decision-making, coordination, and plan logic at low operational risk before committing to higher-impact tests
- To intentionally take production systems offline for customers
- To measure the encryption strength of backup media
Correct answer: To validate decision-making, coordination, and plan logic at low operational risk before committing to higher-impact tests
The main purpose is to validate decision-making, coordination, and plan logic at low operational risk before committing to higher-impact tests. Tabletop and simulation exercises let teams rehearse the response and surface gaps without disrupting live operations. They do not replace all other testing, deliberately taking production offline describes a full interruption test, and they do not measure backup encryption strength.
- An IS auditor finds that a business continuity plan exists but no employees outside the planning team are aware of it or their roles in it. What is the most significant weakness?
- A plan that responders do not know cannot be executed effectively when a disruption strikes
- The plan should be kept secret from everyone for security
- The plan must be printed on colored paper to be valid
- Awareness is unnecessary because the planning team handles everything alone
Correct answer: A plan that responders do not know cannot be executed effectively when a disruption strikes
The most significant weakness is that a plan that responders do not know cannot be executed effectively when a disruption strikes. Continuity depends on many people across the organization understanding and rehearsing their roles. Secrecy would make execution impossible, paper color is irrelevant, and the planning team cannot single-handedly carry out an organization-wide response.
- Which factor most justifies how frequently a business continuity plan should be reviewed and updated?
- The number of pages in the plan document
- The rate of significant change in the organization's processes, systems, personnel, and risk environment
- The personal schedule of the IT manager
- The color scheme used in the plan's cover
Correct answer: The rate of significant change in the organization's processes, systems, personnel, and risk environment
The frequency of review and update is most justified by the rate of significant change in the organization's processes, systems, personnel, and risk environment. A plan must keep pace with change to remain executable, so faster-changing organizations need more frequent updates. Page count, the manager's personal schedule, and cover design have no bearing on how current the plan must be.
- An IS auditor reviews how a help desk handles user reports. Tickets are logged but there is no defined target response time for each severity level. Which incident management element is missing?
- A requirement to delete tickets after logging
- A rule that all incidents are equally urgent
- A ban on documenting workarounds
- Defined service targets that specify how quickly incidents of each priority should be acknowledged and resolved
Correct answer: Defined service targets that specify how quickly incidents of each priority should be acknowledged and resolved
The missing element is defined service targets that specify how quickly incidents of each priority should be acknowledged and resolved. Without response and resolution targets per severity, the help desk cannot ensure urgent issues are handled promptly or measure its performance. Deleting tickets, treating all incidents as equally urgent, and banning workarounds would each undermine rather than support sound incident management.
- A major outage is resolved, and the team applies a permanent fix that prevents the underlying fault from recurring. Which process completed this work?
- Capacity management, by adding resources
- Problem management, by identifying and removing the root cause
- Release management, by scheduling a deployment window
- Service level management, by renegotiating the SLA
Correct answer: Problem management, by identifying and removing the root cause
Problem management completed this work, by identifying and removing the root cause so the fault cannot recur. Permanent elimination of the underlying cause is precisely the goal of problem management, as distinct from the rapid service restoration that incident management provides. Capacity management sizes resources, release management deploys changes, and service level management governs agreements, none of which is root-cause elimination.
- An IS auditor reviews incident metrics and sees that mean time to resolve has been climbing steadily for six months. What is the most appropriate auditor action?
- Conclude that rising resolution time is always acceptable
- Investigate the cause of the deteriorating trend, such as staffing, knowledge, or recurring unresolved problems, and report it
- Recommend that the metric stop being collected
- Assume the increase proves the incidents are less severe
Correct answer: Investigate the cause of the deteriorating trend, such as staffing, knowledge, or recurring unresolved problems, and report it
The most appropriate action is to investigate the cause of the deteriorating trend, such as staffing, knowledge, or recurring unresolved problems, and report it. A worsening resolution time signals a control or process weakness that warrants analysis and management attention. Accepting the trend, ceasing measurement, or assuming lower severity would all ignore a meaningful warning sign in the incident data.
- Why should an organization distinguish between an incident's resolution and its closure in the incident management workflow?
- Closure must always happen before resolution
- Resolution and closure are the same step with no difference
- Resolution restores service, while closure confirms the user agrees the issue is fully addressed and records final details for analysis
- Closure means the incident is escalated to a problem automatically
Correct answer: Resolution restores service, while closure confirms the user agrees the issue is fully addressed and records final details for analysis
Distinguishing the two matters because resolution restores service, while closure confirms the user agrees the issue is fully addressed and records final details for analysis. Premature closure can mask incompletely solved issues, so confirming with the requester and capturing final data improves quality and trend analysis. Closure does not precede resolution, the steps are not identical, and closure does not automatically create a problem record.
- An organization's most experienced engineer keeps incident resolutions in personal notes rather than a shared system. From an IT operations resilience view, what is the chief risk?
- The engineer will resolve incidents too quickly
- Knowledge is not shared, so resolution slows or fails when that engineer is unavailable and problem analysis lacks data
- Personal notes are inherently more accurate than shared records
- Sharing knowledge would violate incident management principles
Correct answer: Knowledge is not shared, so resolution slows or fails when that engineer is unavailable and problem analysis lacks data
The chief risk is that knowledge is not shared, so resolution slows or fails when that engineer is unavailable and problem analysis lacks data. Concentrating resolution knowledge in one person creates a single point of failure and starves problem management of trend information. Fast resolution is not a risk, personal notes are not inherently more accurate, and sharing knowledge supports rather than violates good incident management.
- An IS auditor wants to confirm that severe incidents trigger appropriate management involvement. Which control should be present in the incident management process?
- A rule that no manager is ever informed of incidents
- A defined severity-based escalation procedure that brings the right authority and expertise to high-impact incidents
- A policy that all incidents close automatically after one hour
- A requirement that users diagnose their own incidents
Correct answer: A defined severity-based escalation procedure that brings the right authority and expertise to high-impact incidents
The control that should be present is a defined severity-based escalation procedure that brings the right authority and expertise to high-impact incidents. Escalation ensures major disruptions reach decision-makers and specialists quickly rather than languishing at the front line. Never informing managers, auto-closing all incidents, and forcing users to self-diagnose would each undermine effective handling of serious incidents.
- A change is classified as a standard change in the change management process. What characteristic justifies this classification?
- It is the most disruptive type of change possible
- It is applied without any procedure at all
- It is reserved only for active production emergencies
- It is a low-risk, well-understood, pre-authorized change with a documented, repeatable procedure
Correct answer: It is a low-risk, well-understood, pre-authorized change with a documented, repeatable procedure
A standard change is justified by being a low-risk, well-understood, pre-authorized change with a documented, repeatable procedure. Because the risk is known and the steps are proven, it can be executed under blanket pre-approval without repeated individual review. It is not the most disruptive change, is not performed without procedure, and is not the emergency category, which covers urgent unplanned fixes.
- An IS auditor finds that developers can promote their own code to production without independent review or approval. Which change management principle is violated?
- The requirement that all changes be deployed simultaneously
- The rule that production must never be changed
- Separation between those who develop changes and those who authorize and move them into production
- The principle that testing is unnecessary for code changes
Correct answer: Separation between those who develop changes and those who authorize and move them into production
The violated principle is separation between those who develop changes and those who authorize and move them into production. Allowing developers to self-promote removes the independent check that prevents unauthorized or untested code from reaching live systems. Simultaneous deployment of all changes is not a principle, production is meant to be changed in a controlled way, and testing remains required rather than optional.
- An IS auditor reviews patch records and finds that a critical vulnerability remediation was deferred for nine months with no documented risk acceptance. What is the most significant concern?
- Patches should never be deferred under any circumstances
- The deferral guarantees the system is now more secure
- Documenting risk acceptance would itself create vulnerabilities
- A known critical vulnerability remained unaddressed for an extended period without management formally accepting the risk
Correct answer: A known critical vulnerability remained unaddressed for an extended period without management formally accepting the risk
The most significant concern is that a known critical vulnerability remained unaddressed for an extended period without management formally accepting the risk. Deferring remediation may sometimes be necessary, but the exposure must be consciously accepted and documented by an appropriate authority. Patches can legitimately be deferred with proper governance, the delay does not improve security, and documenting risk acceptance is a control, not a vulnerability.
- Why is it important to coordinate patch deployment with the change management process rather than applying patches in an ad hoc manner?
- Patches are changes that can disrupt service, so they require assessment, approval, testing, scheduling, and a back-out plan like other changes
- Patches are not changes and need no oversight
- Change management slows patching down to the point of being harmful
- Coordinating patches removes the need to ever test them
Correct answer: Patches are changes that can disrupt service, so they require assessment, approval, testing, scheduling, and a back-out plan like other changes
Coordination is important because patches are changes that can disrupt service, so they require assessment, approval, testing, scheduling, and a back-out plan like other changes. Treating patches as governed changes prevents unexpected outages and preserves accountability. Patches are indeed changes needing oversight, change management protects rather than harms operations, and coordination supplements rather than eliminates testing.
- An organization maintains a configuration management database, but it is updated manually and quarterly. An IS auditor expects to find what kind of weakness?
- Manual quarterly updates make the database perfectly accurate at all times
- The database is likely to drift out of sync with the actual environment between updates, reducing its reliability
- The database will automatically detect all unauthorized changes
- Quarterly updates guarantee real-time configuration visibility
Correct answer: The database is likely to drift out of sync with the actual environment between updates, reducing its reliability
The auditor should expect that the database is likely to drift out of sync with the actual environment between updates, reducing its reliability. Infrequent manual maintenance allows undocumented changes to accumulate, so the records no longer reflect reality when needed for recovery or diagnosis. Quarterly manual updates cannot keep the database perfectly accurate, automatically detect unauthorized changes, or provide real-time visibility.
- What is the purpose of a configuration item record within configuration management?
- To store the personal contact details of customers
- To document an individual component under control, including its attributes, version, and relationships to other items
- To record the marketing budget for the IT department
- To list competitors' product prices
Correct answer: To document an individual component under control, including its attributes, version, and relationships to other items
A configuration item record's purpose is to document an individual component under control, including its attributes, version, and relationships to other items. These records collectively give an accurate picture of the environment that supports controlled change, troubleshooting, and recovery. Customer contact details, marketing budgets, and competitor prices are unrelated to tracking controlled configuration items.
- An IS auditor observes that emergency changes are routinely approved by the same person who implements them, with no later independent review. What control improvement is warranted?
- Require independent post-implementation review and approval of emergency changes to restore separation and accountability
- Eliminate emergency changes so the issue cannot arise
- Allow the implementer to approve all future normal changes too
- Stop recording emergency changes to simplify the process
Correct answer: Require independent post-implementation review and approval of emergency changes to restore separation and accountability
The warranted improvement is to require independent post-implementation review and approval of emergency changes to restore separation and accountability. Emergency speed can justify abbreviated up-front approval, but a later independent check ensures the action was appropriate and properly recorded. Eliminating emergency changes is impractical, extending self-approval to normal changes worsens the problem, and ceasing to record emergencies destroys the audit trail.
- An organization wants to reduce the risk that a single failed patch affects every server at once. Which deployment practice best mitigates this?
- Deploying the patch to every server in one simultaneous push
- Applying patches only to offline systems forever
- Ring-based or phased rollout that deploys to small groups first and expands only after confirming stability
- Skipping patches entirely to avoid the risk
Correct answer: Ring-based or phased rollout that deploys to small groups first and expands only after confirming stability
A ring-based or phased rollout that deploys to small groups first and expands only after confirming stability best mitigates the risk. Limiting initial exposure means a defective patch affects few systems and can be halted before broad impact. A simultaneous push maximizes blast radius, patching only offline systems leaves production exposed, and skipping patches leaves known vulnerabilities open.
- An IS auditor reviews the post-change verification step and finds that successful deployment is recorded but no check confirms the change achieved its intended result. What weakness does this represent?
- Recording deployment is unnecessary and should be removed
- Verifying outcomes would invalidate the change approval
- Changes never need any verification once deployed
- Without verifying the intended outcome, a change can be marked successful while failing to deliver its purpose or causing hidden issues
Correct answer: Without verifying the intended outcome, a change can be marked successful while failing to deliver its purpose or causing hidden issues
This represents the weakness that without verifying the intended outcome, a change can be marked successful while failing to deliver its purpose or causing hidden issues. Confirming deployment occurred is not the same as confirming the change worked as designed. Recording deployment is useful, outcome verification does not invalidate approval, and verification is a necessary control after deployment.
- Why should patches obtained from a vendor be validated for authenticity, such as by checking digital signatures or checksums, before deployment?
- To increase the file size of the patch
- To make the patch deploy faster
- To ensure the patch has not been tampered with or replaced by a malicious file before it is installed on systems
- To eliminate the need for change approval
Correct answer: To ensure the patch has not been tampered with or replaced by a malicious file before it is installed on systems
Patches should be validated for authenticity to ensure the patch has not been tampered with or replaced by a malicious file before it is installed on systems. Verifying signatures or checksums confirms the update came from the legitimate vendor and was not altered in transit. Validation does not change file size, speed deployment, or remove the need for change approval.
- An IS auditor reviews configuration records and finds undocumented firmware versions on network devices that differ from the approved baseline. What does this most likely indicate?
- Changes have been made outside the change and configuration control process, undermining the integrity of the baseline
- The devices are operating exactly as approved
- The baseline is unnecessary and should be discarded
- Firmware versions are irrelevant to configuration management
Correct answer: Changes have been made outside the change and configuration control process, undermining the integrity of the baseline
This most likely indicates that changes have been made outside the change and configuration control process, undermining the integrity of the baseline. Firmware that deviates from the approved baseline without documentation signals uncontrolled modification. The devices are not operating as approved, the baseline is the very reference that makes such drift detectable, and firmware versions are a legitimate configuration concern.
- An IS auditor finds that a critical application server routinely runs at 90 percent memory utilization during peak hours with no headroom for growth. From a capacity management perspective, what is the most appropriate recommendation?
- Wait until the server crashes and then add resources
- Forecast future demand and provision additional capacity or optimize usage before performance degrades
- Reduce monitoring to lower overhead during peaks
- Move the workload to an even smaller server to save cost
Correct answer: Forecast future demand and provision additional capacity or optimize usage before performance degrades
The most appropriate recommendation is to forecast future demand and provision additional capacity or optimize usage before performance degrades. Operating with no peak headroom on a critical server invites slowdowns or outages as demand grows, so proactive planning is needed. Waiting for a crash, reducing monitoring, or downsizing the server would all increase the risk of an availability incident.
- Why is trend analysis of resource utilization a core activity in capacity management?
- It is used to set the marketing strategy for IT services
- It determines the encryption algorithm for stored data
- It replaces the need for any monitoring tools
- It allows the organization to predict when resources will become constrained and act before demand exceeds supply
Correct answer: It allows the organization to predict when resources will become constrained and act before demand exceeds supply
Trend analysis is core to capacity management because it allows the organization to predict when resources will become constrained and act before demand exceeds supply. Studying utilization over time turns capacity planning from reactive firefighting into proactive provisioning. It does not set marketing strategy, choose encryption algorithms, or remove the need for the monitoring tools that produce the data.
- An IS auditor evaluates availability for a service advertised as highly available but discovers it depends on a single network switch with no redundancy. What is the most significant finding?
- The single switch is a single point of failure that contradicts the high-availability claim
- The single switch improves availability by simplifying the design
- Redundant switches would reduce availability
- Availability cannot be affected by network hardware
Correct answer: The single switch is a single point of failure that contradicts the high-availability claim
The most significant finding is that the single switch is a single point of failure that contradicts the high-availability claim. Genuine high availability requires eliminating components whose failure would take the service down, so an unredundant switch undermines the claim. A single switch does not improve availability through simplicity, redundancy increases rather than reduces availability, and network hardware clearly affects availability.
- An organization reports 99.99 percent availability for a service. Approximately how much downtime per year does this allow?
- Roughly 53 minutes per year
- Roughly 88 hours per year
- Roughly zero seconds per year
- Roughly 36 days per year
Correct answer: Roughly 53 minutes per year
An availability of 99.99 percent allows roughly 53 minutes of downtime per year, since 0.01 percent of a year is about that amount. This figure illustrates why each additional nine of availability sharply tightens the allowable outage budget. Roughly 88 hours corresponds to about 99 percent, zero seconds would require 100 percent, and 36 days is far below the implied availability, so those are incorrect.
- An IS auditor reviews how an organization handles seasonal demand spikes for an e-commerce platform. Which capacity management approach best supports both performance and cost efficiency?
- Permanently provisioning peak-level capacity year-round regardless of demand
- Scaling resources elastically to meet peak demand and reducing them afterward, guided by demand forecasts
- Provisioning only minimum capacity and accepting outages during peaks
- Ignoring seasonal patterns when planning capacity
Correct answer: Scaling resources elastically to meet peak demand and reducing them afterward, guided by demand forecasts
Scaling resources elastically to meet peak demand and reducing them afterward, guided by demand forecasts, best supports both performance and cost efficiency. Matching capacity to predictable demand avoids both outages and the waste of constant peak provisioning. Permanently provisioning peak capacity wastes money, minimum provisioning causes outages, and ignoring seasonal patterns abandons planning altogether.
- What does mean time to repair indicate about a component or service in availability management?
- The average time the component runs before failing
- The maximum acceptable data loss after a failure
- The average time required to restore the component or service to operation after a failure
- The percentage of transactions processed correctly
Correct answer: The average time required to restore the component or service to operation after a failure
Mean time to repair indicates the average time required to restore the component or service to operation after a failure. Shorter repair times improve availability because outages are resolved faster. The average run time before failure is mean time between failures, maximum acceptable data loss is the recovery point objective, and transaction accuracy is a separate quality measure.
- An IS auditor reviews an SLA and notes that availability is defined but the agreement does not state how planned maintenance windows are treated in the availability calculation. What is the most significant concern?
- Ambiguity over whether maintenance counts as downtime can cause disputes and inflate reported availability
- Maintenance windows always violate the SLA automatically
- Availability should never be defined in an SLA
- Maintenance windows have no effect on availability figures
Correct answer: Ambiguity over whether maintenance counts as downtime can cause disputes and inflate reported availability
The most significant concern is that ambiguity over whether maintenance counts as downtime can cause disputes and inflate reported availability. If the SLA is silent, the provider may exclude maintenance to show better numbers while the customer expected it counted. Maintenance does not automatically violate the SLA, availability belongs in the SLA, and maintenance can materially affect reported availability.
- Why should an SLA specify the measurement period and method used to calculate service metrics?
- The measurement method is confidential and must be omitted
- Specifying the method makes the SLA unenforceable
- Metrics do not require any defined measurement approach
- Without an agreed period and method, the same raw data can yield different results and the parties cannot objectively determine compliance
Correct answer: Without an agreed period and method, the same raw data can yield different results and the parties cannot objectively determine compliance
An SLA should specify the measurement period and method because without an agreed period and method, the same raw data can yield different results and the parties cannot objectively determine compliance. Defining how and over what window metrics are computed prevents disputes. The method should be transparent rather than confidential, specifying it strengthens rather than weakens enforceability, and metrics do require a defined approach.
- An organization relies on a key supplier whose own ability to meet the SLA depends on a fourth-party subcontractor. What should the IS auditor verify about this arrangement?
- That the subcontractor be hidden from the organization entirely
- That the supplier's obligations flow down to the subcontractor through back-to-back agreements so the end-to-end service can be met
- That the SLA be deleted because subcontracting voids it
- That only the subcontractor sign the SLA
Correct answer: That the supplier's obligations flow down to the subcontractor through back-to-back agreements so the end-to-end service can be met
The auditor should verify that the supplier's obligations flow down to the subcontractor through back-to-back agreements so the end-to-end service can be met. When delivery depends on a fourth party, the commitments must be passed through to avoid a gap between what is promised and what can be delivered. Hiding the subcontractor, deleting the SLA, or having only the subcontractor sign would all leave the organization unprotected.
- An IS auditor finds that SLA breaches are recorded but never reviewed in service governance meetings. What is the most significant consequence?
- Recurring service problems go unaddressed because breach data does not drive corrective action or supplier accountability
- Recording breaches becomes more accurate over time
- The provider automatically improves without intervention
- SLA breaches stop occurring once they are recorded
Correct answer: Recurring service problems go unaddressed because breach data does not drive corrective action or supplier accountability
The most significant consequence is that recurring service problems go unaddressed because breach data does not drive corrective action or supplier accountability. Capturing breaches has little value if no one acts on the information through governance and improvement. Recording alone does not make data more accurate, prompt provider improvement, or cause breaches to stop occurring.
- Which clause in an SLA most directly protects the customer's ability to exit and recover its data if the provider relationship ends?
- A defined exit, data return, and transition assistance provision
- A clause listing the provider's office holidays
- A clause describing the provider's company history
- A clause setting the font used in monthly reports
Correct answer: A defined exit, data return, and transition assistance provision
A defined exit, data return, and transition assistance provision most directly protects the customer's ability to exit and recover its data if the relationship ends. Exit clauses ensure the customer can retrieve its data and migrate without being locked in or stranded. Office holidays, company history, and report fonts are immaterial to a clean, recoverable exit.
- An IS auditor reviews an underpinning contract supporting an SLA and finds the internal support team's response commitment is weaker than the customer-facing SLA promises. What is the concern?
- Internal commitments should always be weaker than external ones
- Underpinning contracts have no relationship to SLAs
- The internal support cannot guarantee the customer-facing commitment, creating a structural gap that will lead to breaches
- The customer-facing SLA should be made even more aggressive
Correct answer: The internal support cannot guarantee the customer-facing commitment, creating a structural gap that will lead to breaches
The concern is that the internal support cannot guarantee the customer-facing commitment, creating a structural gap that will lead to breaches. If supporting agreements are weaker than the external promise, the organization is committing to a level it cannot reliably deliver. Internal commitments should support rather than fall short of external ones, underpinning contracts are tightly linked to SLAs, and tightening the customer-facing SLA would widen the gap.
- An IS auditor discovers a department running its own unsanctioned database server under a desk, used for a process feeding monthly regulatory filings. Which combination of risks is most relevant to business resilience?
- The server improves regulatory accuracy by being independent of IT
- The server is automatically included in the disaster recovery plan
- The server is outside backup, recovery, and patching coverage, so its loss could halt a regulatory process with no recovery plan
- Unsanctioned servers are always patched faster than managed ones
Correct answer: The server is outside backup, recovery, and patching coverage, so its loss could halt a regulatory process with no recovery plan
The most relevant risks are that the server is outside backup, recovery, and patching coverage, so its loss could halt a regulatory process with no recovery plan. Shadow infrastructure supporting critical work is invisible to the controls that would protect and restore it. Being outside IT does not improve accuracy, the server is by definition excluded from the disaster recovery plan, and unsanctioned servers are typically less, not better, maintained.
- Which governance action best brings previously undiscovered shadow IT into an acceptable risk posture without simply banning it?
- Ignoring discovered tools as long as users are satisfied
- Immediately deleting all discovered tools without assessment
- Permanently exempting discovered tools from any future review
- Assessing each discovered tool, then either formally adopting it under proper controls or migrating its function to a sanctioned alternative
Correct answer: Assessing each discovered tool, then either formally adopting it under proper controls or migrating its function to a sanctioned alternative
The best action is assessing each discovered tool, then either formally adopting it under proper controls or migrating its function to a sanctioned alternative. This addresses the legitimate need that drove the tool's adoption while restoring governance, security, and recoverability. Ignoring the tools accepts unmanaged risk, deleting them without assessment can break critical processes, and permanent exemption would entrench the original problem.
- An IS auditor finds that a critical revenue forecast depends on a macro-driven spreadsheet maintained by one analyst, with no documentation of its logic. Which resilience control is most important to recommend first?
- Documenting the spreadsheet's logic and placing it under version control and backup so it is recoverable and maintainable
- Deleting the spreadsheet to remove the dependency
- Allowing every employee to edit it without restriction
- Hiding the spreadsheet from auditors going forward
Correct answer: Documenting the spreadsheet's logic and placing it under version control and backup so it is recoverable and maintainable
The most important control to recommend first is documenting the spreadsheet's logic and placing it under version control and backup so it is recoverable and maintainable. Critical end-user computing that lives undocumented in one person's hands is a continuity risk that documentation, versioning, and backup directly reduce. Deleting it breaks a critical process, unrestricted editing raises error risk, and hiding it from auditors conceals rather than manages the risk.
- Why can widespread end-user computing complicate an organization's data classification and protection efforts?
- End-user tools automatically apply the strictest controls available
- Data in spreadsheets is never sensitive
- End-user computing removes all data from the organization
- Sensitive data copied into uncontrolled spreadsheets and tools may not receive the access, encryption, and handling controls applied to managed systems
Correct answer: Sensitive data copied into uncontrolled spreadsheets and tools may not receive the access, encryption, and handling controls applied to managed systems
Widespread end-user computing complicates protection because sensitive data copied into uncontrolled spreadsheets and tools may not receive the access, encryption, and handling controls applied to managed systems. Once data leaves governed repositories, its protection becomes inconsistent and hard to track. Such tools do not auto-apply the strictest controls, spreadsheet data can certainly be sensitive, and end-user computing does not remove data from the organization.
- An organization adopts a backup scheme of weekly full backups plus daily incrementals. To restore the system to its state on a Thursday after the Sunday full backup, which media are required?
- The Sunday full backup plus the Monday, Tuesday, Wednesday, and Thursday incrementals
- Only the Thursday incremental
- Only the Sunday full backup
- The Sunday full backup plus only the Thursday incremental
Correct answer: The Sunday full backup plus the Monday, Tuesday, Wednesday, and Thursday incrementals
Restoring to Thursday's state requires the Sunday full backup plus the Monday, Tuesday, Wednesday, and Thursday incrementals. Because each incremental captures only changes since the previous backup, every incremental in the chain since the full backup is needed. The Thursday incremental alone, the full backup alone, or the full plus only Thursday would all leave the restored data incomplete.
- An IS auditor finds that backup jobs report success daily, but no one has confirmed the backed-up data is readable. Which control most directly closes this gap?
- Increasing the number of backup jobs scheduled
- Renaming the backup files with the current date
- Storing the success logs in a separate folder
- Periodic test restores that verify the data can actually be recovered and is intact
Correct answer: Periodic test restores that verify the data can actually be recovered and is intact
Periodic test restores that verify the data can actually be recovered and is intact most directly close the gap. A success message confirms the job ran, not that the resulting media is usable, so only an actual restore proves recoverability. Adding more jobs, renaming files, or relocating logs does nothing to confirm the backed-up data can be read and restored.
- Why is it important to encrypt backup media that is transported or stored offsite?
- Encryption increases the storage capacity of the media
- If the media is lost or stolen, encryption prevents unauthorized parties from reading the sensitive data it contains
- Encryption makes backups restore faster
- Encryption removes the need to store backups offsite
Correct answer: If the media is lost or stolen, encryption prevents unauthorized parties from reading the sensitive data it contains
Encrypting offsite backup media is important because if the media is lost or stolen, encryption prevents unauthorized parties from reading the sensitive data it contains. Backups concentrate large volumes of data and travel outside controlled facilities, making confidentiality protection essential. Encryption does not expand capacity, speed restoration, or remove the need for offsite storage.
- An organization keeps three copies of its data on two different media types with one copy stored offsite. Which widely recommended backup principle does this reflect?
- Maintaining multiple copies across different media with at least one copy kept off-site for resilience
- Keeping all copies on a single device for simplicity
- Storing every copy in the same room for fast access
- Relying on one cloud copy with no local backup
Correct answer: Maintaining multiple copies across different media with at least one copy kept off-site for resilience
This reflects the principle of maintaining multiple copies across different media with at least one copy kept off-site for resilience. Diversifying copies and locations protects against media failure, site disasters, and single points of loss. Keeping all copies on one device, in one room, or relying on a single copy each violate the redundancy and separation the principle promotes.
- An IS auditor reviews a cloud backup configuration and finds that backups and production data reside in the same cloud account with the same administrative credentials. What resilience risk does this create?
- A compromise of those credentials or an account-level incident could delete or corrupt both production and backups together
- Backups will be impossible to create in the cloud
- The configuration guarantees immutable backups
- Cloud backups never need separation from production
Correct answer: A compromise of those credentials or an account-level incident could delete or corrupt both production and backups together
The risk is that a compromise of those credentials or an account-level incident could delete or corrupt both production and backups together. Sharing the account and credentials means the same threat that hits production can also destroy the backups, defeating their purpose. Cloud backups are still possible, this setup does not make them immutable, and separating backups from production is exactly the safeguard that is missing.
- What is the primary advantage of immutable or write-once backup storage in a ransomware threat environment?
- Immutable storage makes backups complete faster
- Immutable storage removes the need for any access controls
- Immutable backups can be edited freely by administrators
- Backups cannot be altered or deleted for a defined period, so they remain recoverable even if attackers compromise production systems
Correct answer: Backups cannot be altered or deleted for a defined period, so they remain recoverable even if attackers compromise production systems
The primary advantage is that backups cannot be altered or deleted for a defined period, so they remain recoverable even if attackers compromise production systems. Immutability directly counters ransomware that seeks to destroy or encrypt backups along with live data. It does not chiefly speed backups, remove the need for access controls, or allow free editing, which would defeat immutability.
- An IS auditor is asked to confirm that a recovery procedure works end to end. Which form of evidence provides the strongest assurance?
- A signed statement that the procedure is believed to work
- The age of the procedure document
- Observed results of an actual recovery test executing the documented procedure to a working outcome
- The number of staff who have read the procedure
Correct answer: Observed results of an actual recovery test executing the documented procedure to a working outcome
Observed results of an actual recovery test executing the documented procedure to a working outcome provide the strongest assurance. Direct observation of a successful end-to-end recovery demonstrates the procedure actually works, which is what the auditor must confirm. A belief statement, the document's age, and readership counts are weak indirect indicators that do not prove the procedure functions.
- An organization defines its RTO and RPO but never confirms that its current recovery solution can meet both. What is the consequence an IS auditor should highlight?
- Defining both objectives guarantees they will be met
- Objectives only matter for non-critical systems
- The objectives automatically reduce recovery cost
- The objectives may be aspirational only, with an unknown gap between targets and actual capability that surfaces during a real event
Correct answer: The objectives may be aspirational only, with an unknown gap between targets and actual capability that surfaces during a real event
The auditor should highlight that the objectives may be aspirational only, with an unknown gap between targets and actual capability that surfaces during a real event. Targets are meaningful only if the recovery solution is validated against them; otherwise the organization discovers shortfalls at the worst possible time. Merely defining objectives does not guarantee they are met, both matter most for critical systems, and stating objectives does not reduce cost.
- An IS auditor reviews a continuity program and finds the BIA, risk assessment, recovery strategy, and plans were each produced by different teams without cross-referencing. What is the most significant concern?
- Using different teams guarantees a better outcome
- Cross-referencing the components would invalidate them
- The components may be inconsistent, so recovery strategies might not match the criticality and risks the analyses identified
- Continuity components are meant to be independent and unrelated
Correct answer: The components may be inconsistent, so recovery strategies might not match the criticality and risks the analyses identified
The most significant concern is that the components may be inconsistent, so recovery strategies might not match the criticality and risks the analyses identified. A continuity program works only when the BIA, risk assessment, strategy, and plans align into a coherent whole. Independent teams do not guarantee a better outcome, cross-referencing strengthens rather than invalidates the components, and these elements are meant to be integrated rather than unrelated.
- During an incident, staff bypass the change process to apply an urgent fix and never log it afterward. From an IT operations control view, what is the chief weakness?
- Urgent fixes never affect production stability
- Logging emergency changes is prohibited by good practice
- Bypassing change control improves long-term reliability
- The undocumented change leaves no record for accountability, recovery, or detecting later issues it may have caused
Correct answer: The undocumented change leaves no record for accountability, recovery, or detecting later issues it may have caused
The chief weakness is that the undocumented change leaves no record for accountability, recovery, or detecting later issues it may have caused. Even emergency fixes must be recorded so the environment remains traceable and any side effects can be diagnosed. Urgent fixes can affect stability, logging emergency changes is expected good practice, and bypassing controls undermines rather than improves reliability.
- An IS auditor reviews the operations bridge and finds that capacity alerts, availability alerts, and incident tickets are handled by separate teams with no shared view. What operational resilience improvement is warranted?
- Removing capacity monitoring to reduce the number of teams
- Integrating monitoring and incident handling so capacity, availability, and incident signals are correlated for faster, coordinated response
- Forbidding teams from communicating to avoid confusion
- Treating every alert as a separate unrelated event permanently
Correct answer: Integrating monitoring and incident handling so capacity, availability, and incident signals are correlated for faster, coordinated response
The warranted improvement is integrating monitoring and incident handling so capacity, availability, and incident signals are correlated for faster, coordinated response. Related signals often stem from the same underlying issue, so correlation speeds diagnosis and recovery. Removing capacity monitoring loses visibility, forbidding communication harms response, and treating every alert as unrelated prevents the correlation that resilience needs.
- An organization's RPO requires that no more than one hour of data be lost, and it uses asynchronous replication that typically lags by 10 to 40 minutes but can spike to two hours under heavy load. What should the IS auditor conclude?
- The replication always meets the RPO because it usually lags under one hour
- The RPO is irrelevant when replication is asynchronous
- Replication lag has no effect on data loss
- Under heavy load the replication lag can exceed the one-hour RPO, so the objective is not reliably met and the risk should be reported
Correct answer: Under heavy load the replication lag can exceed the one-hour RPO, so the objective is not reliably met and the risk should be reported
The auditor should conclude that under heavy load the replication lag can exceed the one-hour RPO, so the objective is not reliably met and the risk should be reported. An objective must hold under worst-case conditions, and a two-hour spike breaches a one-hour target. Usually meeting the RPO is not the same as reliably meeting it, the RPO remains relevant with asynchronous replication, and lag directly determines potential data loss.
- An IS auditor is verifying that an organization can recover a critical application within its stated RTO of two hours. Which evidence best supports that the objective is achievable?
- A vendor brochure stating the software is reliable
- A statement that backups are taken nightly
- A recent recovery exercise log showing the application was restored and validated in under two hours
- An organization chart of the recovery team
Correct answer: A recent recovery exercise log showing the application was restored and validated in under two hours
A recent recovery exercise log showing the application was restored and validated in under two hours best supports that the objective is achievable. Demonstrated recovery within the target is direct evidence the RTO can be met. A vendor brochure, a note about backup frequency, and an org chart are tangential and do not prove the application can actually be recovered within two hours.
- Why should an organization document and test the failback procedure that returns operations from the recovery site to the primary site after a disaster?
- Failback is automatic and never needs planning
- An uncontrolled or untested failback can cause data loss or a second outage when returning to the primary environment
- Failback only matters for non-critical systems
- Failback eliminates the need for a recovery site
Correct answer: An uncontrolled or untested failback can cause data loss or a second outage when returning to the primary environment
Failback should be documented and tested because an uncontrolled or untested failback can cause data loss or a second outage when returning to the primary environment. Reverting to primary involves resynchronizing data and switching services, which carries real risk if unplanned. Failback is not automatic, matters for critical systems, and does not remove the need for the recovery site that made it necessary.
- An IS auditor reviews how a service desk categorizes incidents and finds no link between repeated incidents of the same type and any root-cause investigation. Which process gap exists?
- Incidents are being resolved too thoroughly
- Recurring incidents are not being escalated into problem management for root-cause analysis
- Categorization is causing the incidents to multiply
- Root-cause analysis belongs only to capacity management
Correct answer: Recurring incidents are not being escalated into problem management for root-cause analysis
The gap is that recurring incidents are not being escalated into problem management for root-cause analysis. When the same incident type repeats, problem management should investigate and eliminate the cause, which is not happening here. Incidents are not resolved too thoroughly, categorization does not cause incidents to multiply, and root-cause analysis is the domain of problem management, not capacity management.
- An organization wants to ensure that its alternate processing site can take over a critical workload at full scale, not just in a limited demonstration. Which test approach provides the strongest evidence?
- A read-through of the recovery documentation
- An interview with the site landlord
- A review of the alternate site's electricity bill
- A parallel test that runs the full production-equivalent workload at the alternate site alongside production
Correct answer: A parallel test that runs the full production-equivalent workload at the alternate site alongside production
A parallel test that runs the full production-equivalent workload at the alternate site alongside production provides the strongest evidence. Running the complete workload reveals whether capacity, configuration, and connectivity truly support production scale without risking the live environment as a full interruption would. A documentation read-through, a landlord interview, and an electricity bill review confirm only administrative facts, not workload capability.
- An IS auditor reviews SLA penalty and credit terms and finds penalties are capped so low that chronic underperformance costs the provider almost nothing. What should the auditor recommend?
- Remove all penalties since they are ineffective
- Raise the availability target instead of touching penalties
- Accept the terms because penalties never influence behavior
- Restructure the penalties and remedies so they meaningfully incentivize performance and reflect the business impact of failures
Correct answer: Restructure the penalties and remedies so they meaningfully incentivize performance and reflect the business impact of failures
The auditor should recommend restructuring the penalties and remedies so they meaningfully incentivize performance and reflect the business impact of failures. Penalties that cost almost nothing fail to motivate the provider, so aligning them with impact restores their deterrent purpose. Removing penalties weakens the agreement, raising the target without enforceable consequences changes little, and penalties can influence behavior when set appropriately.
- An organization's incident response for a major outage worked technically, but the post-incident review found that lessons were never fed back into the continuity and problem processes. What improvement does this finding support?
- Establishing a feedback loop so post-incident lessons update recovery procedures, problem records, and continuity plans
- Discontinuing post-incident reviews to save effort
- Keeping lessons within the response team only
- Treating each major outage as entirely unique with no learning
Correct answer: Establishing a feedback loop so post-incident lessons update recovery procedures, problem records, and continuity plans
The finding supports establishing a feedback loop so post-incident lessons update recovery procedures, problem records, and continuity plans. Learning from incidents only adds value when it drives improvements across the related processes. Discontinuing reviews, hoarding lessons within one team, or treating outages as unique with no learning would all waste the insight the review produced.
- An IS auditor evaluates whether a critical system's availability target is supported by its design. The target is 99.95 percent, but the system runs on a single server with manual recovery taking several hours. What is the most accurate conclusion?
- The single-server design exceeds the availability target
- Availability targets are unrelated to system architecture
- The design cannot support the target, since a single failure and multi-hour manual recovery would breach 99.95 percent availability
- Manual recovery improves availability over automated failover
Correct answer: The design cannot support the target, since a single failure and multi-hour manual recovery would breach 99.95 percent availability
The most accurate conclusion is that the design cannot support the target, since a single failure and multi-hour manual recovery would breach 99.95 percent availability. That target allows only minutes of downtime, which a single-server architecture with hours-long manual recovery cannot honor. The single-server design falls short rather than exceeds the target, architecture directly affects availability, and manual recovery is slower, not better, than automated failover.
- An IS auditor finds that backups for a critical system are retained for 30 days, but the organization has discovered that some data corruption goes undetected for up to 60 days. What backup-related risk does this create?
- The retention period is too long and should be shortened
- Corruption cannot affect backed-up data
- Longer detection time improves recoverability
- A clean pre-corruption backup may no longer exist by the time corruption is discovered, preventing full recovery
Correct answer: A clean pre-corruption backup may no longer exist by the time corruption is discovered, preventing full recovery
The risk is that a clean pre-corruption backup may no longer exist by the time corruption is discovered, preventing full recovery. If corruption can go unnoticed for 60 days but backups last only 30, the last good copy is already gone when the problem is found. Shortening retention would worsen this, corruption can absolutely propagate into backups, and longer detection time harms rather than helps recoverability.
- An organization is selecting between synchronous and asynchronous replication for a remote recovery site located 500 kilometers away. Which trade-off should drive the decision?
- Synchronous replication offers near-zero data loss but adds latency over distance, while asynchronous reduces latency impact at the cost of a small data-loss window
- Asynchronous replication always provides zero data loss
- Synchronous replication is unaffected by distance
- Replication choice has no effect on the recovery point objective
Correct answer: Synchronous replication offers near-zero data loss but adds latency over distance, while asynchronous reduces latency impact at the cost of a small data-loss window
The decision should be driven by the trade-off that synchronous replication offers near-zero data loss but adds latency over distance, while asynchronous reduces latency impact at the cost of a small data-loss window. Over long distances, synchronous confirmation can slow transactions, so the organization must weigh data-loss tolerance against performance. Asynchronous does not provide zero data loss, synchronous is affected by distance-induced latency, and replication choice directly shapes the achievable RPO.
- An IS auditor reviews an SLA for a managed service and finds that it specifies availability and response times but says nothing about recovery objectives in the event of a disaster. What gap should the auditor raise?
- SLAs should never reference recovery objectives
- Availability and response times fully cover disaster recovery
- Recovery objectives only belong in the marketing material
- The SLA does not commit the provider to any recovery time or recovery point objectives, leaving continuity expectations undefined
Correct answer: The SLA does not commit the provider to any recovery time or recovery point objectives, leaving continuity expectations undefined
The gap to raise is that the SLA does not commit the provider to any recovery time or recovery point objectives, leaving continuity expectations undefined. Day-to-day availability and response targets do not address how quickly and to what data point the service is restored after a disaster. SLAs appropriately reference recovery objectives, routine availability does not cover disaster recovery, and recovery objectives belong in the agreement, not just marketing.
- An IS auditor reviews a business continuity arrangement that depends on a single key supplier with no alternate. From a resilience standpoint, what should the auditor recommend?
- Identify and arrange alternate sources or contingency options so a single supplier failure does not halt critical operations
- Increase the order volume from the single supplier
- Remove the supplier dependency from the continuity plan
- Assume the supplier will never fail
Correct answer: Identify and arrange alternate sources or contingency options so a single supplier failure does not halt critical operations
The auditor should recommend identifying and arranging alternate sources or contingency options so a single supplier failure does not halt critical operations. Concentration on one supplier is a single point of failure for continuity, which alternates or contingencies mitigate. Increasing order volume deepens dependence, omitting the dependency from the plan hides the risk, and assuming the supplier will never fail ignores the very scenario continuity planning exists to address.
- An organization's continuity plan assumes the primary workforce can work remotely during a building loss but never confirms whether enough remote-access capacity and licenses exist. What is the most significant concern?
- The remote-work assumption is untested, so insufficient access capacity could prevent staff from actually performing critical work during a disruption
- Remote work always scales infinitely without planning
- Remote-access capacity is irrelevant to continuity
- The plan should assume no staff will need access
Correct answer: The remote-work assumption is untested, so insufficient access capacity could prevent staff from actually performing critical work during a disruption
The most significant concern is that the remote-work assumption is untested, so insufficient access capacity could prevent staff from actually performing critical work during a disruption. A continuity strategy that relies on remote access must verify the capacity and licensing to support a surge of users. Remote work does not scale infinitely without planning, access capacity is highly relevant to continuity, and assuming no staff need access would defeat the strategy.
- An IS auditor reviews incident records and finds many incidents are logged but few are linked to the configuration items they affected. How does this weakness most directly impair IT operations?
- Linking incidents to components slows resolution and should be avoided
- Without linking incidents to affected components, the organization cannot easily identify recurring problem areas or assess impact during recovery
- Configuration items are unrelated to incident management
- Incident records become more accurate when component data is omitted
Correct answer: Without linking incidents to affected components, the organization cannot easily identify recurring problem areas or assess impact during recovery
This most directly impairs operations because without linking incidents to affected components, the organization cannot easily identify recurring problem areas or assess impact during recovery. Associating incidents with configuration items reveals which components are unstable and supports impact analysis. Linking does not slow resolution as a rule, configuration items are central to incident handling, and omitting component data reduces rather than improves record quality.
- An organization is deciding how often to perform full disaster recovery testing. Which factor should most influence the testing frequency for a given system?
- The alphabetical position of the system's name
- The criticality of the system and the rate of change in its environment, since higher criticality and faster change demand more frequent validation
- The personal preference of the newest team member
- The number of vowels in the system's hostname
Correct answer: The criticality of the system and the rate of change in its environment, since higher criticality and faster change demand more frequent validation
Testing frequency should most be influenced by the criticality of the system and the rate of change in its environment, since higher criticality and faster change demand more frequent validation. Critical, rapidly changing systems are likeliest to develop untested recovery gaps. A system's name spelling, a team member's preference, and vowel counts have no bearing on how often recovery should be validated.
- An organization uses a cloud provider for a critical workload and wants assurance the provider can meet recovery commitments. Which provider-side evidence best supports this assurance during an IS audit?
- The provider's advertising claims about reliability
- Independent assurance reports and the results of the provider's own recovery tests demonstrating the committed objectives can be met
- The number of customers the provider serves
- The provider's social media follower count
Correct answer: Independent assurance reports and the results of the provider's own recovery tests demonstrating the committed objectives can be met
Independent assurance reports and the results of the provider's own recovery tests demonstrating the committed objectives can be met best support this assurance. Third-party assurance and evidence of actual testing show the provider's controls and recovery capability work as claimed. Advertising claims, customer counts, and follower counts are marketing indicators that do not demonstrate recovery capability.
- An IS auditor reviews how the organization protects backups against the same threat that hits production. Which design best preserves a recoverable copy if production is compromised by malware?
- Keeping at least one backup copy isolated or air-gapped so it is not reachable from the production network
- Storing the backup on the same server as production data
- Granting production malware-scanning accounts full write access to backups
- Synchronizing backups continuously with no isolation so they always match production
Correct answer: Keeping at least one backup copy isolated or air-gapped so it is not reachable from the production network
Keeping at least one backup copy isolated or air-gapped so it is not reachable from the production network best preserves a recoverable copy if production is compromised. Isolation prevents malware from reaching and destroying the backup along with live data. Co-locating backups with production, granting broad write access, or continuously synchronizing without isolation all expose backups to the same compromise.
- An organization's continuity plan was validated a year ago, but since then it migrated its core application to a cloud provider with a different recovery model. What is the most appropriate IS auditor finding?
- The plan must be reviewed and updated to reflect the new architecture, because the prior validation no longer matches the current environment
- The prior validation remains sufficient regardless of architecture changes
- Cloud migrations never affect continuity planning
- The plan should be discarded because cloud services do not need continuity plans
Correct answer: The plan must be reviewed and updated to reflect the new architecture, because the prior validation no longer matches the current environment
The most appropriate finding is that the plan must be reviewed and updated to reflect the new architecture, because the prior validation no longer matches the current environment. A significant architectural change can invalidate recovery assumptions, so the plan and its validation must be refreshed. Prior validation is not sufficient after such a change, cloud migrations do affect continuity, and cloud services still require continuity planning.
- An IS auditor reviews the disaster recovery plan's assumptions and finds it assumes backups can be restored over the network from cloud storage within the RTO, but available bandwidth would take three times the RTO to transfer the data. What is the most significant finding?
- Bandwidth has no effect on cloud restore times
- The RTO should be ignored for cloud-based recovery
- Cloud restores are always instantaneous regardless of data size
- The restore cannot complete within the RTO over the available bandwidth, so the recovery strategy does not meet the objective
Correct answer: The restore cannot complete within the RTO over the available bandwidth, so the recovery strategy does not meet the objective
The most significant finding is that the restore cannot complete within the RTO over the available bandwidth, so the recovery strategy does not meet the objective. Large data volumes constrained by limited bandwidth can blow past the recovery time target, a gap that must be addressed through faster links, seeding, or local copies. Bandwidth strongly affects restore time, the RTO remains the benchmark for cloud recovery, and cloud restores are not instantaneous for large datasets.
- An IS auditor is asked to map a proposed control to the security objective it primarily supports. A control that watermarks and restricts who may view a confidential research report most directly serves which element of the CIA triad?
- Integrity
- Availability
- Confidentiality
- Resilience
Correct answer: Confidentiality
Restricting who may view a confidential report primarily serves confidentiality, which protects information from unauthorized disclosure. Integrity concerns accuracy, availability concerns access for authorized users, and resilience is not one of the three CIA elements.
- An organization runs redundant servers and load balancing so its customer portal stays reachable even when one server fails. From a CIA perspective, this investment is primarily protecting:
- Confidentiality
- Integrity
- Availability
- Non-repudiation
Correct answer: Availability
Redundancy and load balancing that keep a portal reachable despite a server failure primarily protect availability, ensuring authorized users can access the system when needed. Confidentiality addresses disclosure, integrity addresses accuracy, and non-repudiation is outside the CIA triad.
- An IS auditor reviewing security objectives is told the organization wants to weigh all three CIA properties when designing controls. Which statement best reflects how the CIA triad should guide control selection?
- Confidentiality should always be maximized even if it makes data unavailable
- Availability should be ignored once data is encrypted
- Controls should balance confidentiality, integrity, and availability according to the asset's risk and business needs
- Integrity is only relevant for public data
Correct answer: Controls should balance confidentiality, integrity, and availability according to the asset's risk and business needs
Controls should balance confidentiality, integrity, and availability according to the asset's risk and business needs, since overemphasizing one property can undermine another. Maximizing confidentiality at the cost of availability, ignoring availability after encryption, or limiting integrity to public data all misapply the triad.
- A subordinate, or issuing, certificate authority in a PKI hierarchy primarily exists to:
- Store users' private keys for recovery
- Handle day-to-day certificate issuance so the root can remain offline and protected
- Encrypt all network traffic between endpoints
- Replace the need for certificate revocation
Correct answer: Handle day-to-day certificate issuance so the root can remain offline and protected
A subordinate certificate authority handles day-to-day certificate issuance so the root authority can remain offline and protected from compromise. It does not store users' private keys, encrypt network traffic itself, or remove the need to revoke certificates that become untrustworthy.
- In a PKI, the entity that verifies an applicant's identity and approves a certificate request but does not itself sign or issue the certificate is the:
- Registration authority
- Root certificate authority
- Hardware security module
- Relying party
Correct answer: Registration authority
The registration authority verifies an applicant's identity and approves the request, then forwards it to the certificate authority, which actually signs and issues the certificate. The root authority signs certificates, a hardware security module protects keys, and a relying party simply trusts and uses issued certificates.
- An IS auditor reviewing a PKI notes that certificates have unusually long validity periods of many years. The primary risk of overly long certificate lifetimes is that:
- Certificates will be issued too quickly
- Browsers will refuse all long certificates automatically
- A compromised key or outdated cryptography remains trusted for a long time before expiry
- The certificate authority will run out of serial numbers
Correct answer: A compromised key or outdated cryptography remains trusted for a long time before expiry
Overly long certificate lifetimes mean a compromised key or weakening cryptography remains trusted for a long time before the certificate naturally expires, widening the window of exposure. The issue is not issuance speed, automatic browser rejection, or exhausting serial numbers.
- An IS auditor evaluating a PKI wants assurance that private keys used to sign certificates are generated and stored in tamper-resistant hardware. The device that provides this protection is a:
- Network intrusion sensor
- Load balancer
- Certificate revocation list
- Hardware security module
Correct answer: Hardware security module
A hardware security module generates and stores cryptographic keys in tamper-resistant hardware, protecting the most sensitive PKI keys from extraction. A network intrusion sensor monitors traffic, a load balancer distributes load, and a certificate revocation list lists revoked certificates, none of which secures key material in hardware.
- An IS auditor is comparing the key-distribution challenge of symmetric versus asymmetric encryption. Asymmetric encryption helps solve the symmetric key-distribution problem because:
- It requires no keys at all
- It uses the same single key for every user in the organization
- The public key can be shared openly while only the matching private key can decrypt
- It transmits keys in plaintext to save time
Correct answer: The public key can be shared openly while only the matching private key can decrypt
Asymmetric encryption eases key distribution because the public key can be shared openly while only the matching private key can decrypt, so no secret must be exchanged in advance. It still uses keys, does not rely on one shared key for everyone, and never transmits keys in plaintext.
- An IS auditor reviewing an encryption design sees that the system uses a 256-bit key with a current symmetric algorithm. Increasing key length, all else equal, primarily strengthens resistance to:
- Brute-force attacks that try to guess the key
- Social engineering of help-desk staff
- Physical theft of the server
- Phishing emails sent to users
Correct answer: Brute-force attacks that try to guess the key
A longer key strengthens resistance to brute-force attacks, because the number of possible keys an attacker must try grows enormously with each added bit. Key length does not address social engineering, physical theft, or phishing, which target people and physical assets rather than the cryptographic key space.
- An IS auditor notes that a vendor encrypts data 'at rest' in its database and 'in transit' over the network. The distinction between these two states is that data at rest is:
- Stored data on disk or media, while in transit refers to data moving across a network
- Data being actively processed in memory
- Data that has been permanently deleted
- Data that is only on paper
Correct answer: Stored data on disk or media, while in transit refers to data moving across a network
Data at rest is stored data on disk or media, while data in transit refers to data moving across a network, and each state requires its own encryption protection. It is not data being processed in memory, deleted data, or paper records, which are different categories.
- An IS auditor reviewing an encryption deployment finds the same symmetric key has been used unchanged for many years across all systems. The principal weakness this introduces is that:
- The algorithm becomes mathematically invalid over time
- If that one long-lived key is ever exposed, all data ever encrypted with it is compromised
- Encryption speed will steadily decrease each year
- The key will automatically expire and stop working
Correct answer: If that one long-lived key is ever exposed, all data ever encrypted with it is compromised
Relying on a single long-lived key across all systems means that if that key is ever exposed, all data ever encrypted with it is compromised, which is why periodic key rotation is sound practice. The algorithm does not become invalid with age, encryption speed does not decline yearly, and a symmetric key does not auto-expire.
- An IS auditor verifies that a digitally signed software update can be confirmed as coming from the genuine publisher. The publisher's signature is validated using the publisher's:
- Private key shared with all customers
- Symmetric session key
- Internal IP address
- Public key contained in a trusted certificate
Correct answer: Public key contained in a trusted certificate
A publisher's signature is validated using the publisher's public key, distributed in a trusted certificate, which confirms the matching private key produced the signature. The private key is never shared with customers, a symmetric session key does not verify signatures, and an IP address is irrelevant to signature validation.
- An IS auditor explains that a digital signature provides integrity and authentication but, by itself, does not provide:
- Detection of tampering with the message
- Verification of the signer's identity
- Assurance the message came from the claimed sender
- Confidentiality of the message contents
Correct answer: Confidentiality of the message contents
A digital signature by itself does not provide confidentiality of the message contents, because signing does not encrypt the data; the message may still be readable to anyone. Signatures do detect tampering, verify the signer's identity, and assure the message origin, which are exactly what they are designed to provide.
- An IS auditor reviewing a digital-signature scheme learns it relies on a hash algorithm now considered weak and prone to collisions. The risk of a collision-prone hash in this context is that:
- Signatures will take longer to generate
- The certificate authority will stop issuing certificates
- Users will need longer passwords
- An attacker could craft a different document that produces the same hash, forging a valid-looking signature
Correct answer: An attacker could craft a different document that produces the same hash, forging a valid-looking signature
A collision-prone hash lets an attacker craft a different document that produces the same hash, so an existing signature would appear valid for the substituted document, undermining integrity. The concern is not signing speed, certificate issuance, or password length, which are unrelated to hash collisions.
- An IS auditor wants to confirm that an organization can both verify who sent an electronic contract and prove the sender cannot credibly deny sending it. The mechanism that best provides both is:
- Network address translation
- A shared team password
- A symmetric key known to both parties
- A digital signature using the sender's private key
Correct answer: A digital signature using the sender's private key
A digital signature created with the sender's private key both verifies the sender and supports non-repudiation, since only the sender holds that private key. Network address translation hides addresses, a shared password and a mutually known symmetric key cannot uniquely attribute an action to one signer.
- An IS auditor reviews a DLP program and finds it operates in three modes: data at rest, data in motion, and data in use. Scanning files stored on file servers and endpoints for sensitive content corresponds to DLP for:
- Data in motion
- Data in use
- Data in archive only
- Data at rest
Correct answer: Data at rest
Scanning stored files on servers and endpoints for sensitive content is DLP for data at rest. Data in motion covers content traversing the network, data in use covers content being actively handled at the endpoint, and data in archive is not a standard separate DLP mode.
- An IS auditor evaluating a newly deployed DLP system finds it generates so many false alerts that staff routinely ignore them. The most significant consequence of this excessive false-positive rate is that:
- Storage costs will rise sharply
- The DLP will encrypt files automatically
- Genuine data-leak events may be overlooked amid the noise
- Network bandwidth will be permanently exhausted
Correct answer: Genuine data-leak events may be overlooked amid the noise
When a DLP floods staff with false alerts, genuine data-leak events may be overlooked amid the noise, defeating the control's purpose, so tuning the rules is essential. The core problem is alert fatigue, not storage cost, automatic encryption, or permanent bandwidth exhaustion.
- An IS auditor reviewing endpoint DLP notes it can block copying sensitive files to USB drives. This capability is most important for controlling:
- The speed of the organization's internet connection
- The accuracy of the general ledger
- The risk of data exfiltration through removable media
- The uptime of the email server
Correct answer: The risk of data exfiltration through removable media
Blocking sensitive files from being copied to USB drives controls the risk of data exfiltration through removable media, a common leakage channel. It does not affect internet speed, ledger accuracy, or email server uptime, which are unrelated to endpoint media controls.
- An IS auditor reviewing an IAM program finds that access changes are made directly by administrators without any documented request or approval. The control most needed to address this is:
- A faster directory server
- More frequent password expiration only
- A larger help-desk team
- A formal access request, approval, and provisioning workflow
Correct answer: A formal access request, approval, and provisioning workflow
Access changes made without documented request or approval call for a formal access request, approval, and provisioning workflow so that entitlements are authorized and traceable. A faster server, more frequent password expiration, or a bigger help desk do not establish the authorization and accountability that is missing.
- An IS auditor reviews an IAM design and finds users accumulate entitlements as they change roles without losing old ones. This gradual buildup of unnecessary access is known as:
- Privilege creep
- Network latency
- Key rotation
- Load balancing
Correct answer: Privilege creep
The gradual accumulation of unnecessary entitlements as users change roles is privilege creep, which violates least privilege and is detected through periodic access reviews. Network latency, key rotation, and load balancing are unrelated technical and operational concepts.
- An IS auditor reviewing access management notes that an attribute-based access control model grants access by evaluating attributes such as department, location, and time of day. The principal advantage of attribute-based access control over simple role-based control is that it:
- Eliminates the need to authenticate users
- Enables more granular, context-aware access decisions
- Removes the need for any access logging
- Guarantees no user will ever be denied access
Correct answer: Enables more granular, context-aware access decisions
Attribute-based access control enables more granular, context-aware access decisions by evaluating multiple attributes rather than role alone. It does not remove the need to authenticate users or to log access, and it certainly does not guarantee that access is never denied.
- An IS auditor evaluating federated identity learns that a federation lets users authenticate with their home organization to access a partner's application. The standard exchanged between the identity provider and the service provider to convey authentication is most commonly based on:
- Raw plaintext passwords sent to the partner
- Security assertions such as SAML tokens
- Physical access badges
- Backup tape catalogs
Correct answer: Security assertions such as SAML tokens
Federated identity conveys authentication using security assertions such as SAML tokens, so the partner trusts the home organization's identity provider without receiving the user's password. It does not send raw plaintext passwords to the partner, and physical badges and tape catalogs are unrelated to federation.
- An IS auditor reviews a single sign-on implementation and recommends a way to limit damage if a user steps away from an authenticated workstation. The most relevant control is:
- Disabling all logging
- Sharing the SSO credentials with a backup user
- Removing multi-factor authentication to speed access
- Automatic session timeout and re-authentication after inactivity
Correct answer: Automatic session timeout and re-authentication after inactivity
Automatic session timeout and re-authentication after inactivity limit the exposure of an unattended authenticated session under single sign-on. Disabling logging, sharing credentials, and removing multi-factor authentication would each increase risk rather than contain it.
- An IS auditor distinguishes single sign-on from password synchronization. The defining characteristic of true single sign-on is that:
- The same password is copied to every system
- Each system keeps a separate, unrelated password
- Users must log in twice for added security
- After one authentication, the user obtains access to multiple systems without entering credentials again
Correct answer: After one authentication, the user obtains access to multiple systems without entering credentials again
True single sign-on means that after one authentication, the user obtains access to multiple systems without entering credentials again, typically through tokens. Copying the same password to every system is password synchronization, separate passwords is the absence of SSO, and requiring two logins is not SSO.
- An IS auditor reviewing the resilience of a single sign-on service notes that all application logins depend on it. To address the availability risk this concentration creates, the auditor would most expect:
- Storing the SSO database in plaintext
- A redundant, highly available SSO infrastructure with failover
- Disabling MFA on the SSO portal
- Letting each application bypass SSO without controls during outages
Correct answer: A redundant, highly available SSO infrastructure with failover
Because all logins depend on the SSO service, the availability risk is addressed with a redundant, highly available SSO infrastructure with failover so an outage does not block access everywhere. Plaintext storage, disabling MFA, and uncontrolled bypass would weaken security or fail to address availability properly.
- An IS auditor reviews an authentication design that sends a one-time numeric code by text message as a second factor. Compared with a hardware token or authenticator app, the recognized weakness of SMS-based codes is susceptibility to:
- SIM-swapping and interception attacks
- Excessive battery drain
- Slow screen refresh rates
- Loss of internet bandwidth
Correct answer: SIM-swapping and interception attacks
SMS-based one-time codes are recognized as weaker because they are susceptible to SIM-swapping and interception attacks that divert the code to an attacker. The concern is not battery drain, screen refresh, or bandwidth, which do not affect the security of the delivery channel.
- An IS auditor reviews a login that requires a smart-card token plus a fingerprint. The two factors here combine which categories of authentication evidence?
- Something you know and somewhere you are
- Something you have and something you are
- Something you know and something you have
- Something you are and something you do
Correct answer: Something you have and something you are
A smart-card token is something you have and a fingerprint is something you are, so this login combines those two factor categories. It does not involve a knowledge factor such as a password, nor a location factor, so the other combinations do not match.
- An IS auditor reviewing adaptive authentication learns the system steps up to an additional factor only when a login appears risky, such as a new device or unusual location. The primary benefit of this risk-based approach is that it:
- Removes the need for any authentication on trusted devices forever
- Guarantees no account can ever be compromised
- Eliminates the need to log authentication attempts
- Balances stronger assurance for risky logins with lower friction for routine ones
Correct answer: Balances stronger assurance for risky logins with lower friction for routine ones
Risk-based, adaptive authentication balances stronger assurance for risky logins with lower friction for routine ones by requesting extra factors only when warranted. It does not permanently exempt trusted devices, guarantee no compromise, or remove the need to log attempts.
- An IS auditor evaluating biometric authentication is told the system must be tuned so that the rate of wrongly accepted impostors and the rate of wrongly rejected legitimate users are equal. This balance point is called the:
- Recovery time objective
- Mean time between failures
- Crossover error rate
- Service level threshold
Correct answer: Crossover error rate
The point where the false acceptance rate and false rejection rate are equal is the crossover error rate, often used to compare biometric system accuracy. A recovery time objective, mean time between failures, and service level threshold are unrelated operational or recovery metrics.
- An IS auditor reviewing IDS placement finds a host-based intrusion detection sensor installed on a critical server. Compared with a network-based sensor, a host-based IDS is better positioned to detect:
- All traffic flowing between unrelated external networks
- Physical tampering with the building's doors
- The temperature of the data center
- Malicious changes to files and processes on that specific host, including within encrypted sessions terminating there
Correct answer: Malicious changes to files and processes on that specific host, including within encrypted sessions terminating there
A host-based IDS is better positioned to detect malicious changes to files and processes on its host, including activity inside sessions that terminate and are decrypted there. A network-based sensor watches traffic between hosts, while building access and data-center temperature are outside an IDS's scope.
- An IS auditor reviewing an intrusion prevention system in inline mode notes it can drop malicious packets. The trade-off an auditor would highlight for inline IPS is that:
- It can never block any traffic
- A false positive could block legitimate traffic, and an IPS failure could disrupt the network path
- It only works on encrypted traffic
- It removes the need for firewalls and access controls
Correct answer: A false positive could block legitimate traffic, and an IPS failure could disrupt the network path
Because an inline IPS sits in the traffic path and can drop packets, a false positive could block legitimate traffic and an IPS failure could disrupt the network path, so reliability and tuning matter. An IPS can block traffic, is not limited to encrypted traffic, and does not replace firewalls or access controls.
- An IS auditor finds that an organization's signature-based IDS missed a brand-new attack for which no signature existed yet. This undetected real attack is an example of a:
- False positive
- False negative
- True positive
- Benign anomaly
Correct answer: False negative
A real attack that the IDS fails to detect is a false negative, which is exactly the gap signature-based detection has against novel, signatureless attacks. A false positive flags benign activity as malicious, a true positive correctly detects an attack, and a benign anomaly is not an attack at all.
- An IS auditor reviewing detection capabilities notes the IDS must regularly receive updated signatures from the vendor. The primary reason these updates matter is that:
- They increase the server's clock speed
- They reduce the need for any network cabling
- They automatically encrypt all stored logs
- Without current signatures the IDS cannot recognize recently discovered threats
Correct answer: Without current signatures the IDS cannot recognize recently discovered threats
Without current signatures, a signature-based IDS cannot recognize recently discovered threats, so timely updates are essential to its effectiveness. The updates do not change clock speed, reduce cabling needs, or encrypt logs, which are unrelated to signature currency.
- An IS auditor reviews an application-layer firewall, sometimes called a proxy firewall. Compared with a basic packet filter, its distinguishing capability is that it can:
- Inspect the content and context of application-level protocols, not just packet headers
- Only examine the source IP address
- Operate without any rules
- Encrypt the data center's physical access logs
Correct answer: Inspect the content and context of application-level protocols, not just packet headers
An application-layer or proxy firewall can inspect the content and context of application-level protocols, giving deeper insight than a packet filter that only examines headers. It does more than read a source IP, still requires rules, and does not encrypt physical access logs.
- An IS auditor reviews a network design with two firewalls from different vendors placed in series around a screened subnet. The primary security rationale for using two different vendors' firewalls is to:
- Reduce the cost of firewall licensing
- Eliminate the need for any logging
- Avoid a single vendor vulnerability defeating both layers at once
- Increase the office Wi-Fi range
Correct answer: Avoid a single vendor vulnerability defeating both layers at once
Using two different vendors' firewalls in series helps avoid a single vendor vulnerability defeating both layers at once, strengthening defense in depth. It does not reduce licensing cost, remove the need for logging, or extend Wi-Fi range.
- An IS auditor reviews a next-generation firewall that integrates intrusion prevention, application awareness, and user identity into its policy decisions. Compared with a traditional port-and-protocol firewall, its key advantage is the ability to:
- Make access decisions only by physical port number
- Apply policy based on application, user, and threat context rather than ports alone
- Ignore all encrypted traffic by design
- Replace the organization's backups
Correct answer: Apply policy based on application, user, and threat context rather than ports alone
A next-generation firewall can apply policy based on application, user, and threat context rather than ports and protocols alone, enabling more precise control. It is not limited to physical port numbers, is not designed to ignore encrypted traffic, and does not perform backups.
- An IS auditor reviews a firewall change process and finds that rules are added on request but never reviewed or removed when no longer needed. The accumulation of obsolete rules over time creates the risk that:
- Stale, overly permissive rules may quietly leave unnecessary access open
- The firewall will run out of physical ports
- All traffic will be encrypted twice
- Users will be forced to use longer passwords
Correct answer: Stale, overly permissive rules may quietly leave unnecessary access open
Without periodic review and cleanup, stale, overly permissive rules may quietly leave unnecessary access open, expanding the attack surface, which is why rule recertification is recommended. The risk is not running out of physical ports, double encryption, or longer passwords.
- An IS auditor evaluating a honeypot considers the difference between a low-interaction and a high-interaction honeypot. A high-interaction honeypot:
- Provides a fuller, more realistic system that yields richer intelligence but carries greater risk if not contained
- Emulates only a few services and offers little for attackers to do
- Is identical to a production database
- Cannot be monitored by the security team
Correct answer: Provides a fuller, more realistic system that yields richer intelligence but carries greater risk if not contained
A high-interaction honeypot provides a fuller, more realistic system that yields richer intelligence on attacker behavior but carries greater risk if not properly contained. A low-interaction honeypot emulates only a few services, a honeypot is not a production database, and honeypots are specifically monitored.
- An IS auditor reviews the deployment of a network of multiple coordinated honeypots designed to study attacker behavior across a simulated environment. This larger arrangement is known as a:
- Subnet mask
- Demilitarized zone
- Certificate chain
- Honeynet
Correct answer: Honeynet
A network of multiple coordinated honeypots forming a simulated environment to study attackers is a honeynet. A subnet mask defines network ranges, a demilitarized zone isolates public-facing servers, and a certificate chain links certificates to a trusted root, none of which is a collection of decoys.
- An IS auditor is asked whether deploying a honeypot raises any legal or ethical considerations. The most relevant concern an auditor would raise is:
- Honeypots violate all data protection laws automatically
- Honeypots must store real customer data to be lawful
- Care is needed around entrapment, monitoring notices, and ensuring it is not used to attack others
- Honeypots require shutting down the production firewall
Correct answer: Care is needed around entrapment, monitoring notices, and ensuring it is not used to attack others
Honeypots raise legitimate concerns around entrapment, appropriate monitoring notices, and ensuring a compromised decoy is not used to attack third parties, so legal review is prudent. They do not automatically violate all data laws, do not require storing real customer data, and do not require disabling the production firewall.
- An attacker leaves infected USB drives in a company parking lot, hoping an employee will plug one in. This social engineering technique that exploits curiosity with a physical lure is called:
- A SYN flood
- Baiting
- Cross-site scripting
- Port scanning
Correct answer: Baiting
Leaving infected media as a lure that exploits curiosity is baiting, a form of social engineering. A SYN flood is a denial-of-service technique, cross-site scripting is a web application attack, and port scanning is reconnaissance, none of which depends on a physical curiosity lure.
- An executive receives a highly targeted, personalized fraudulent email crafted using details about their role and projects. This precise targeting of a high-value individual is best described as:
- Spear phishing or whaling
- A generic spam blast
- A denial-of-service attack
- A brute-force attack
Correct answer: Spear phishing or whaling
A highly targeted, personalized fraudulent email aimed at a specific high-value individual is spear phishing, and when it targets senior executives it is often called whaling. A generic spam blast is untargeted, while denial-of-service and brute-force attacks target systems and credentials rather than deceiving a specific person.
- An IS auditor reviews a web application attack in which an attacker injected a malicious script that ran in other users' browsers when they viewed a page. This attack is:
- Cross-site scripting
- A ping flood
- Shoulder surfing
- Dumpster diving
Correct answer: Cross-site scripting
Injecting a malicious script that executes in other users' browsers is cross-site scripting, a common web application attack. A ping flood is a denial-of-service technique, while shoulder surfing and dumpster diving are physical or observational reconnaissance methods rather than script injection.
- An IS auditor reviews an incident in which attackers held an organization hostage by encrypting its files and demanding payment. The malware category responsible is:
- A keylogger
- A network sniffer
- A vulnerability scanner
- Ransomware
Correct answer: Ransomware
Malware that encrypts files and demands payment for their release is ransomware, which primarily threatens availability and sometimes confidentiality. A keylogger captures keystrokes, a network sniffer captures traffic, and a vulnerability scanner identifies weaknesses, none of which extorts via encryption.
- An IS auditor reviews a penetration test report and sees the engagement was scoped as a 'gray-box' test. A gray-box test means the testers were given:
- No information at all about the target
- Full source code and complete internal documentation
- Partial knowledge, such as limited credentials or some architecture details
- Only the organization's marketing brochures
Correct answer: Partial knowledge, such as limited credentials or some architecture details
A gray-box test gives testers partial knowledge, such as limited credentials or some architecture details, simulating an insider or a partially informed attacker. Having no information is black-box, full source and documentation is white-box, and marketing brochures alone are not a defined testing scope.
- An IS auditor reviews the conclusion of a penetration test and emphasizes that the single most valuable deliverable from a remediation standpoint is the:
- List of testers' favorite tools
- Prioritized findings with risk ratings and recommended remediation
- Time the testers started each day
- Brand of laptop the testers used
Correct answer: Prioritized findings with risk ratings and recommended remediation
The most valuable deliverable for remediation is prioritized findings with risk ratings and recommended remediation, which lets the organization fix the most serious weaknesses first. The testers' tools, start times, and laptop brand do not help the organization improve its security posture.
- An IS auditor distinguishes a penetration test from a red-team exercise. A red-team engagement differs primarily in that it:
- Only scans for missing patches
- Is conducted entirely without any authorization
- Simulates a realistic, goal-oriented adversary over time, often testing detection and response as well as vulnerabilities
- Cannot include social engineering
Correct answer: Simulates a realistic, goal-oriented adversary over time, often testing detection and response as well as vulnerabilities
A red-team engagement simulates a realistic, goal-oriented adversary over time, testing the organization's detection and response capabilities in addition to technical vulnerabilities. It is broader than a patch scan, still requires authorization, and frequently includes social engineering.
- An IS auditor recommends that penetration testing be performed by parties independent of the system's developers and operators. The primary reason for this independence is to:
- Provide an objective assessment free from the blind spots and conflicts of those who built or run the system
- Reduce the cost of the engagement
- Guarantee that no findings are reported
- Ensure the test never touches production
Correct answer: Provide an objective assessment free from the blind spots and conflicts of those who built or run the system
Independence provides an objective assessment free from the blind spots and conflicts of those who built or run the system, increasing the credibility of findings. It is not primarily about cost, and independence neither suppresses findings nor dictates whether production is tested.
- An IS auditor reviewing incident response classification finds the team treats an 'event' and an 'incident' as the same thing. The correct distinction is that an incident is:
- Any observable occurrence in a system or network
- Only a scheduled maintenance window
- An event that adversely affects, or threatens to affect, the confidentiality, integrity, or availability of information assets
- A routine successful login
Correct answer: An event that adversely affects, or threatens to affect, the confidentiality, integrity, or availability of information assets
An incident is an event that adversely affects, or threatens to affect, the confidentiality, integrity, or availability of information assets, whereas an event is simply any observable occurrence. Maintenance windows and routine successful logins are ordinary events, not incidents.
- During incident response, the phase that follows containment and focuses on removing the threat, such as deleting malware and closing the exploited vulnerability, is:
- Preparation
- Detection
- Eradication
- Identification
Correct answer: Eradication
After containment, eradication removes the threat by deleting malware and closing the exploited vulnerability before normal operations are restored. Preparation precedes incidents, while detection and identification occur before containment, not after it.
- An IS auditor reviewing an organization's response to a breach involving regulated personal data confirms the plan addresses required breach notification. The reason notification provisions belong in the incident response plan is that:
- Notification improves server performance
- Notification is purely optional in all cases
- Laws and regulations may require timely notice to regulators and affected individuals, with penalties for failure
- Notification replaces the need to contain the incident
Correct answer: Laws and regulations may require timely notice to regulators and affected individuals, with penalties for failure
Breach notification belongs in the plan because laws and regulations may require timely notice to regulators and affected individuals, with penalties for failure to comply. Notification does not affect server performance, is not purely optional where the law applies, and does not replace containment activities.
- An IS auditor reviews incident response and recommends a periodic tabletop exercise. The primary purpose of a tabletop exercise is to:
- Permanently shut down production systems
- Encrypt the organization's backups
- Walk responders through a simulated scenario to validate roles, decisions, and gaps without disrupting live systems
- Replace the need for any written plan
Correct answer: Walk responders through a simulated scenario to validate roles, decisions, and gaps without disrupting live systems
A tabletop exercise walks responders through a simulated scenario to validate roles, decisions, and gaps without disrupting live systems, improving readiness. It does not shut down production, encrypt backups, or remove the need for a written plan, which the exercise is meant to test.
- An IS auditor reviews digital evidence handling and finds that an investigator analyzed the original seized device directly rather than a forensic copy. The most significant problem this creates is that:
- Working on the original risks altering it and could render the evidence inadmissible
- The analysis would run too slowly
- The device would use too much power
- The investigator would need a faster network
Correct answer: Working on the original risks altering it and could render the evidence inadmissible
Analyzing the original device risks altering it, which can render the evidence inadmissible and undermine the investigation, so a verified forensic copy should be used instead. The concern is evidentiary integrity, not analysis speed, power consumption, or network performance.
- An IS auditor reviewing forensic procedures notes that a write blocker is used when acquiring a suspect drive. The function of a write blocker is to:
- Speed up the copying process
- Prevent any data from being written to the source drive during acquisition, preserving its integrity
- Encrypt the resulting image automatically
- Compress the evidence to save space
Correct answer: Prevent any data from being written to the source drive during acquisition, preserving its integrity
A write blocker prevents any data from being written to the source drive during acquisition, preserving the original's integrity for evidentiary purposes. It is not primarily a speed, encryption, or compression tool, which serve different needs.
- An IS auditor reviewing an investigation finds that evidence was collected without documenting where it was stored and who accessed it afterward. The principal consequence is that:
- The evidence will be easier to analyze
- The investigation will finish faster
- Gaps in the chain of custody may make the evidence unreliable or inadmissible
- The evidence will automatically be encrypted
Correct answer: Gaps in the chain of custody may make the evidence unreliable or inadmissible
Undocumented storage and access create gaps in the chain of custody that may make the evidence unreliable or inadmissible in proceedings. Such gaps do not make analysis easier, speed the investigation, or encrypt anything.
- An IS auditor reviews cloud security responsibilities under an Infrastructure-as-a-Service model. Compared with Software-as-a-Service, under IaaS the customer typically retains responsibility for:
- The operating system, applications, and configuration running on the provisioned infrastructure
- The physical hardware in the provider's data center
- Nothing, because the provider secures everything
- Only the building's fire suppression system
Correct answer: The operating system, applications, and configuration running on the provisioned infrastructure
Under Infrastructure-as-a-Service, the customer typically retains responsibility for the operating system, applications, and configuration running on the provisioned infrastructure, while the provider secures the underlying hardware. The customer does not manage the provider's physical hardware or fire suppression, and security is shared rather than entirely the provider's.
- An IS auditor reviews a multi-tenant cloud platform and is concerned about one customer's data being exposed to another. The control most fundamental to preventing this is:
- Strong tenant isolation enforced by the provider's architecture
- Disabling all encryption between tenants
- Sharing one administrator account across tenants
- Storing all tenants' data in a single unsegmented table
Correct answer: Strong tenant isolation enforced by the provider's architecture
Preventing cross-tenant exposure depends most fundamentally on strong tenant isolation enforced by the provider's architecture. Disabling encryption, sharing an administrator account, or storing data unsegmented would each increase the risk of one tenant reaching another's data.
- An IS auditor reviewing virtualization security recommends that the hypervisor be hardened and tightly controlled. The reason the hypervisor warrants special attention is that:
- It is the only component that stores backups
- It manages the building's physical access
- It controls all the guest virtual machines, so its compromise can expose every guest
- It replaces the need for any network firewall
Correct answer: It controls all the guest virtual machines, so its compromise can expose every guest
The hypervisor controls all the guest virtual machines, so its compromise can expose every guest, making it a high-value target that must be hardened. It is not primarily a backup store, does not manage physical access, and does not replace network firewalls.
- An IS auditor reviews how an organization removes data when it stops using a cloud service. A specific cloud concern the auditor raises about data destruction is:
- The customer can always physically shred the provider's disks
- The customer must rely on the provider's deletion processes and may struggle to verify data is truly destroyed across all copies
- Cloud data deletes itself instantly with no provider involvement
- Deletion in the cloud is impossible under any circumstances
Correct answer: The customer must rely on the provider's deletion processes and may struggle to verify data is truly destroyed across all copies
In the cloud the customer must rely on the provider's deletion processes and may struggle to verify that data is truly destroyed across all replicated copies and backups. The customer cannot physically shred the provider's disks, data does not delete itself instantly, and deletion is possible but harder to verify.
- An IS auditor reviews how an organization measures the impact of its security awareness program. The most meaningful indicator of effectiveness the auditor would look for is:
- The number of slides in the training deck
- The font size used in the materials
- The length of the training video in minutes
- A measurable reduction in risky behaviors, such as lower click rates on simulated phishing over time
Correct answer: A measurable reduction in risky behaviors, such as lower click rates on simulated phishing over time
The most meaningful indicator is a measurable reduction in risky behaviors, such as lower click rates on simulated phishing over time, showing the program changes behavior. Slide counts, font sizes, and video length do not demonstrate effectiveness.
- An IS auditor finds that an organization's security policies exist but employees are unaware of them. The control that most directly bridges this gap is:
- A faster file server
- A security awareness and training program that communicates and reinforces policy expectations
- A larger firewall rule base
- More frequent password resets alone
Correct answer: A security awareness and training program that communicates and reinforces policy expectations
A security awareness and training program most directly bridges the gap by communicating and reinforcing policy expectations so employees understand and follow them. A faster server, a bigger rule base, or frequent resets do not address employees' lack of awareness.
- An IS auditor evaluates whether security awareness training meets compliance expectations and confirms that completion is tracked and records retained. The primary purpose of retaining these completion records is to:
- Improve the corporate network speed
- Replace the need for technical controls
- Provide evidence that required training was delivered and completed, supporting accountability and audits
- Encrypt the organization's email
Correct answer: Provide evidence that required training was delivered and completed, supporting accountability and audits
Retaining completion records provides evidence that required training was delivered and completed, supporting accountability and demonstrating compliance during audits. The records do not improve network speed, replace technical controls, or encrypt email.
- An IS auditor reviews a system that adds a unique random value to each password before hashing it so that identical passwords produce different stored hashes. This random value is called a:
- Salt
- Session token
- Subnet mask
- Certificate serial number
Correct answer: Salt
A unique random value added to each password before hashing is a salt, which defeats precomputed-hash and rainbow-table attacks by making identical passwords hash differently. A session token, subnet mask, and certificate serial number serve unrelated session, network, and PKI purposes.
- An IS auditor reviewing the protection of data in transit between two corporate sites over the internet would expect the connection to be secured with:
- A site-to-site virtual private network with encryption
- An unencrypted public file share
- A plaintext FTP transfer
- A broadcast to all internet hosts
Correct answer: A site-to-site virtual private network with encryption
Protecting data in transit between corporate sites over the internet is achieved with a site-to-site virtual private network that encrypts the traffic. An unencrypted file share, plaintext FTP, or a broadcast would expose the data rather than protect it.
- An IS auditor reviewing application security recommends parameterized queries and input validation to defend against a specific attack class. These controls primarily mitigate:
- Injection attacks such as SQL injection through malicious input
- Power outages in the data center
- Physical theft of laptops
- Slow disk performance
Correct answer: Injection attacks such as SQL injection through malicious input
Parameterized queries and input validation primarily mitigate injection attacks such as SQL injection by ensuring user input is treated as data rather than executable commands. They do not address power outages, physical theft, or disk performance.
- An IS auditor reviews logical access to a sensitive database and recommends that database administrators not also be able to alter the audit logs of their own actions. Enforcing this separation primarily protects:
- The availability of the network
- The speed of report generation
- The integrity and trustworthiness of the audit trail
- The brightness of the monitors
Correct answer: The integrity and trustworthiness of the audit trail
Preventing administrators from altering the logs of their own actions protects the integrity and trustworthiness of the audit trail, so logged activity can be relied upon. It does not concern network availability, report speed, or monitor brightness.
- An IS auditor reviews protection of sensitive data and finds the organization substitutes real credit card numbers with surrogate values that have no exploitable meaning outside the secure system that maps them back. This technique is:
- Load balancing
- Tokenization
- Defragmentation
- Compression
Correct answer: Tokenization
Substituting real values with meaningless surrogate values that only a secure system can map back is tokenization, which reduces the exposure of sensitive data in downstream systems. Load balancing, defragmentation, and compression address performance and storage, not data substitution.
- An IS auditor reviewing wireless security finds rogue access points connected to the corporate network by employees. The primary risk posed by an unauthorized rogue access point is that it:
- Creates an uncontrolled entry point that can bypass perimeter security controls
- Improves Wi-Fi coverage at no cost
- Automatically encrypts all corporate traffic
- Reduces the number of needed passwords
Correct answer: Creates an uncontrolled entry point that can bypass perimeter security controls
A rogue access point creates an uncontrolled entry point that can bypass perimeter security controls, exposing the internal network to unauthorized access. It is a security exposure, not a free coverage benefit, and it neither encrypts traffic nor reduces password needs.
- An IS auditor reviews how an organization confirms a downloaded file has not been corrupted or tampered with in transit by comparing a published checksum. This use of a hash provides assurance of:
- Confidentiality of the file
- Integrity of the file
- Availability of the download server
- The file's recovery time objective
Correct answer: Integrity of the file
Comparing a downloaded file's hash against a published checksum provides assurance of integrity, confirming the file matches the original and was not altered. Hashing does not provide confidentiality, server availability, or a recovery objective.
- An IS auditor reviews how an organization protects highly sensitive databases and finds that data is encrypted such that even database administrators cannot read the contents without separate authorization. The control providing this separation between data access and database administration is:
- Giving every DBA the encryption keys
- Database transparent or application-level encryption with key management held outside the DBA role
- Disabling encryption to simplify administration
- Storing the keys in the same table as the data
Correct answer: Database transparent or application-level encryption with key management held outside the DBA role
Encrypting the data with key management held outside the database administrator role separates data access from administration, so DBAs manage the system without reading sensitive contents. Handing DBAs the keys, disabling encryption, or storing keys beside the data would each defeat this separation.
- An IS auditor reviews an organization's protection against eavesdropping on internal network traffic and recommends encrypting traffic between internal servers. The risk this addresses is that an attacker who gains a foothold inside the network could otherwise:
- Improve the network's throughput
- Sniff unencrypted internal traffic and capture sensitive data in transit
- Lower the organization's electricity bill
- Speed up legitimate backups
Correct answer: Sniff unencrypted internal traffic and capture sensitive data in transit
Encrypting internal traffic addresses the risk that an attacker with an internal foothold could sniff unencrypted traffic and capture sensitive data in transit. It does not improve throughput, lower electricity costs, or speed backups.
- An IS auditor reviewing endpoint security recommends application allowlisting on critical workstations. The primary protective effect of allowlisting is that it:
- Allows only approved, known-good applications to execute, blocking unknown or unauthorized code
- Permits any software to run unless specifically blocked
- Encrypts the workstation's network traffic
- Increases the screen resolution
Correct answer: Allows only approved, known-good applications to execute, blocking unknown or unauthorized code
Application allowlisting permits only approved, known-good applications to execute, blocking unknown or unauthorized code such as malware. It is the opposite of allowing anything unless blocked, and it neither encrypts traffic nor changes screen resolution.
- An IS auditor reviews a forensic engagement and confirms investigators captured the contents of system memory before powering off a compromised server. The category of evidence they were preserving is:
- Volatile evidence
- Paper documentation
- Archived backup tapes
- Printed reports
Correct answer: Volatile evidence
The contents of system memory are volatile evidence that is lost when a system is powered off, so capturing it first preserves transient data. Paper documentation, archived tapes, and printed reports are non-volatile and are not lost by shutting down a system.
- An IS auditor reviews a network design and recommends placing a reverse proxy in front of internet-facing web servers. A security benefit of a reverse proxy is that it can:
- Expose the web servers' real internal addresses to the internet
- Hide the back-end servers and inspect or filter inbound requests before they reach the application
- Disable all logging of requests
- Replace the need for any authentication
Correct answer: Hide the back-end servers and inspect or filter inbound requests before they reach the application
A reverse proxy can hide the back-end servers and inspect or filter inbound requests before they reach the application, reducing direct exposure. It conceals rather than exposes internal addresses, does not disable logging, and does not replace authentication.
- An IS auditor reviews how an organization protects a private signing key used for code signing and confirms it is stored in a hardware security module requiring multiple authorized people to approve its use. Requiring multiple approvers for high-risk key operations is an example of:
- Anonymous access
- Default deny
- Single sign-on
- Dual control, or split knowledge
Correct answer: Dual control, or split knowledge
Requiring multiple authorized people to approve a high-risk key operation is dual control, or split knowledge, which prevents any single individual from misusing the key. Anonymous access, default deny, and single sign-on describe different access concepts.
- An IS auditor reviewing email security finds the organization has implemented controls so that recipients can verify a message genuinely came from the claimed sending domain and was not spoofed. The category of controls providing this is:
- Sender authentication frameworks such as SPF, DKIM, and DMARC
- Disk defragmentation
- Database indexing
- Screen savers
Correct answer: Sender authentication frameworks such as SPF, DKIM, and DMARC
Sender authentication frameworks such as SPF, DKIM, and DMARC let recipients verify that a message genuinely came from the claimed sending domain and was not spoofed, reducing phishing and spoofing. Defragmentation, indexing, and screen savers have nothing to do with email sender verification.
- An IS auditor reviews how an organization protects against an attacker intercepting and relaying communications between two parties who believe they are talking directly. This interception attack is a:
- Disk failure
- Capacity shortfall
- Scheduled backup
- Man-in-the-middle attack
Correct answer: Man-in-the-middle attack
An attacker intercepting and relaying communications between two parties who think they are talking directly is conducting a man-in-the-middle attack, which can be countered with strong mutual authentication and encryption. Disk failure, capacity shortfall, and scheduled backups are operational matters, not this interception attack.
- An IS auditor reviews certificate validation in a web application and finds the application accepts any certificate without checking its trust chain or revocation status. The risk this creates is that:
- An attacker presenting a fraudulent or revoked certificate could impersonate a trusted server
- The application will run too fast
- Users will need to remember more passwords
- The server will consume less power
Correct answer: An attacker presenting a fraudulent or revoked certificate could impersonate a trusted server
Accepting any certificate without validating its trust chain or revocation status lets an attacker present a fraudulent or revoked certificate to impersonate a trusted server, enabling interception. The flaw does not speed the application, change password needs, or reduce power use.
- An IS auditor reviewing security monitoring recommends that alerts from the intrusion detection system, firewalls, and endpoint tools be centrally correlated to spot multi-step attacks. The most relevant capability for this correlation is:
- Increasing the office printer count
- Disabling endpoint logging
- Centralized log correlation and analysis across multiple security sources
- Reducing the number of monitored systems
Correct answer: Centralized log correlation and analysis across multiple security sources
Spotting multi-step attacks across tools relies on centralized log correlation and analysis across multiple security sources, which connects related events into a coherent picture. Adding printers, disabling endpoint logging, or monitoring fewer systems would reduce, not improve, detection.
- An IS auditor reviews a DLP policy and finds it relies on accurate identification of which data is sensitive. The DLP technique that detects sensitive content by matching defined patterns such as government ID or card-number formats is:
- Random sampling of email subject lines only
- Counting the number of attachments
- Measuring the size of each message
- Pattern matching using regular expressions or predefined identifiers
Correct answer: Pattern matching using regular expressions or predefined identifiers
Detecting sensitive content by matching defined patterns such as ID or card-number formats is pattern matching using regular expressions or predefined identifiers, a core DLP detection method. Sampling subject lines, counting attachments, or measuring message size do not reliably identify sensitive content.
- An IS auditor reviews protection against malware on user endpoints and recommends keeping anti-malware definitions and the operating system current. From a Domain 5 protection standpoint, the principal value of timely endpoint updates is to:
- Improve the desktop wallpaper
- Increase the size of the hard drive
- Make the keyboard respond faster
- Close known vulnerabilities and recognize current malware before attackers exploit them
Correct answer: Close known vulnerabilities and recognize current malware before attackers exploit them
Keeping endpoint defenses and the operating system current closes known vulnerabilities and lets tools recognize current malware before attackers exploit them. It does not change wallpaper, expand the drive, or speed the keyboard.
- An IS auditor reviews how an organization verifies the integrity of critical system files over time and finds a tool that alerts when monitored files are unexpectedly modified. This control is best described as:
- Load balancing
- File integrity monitoring
- Capacity planning
- Data compression
Correct answer: File integrity monitoring
A tool that alerts when monitored critical files are unexpectedly modified is file integrity monitoring, which supports the integrity objective and helps detect tampering. Load balancing, capacity planning, and data compression address performance and storage rather than detecting unauthorized changes.
- An IS auditor reviewing a security operations team's response to alerts finds there is no defined process for escalating confirmed incidents to management and legal counsel. The most significant risk of this gap is that:
- Alerts will be encrypted automatically
- Serious incidents may not receive timely decisions, resources, or required notifications
- The network will gain bandwidth
- Passwords will become longer
Correct answer: Serious incidents may not receive timely decisions, resources, or required notifications
Without a defined escalation process, serious incidents may not receive timely decisions, resources, or required notifications, slowing the response and increasing harm. The gap does not encrypt alerts, add bandwidth, or change password length.
- An IS auditor reviews how a sender can guarantee both confidentiality and proof of origin for a single message. The combined approach is to:
- Send the message in plaintext with no protection
- Sign the message with the sender's private key and encrypt it with the recipient's public key
- Use the same shared password for everyone
- Rely only on network address translation
Correct answer: Sign the message with the sender's private key and encrypt it with the recipient's public key
Combining confidentiality with proof of origin is achieved by signing the message with the sender's private key and encrypting it with the recipient's public key, so only the recipient can read it and the origin is verifiable. Plaintext, a shared password, or network address translation provide neither property reliably.
- An IS auditor reviews data classification as the foundation for protecting information assets and confirms each data set is labeled by sensitivity. From a Domain 5 protection perspective, the principal benefit of accurate classification labels is that they:
- Drive the appropriate level of protective controls, such as encryption and access restrictions, for each sensitivity level
- Make the data load faster
- Reduce the number of servers needed
- Eliminate the need for backups
Correct answer: Drive the appropriate level of protective controls, such as encryption and access restrictions, for each sensitivity level
Accurate sensitivity labels drive the appropriate level of protective controls, such as encryption and access restrictions, so the most sensitive data receives the strongest protection. Classification does not speed data loading, reduce server counts, or remove the need for backups.
- An IS auditor reviews how an organization protects message integrity using a keyed hash so that only parties sharing the secret key can both generate and verify the value. This keyed integrity mechanism is a:
- Demilitarized zone
- Recovery point objective
- Load balancer
- Message authentication code
Correct answer: Message authentication code
A keyed hash that only parties sharing the secret key can generate and verify is a message authentication code, which provides both integrity and authenticity of a message. A demilitarized zone, recovery point objective, and load balancer address network segmentation, recovery, and traffic distribution instead.
- An IS auditor reviews an organization's handling of a confirmed data breach and finds responders preserved logs and forensic images before remediation. Preserving this evidence before cleanup is important primarily because it:
- Makes the remediation slower for no reason
- Guarantees the breach will not recur
- Automatically restores all encrypted data
- Supports root-cause analysis, potential legal action, and required reporting that depend on intact evidence
Correct answer: Supports root-cause analysis, potential legal action, and required reporting that depend on intact evidence
Preserving logs and forensic images before remediation supports root-cause analysis, potential legal action, and required reporting that all depend on intact evidence, which cleanup could destroy. It is not a needless delay, does not guarantee non-recurrence, and does not restore data on its own.
- An IS auditor reviews an organization's approach to confirming user identity for high-risk transactions, such as large fund transfers, by requiring an extra verification step beyond the initial login. This pattern of re-verifying identity for sensitive actions is called:
- Anonymous browsing
- Single-factor login
- Open access
- Step-up authentication
Correct answer: Step-up authentication
Requiring an extra verification step for high-risk actions beyond the initial login is step-up authentication, which raises assurance only where the risk warrants it. Anonymous browsing, single-factor login, and open access provide less assurance, not more, for sensitive transactions.
- An IS auditor reviews how an organization protects data integrity in a sensitive transaction log and confirms each new entry is cryptographically linked to the previous one so any tampering with an earlier record is detectable. This integrity technique is best described as:
- Load balancing of log writes
- Compression of the log file
- Hash chaining of log entries
- Random shuffling of records
Correct answer: Hash chaining of log entries
Cryptographically linking each log entry to the previous one so tampering becomes detectable is hash chaining, which strengthens the integrity and tamper-evidence of the log. Load balancing, compression, and random shuffling address performance or storage rather than tamper detection.
- An IS auditor reviews how an organization confirms that a remediated vulnerability has actually been fixed after a penetration test reported it. The appropriate follow-up activity is to:
- Assume the fix worked because it was scheduled
- Perform retesting or validation of the remediated items to confirm the weakness is resolved
- Delete the original test report
- Disable the affected system permanently
Correct answer: Perform retesting or validation of the remediated items to confirm the weakness is resolved
Confirming a reported weakness is truly fixed requires retesting or validation of the remediated items rather than assuming the fix worked. Assuming success because it was scheduled, deleting the report, or permanently disabling the system are not appropriate ways to verify remediation.