
ISACA CISA v2021-04-28 q260


ISACA.CISA.v2021-04-28.q260
Exam Code: CISA
Exam Name: Certified Information Systems Auditor
Certification Provider: ISACA
Free Question Number: 260
Version: v2021-04-28
https://www.freecram.com/torrent/ISACA.CISA.v2021-04-28.q260.html

NEW QUESTION: 1
When reviewing capacity monitoring, an IS auditor notices several incidents where storage
capacity limits were reached, while the average utilization was below 30%. Which of the
following is MOST likely the root cause?
A. The storage space should have been enlarged in time
B. The dynamics of the utilization were not properly taken into account.
C. Storage input and output requirements were not identified.
D. Load balancers were configured incorrectly.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 2
An organization has outsourced its data leakage monitoring to an Internet service provider
(ISP). Which of the following is the BEST way for an IS auditor to determine the
effectiveness of this service?
A. Simulate a data leakage incident.
B. Verify the ISP has staff to deal with data leakage.
C. Review the data leakage clause in the SLA.
D. Review the ISP's external audit report
Answer: A (LEAVE A REPLY)

NEW QUESTION: 3
Which of the following access rights in the production environment should be granted to a
developer to maintain segregation of duties?
A. System administration
B. IT operations
C. Database administration
D. Emergency support
Answer: D (LEAVE A REPLY)

NEW QUESTION: 4
An internal audit has revealed a large number of incidents for which root cause analysis
has not been performed. Which of the following is MOST important for the IS auditor to
verify to determine whether there is an audit issue?
A. Cost of resolving the incidents
B. Severity level of the incidents
C. Frequency of the incidents
D. Time required to resolve the incidents
Answer: B (LEAVE A REPLY)

NEW QUESTION: 5
Which of the following cloud computing models should an organization adopt if faced with
challenges in capacity planning and software maintenance?
A. Hybrid cloud model
B. Infrastructure as a Service (IaaS)
C. Service-oriented architecture
D. Platform as a Service (PaaS)
Answer: D (LEAVE A REPLY)

NEW QUESTION: 6
During a project meeting for the implementation of an enterprise resource planning (ERP)
system, a new requirement is requested by the finance department. Which of the following would
BEST indicate to an IS auditor that the resulting risk to the project has been assessed?
A. The approval of the change by the finance department.
B. The project status as reported in the meeting minutes
C. The updated business requirements.
D. The analysis of the cost and time impact of the requirement
Answer: (SHOW ANSWER)

NEW QUESTION: 7
A region where an organization conducts business has announced changes in privacy
legislation. Which of the following should an IS auditor do FIRST to prepare for the
changes?
A. Communicate the changes in privacy legislation to the legal department.
B. Perform a gap analysis with current privacy procedures.
C. Design compensating controls to be in compliance with new privacy legislation.
D. Provide suggested updates to the organization's privacy procedures.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 8
An organization recently implemented a cloud document storage solution and removed the
ability for end users to save data to their local workstation hard drives. Which of the
following findings should be the IS auditor's GREATEST concern?
A. The business continuity plan (BCP) was not updated.
B. Users have not been trained on the new system.
C. Mobile devices are not encrypted.
D. Users are not required to sign updated acceptable
Answer: (SHOW ANSWER)

NEW QUESTION: 9
An IS auditor discovered abnormalities in a monthly report generated from a system
upgraded six months ago.
Which of the following should be the auditor's FIRST course of action?
A. Determine the impact of abnormalities in the report
B. Perform a change management review of the system
C. Inspect source code for proof of abnormalities.
D. Schedule an access review of the system.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 10
The drives of a file server are backed up at a hot site. Which of the following is the BEST
way to duplicate the files stored on the server for forensic analysis?
A. Capture a bit-by-bit image of the file server's drives.
B. Create a logical copy of the file server's drives.
C. Run forensic analysis software on the backup drive.
D. Replicate the server's volatile data to another drive.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 11
An IS auditor observes that a bank's web page address is prefixed "https://". The auditor
would be correct to conclude that:
A. transactions are encrypted.
B. the customer is connected to the bank's intranet.
C. the bank has established a virtual private network (VPN).
D. the bank has a restricted Internet protocol (IP) address.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 12
What is the PRIMARY objective of implementing data classification?
A. Create awareness among users.
B. Establish appropriate encryption methods.
C. Establish appropriate data protection methods.
D. Employ data leakage prevention tools.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 13
When reviewing a database supported by a third-party service provider, an IS auditor
found minor control deficiencies. The auditor should FIRST
A. organization's chief information officer (CIO)
B. service provider contract liaison
C. service provider support team manager
D. organization's service level manager
Answer: (SHOW ANSWER)

NEW QUESTION: 14
An IS auditor is reviewing the upgrading of an operating system. Which of the following
would be the GREATEST audit concern?
A. The lack of change control
B. The lack of activity logging
C. The lack of malware protection
D. The lack of release notes
Answer: A (LEAVE A REPLY)

NEW QUESTION: 15
When developing a business continuity plan (BCP), which of the following should be
performed FIRST?
A. Classify operations.
B. Establish a disaster recovery plan (DRP)
C. Develop business continuity training.
D. Conduct a business impact analysis (BIA)
Answer: D (LEAVE A REPLY)

NEW QUESTION: 16
Which of the following are the PRIMARY considerations when determining the timing of
remediation testing?
A. The significance of the reported findings and the impact if corrective actions are not
taken
B. The difficulty of scheduling resources and availability of management for a follow-up
engagement
C. The availability and competencies of control owners for implementing the agreed action
plans
D. The level of management and business commitment to implementing agreed action
plans
Answer: (SHOW ANSWER)

Valid CISA Dumps shared by Fast2test.com for Helping Passing CISA Exam!
Fast2test.com now offer the newest CISA exam dumps, the Fast2test.com CISA exam
questions have been updated and answers have been corrected get the newest
Fast2test.com CISA dumps with Test Engine here: https://www.fast2test.com/CISA-
practice-test.html (575 Q&As Dumps, 40%OFF Special Discount: freecram)

NEW QUESTION: 17
During the course of an audit, an IS auditor's organizational independence is impaired. The
IS auditor should FIRST
A. inform audit management of the situation.
B. obtain the auditee's approval before continuing the audit.
C. inform senior management in writing and proceed with the audit
D. proceed with the audit as planned after documenting the incident.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 18
Which of the following controls would BEST enable IT management to detect shadow IT
within the organization?
A. Enterprise data on mobile devices is encrypted
B. Proxy restrictions are in place
C. Help desk calls and incidents are reviewed
D. Unauthorized network and email traffic is restricted
Answer: (SHOW ANSWER)

NEW QUESTION: 19
An IS auditor is preparing a data set for a data analytics project. The data will be used to
benchmark a new computer-assisted audit technique (CAAT) tool being developed. Which
of the following will help to ensure the data cannot be identified?
A. Data redaction
B. Anonymization
C. Encryption
D. Data masking
Answer: B (LEAVE A REPLY)

NEW QUESTION: 20
Two servers are deployed in a cluster to run a mission-critical application. To determine
whether the system has been designed for optimal efficiency, the IS auditor should verify
that:
A. the two servers are of exactly the same configuration
B. load balancing between the servers has been implemented
C. the number of disks in the cluster meets minimum requirements
D. the security features in the operating system are all enabled
Answer: B (LEAVE A REPLY)

NEW QUESTION: 21
As part of a quality assurance initiative, an organization has engaged an external auditor to
evaluate the internal IS audit function. Which of the following observations should be of
MOST concern?
A. Audit reports do not state they are conducted in accordance with industry standards.
B. Audit engagements are not risk-based.
C. Audit reports are not approved by the audit committee.
D. The audit team is not sufficiently leveraging data analytics.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 22
An IS auditor is conducting a pre-implementation review to determine a new system's
production readiness.
The auditor's PRIMARY concern should be whether:
A. there are unresolved high-risk items
B. benefits realization has been evidenced
C. users were involved in the quality assurance (QA) testing.
D. the project adhered to the budget and target date.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 23
Which of the following could be used to evaluate the effectiveness of IT operations?
A. Balanced scorecard
B. Net present value
C. Total cost of ownership
D. Internal rate of return
Answer: (SHOW ANSWER)

NEW QUESTION: 24
With a properly implemented public key infrastructure (PKI) In use, person A wishes to
ensure that an outgoing message can be read only by person B. To achieve this, the
message should be encrypted using which of the following?
A. Person A's public key
B. Person B's private key
C. Person B's public key
D. Person A's private key
Answer: C (LEAVE A REPLY)

NEW QUESTION: 25
Which of the following roles is ULTIMATELY accountable for the protection of an
organization's information?
A. The data owner
B. The chief information security officer (CISO)
C. The board of directors
D. The chief information officer (CIO)
Answer: C (LEAVE A REPLY)

NEW QUESTION: 26
Which of the following is the safest means of transmitting confidential information over the
Internet?
A. Use asymmetric encryption and encrypt the data with a private key.
B. Establish a virtual private network (VPN) between the source and the destination.
C. Send the data to a trusted third party to resend to the destination.
D. Break the data into many packets and send it over different routes.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 27
During an audit of a mission-critical system hosted in an outsourced data center, an IS
auditor discovers that contracted routine maintenance for the alternate power generator
was not performed. Which of the following should be the auditor's MAIN concern?
A. Loss of warranty due to lack of system maintenance
B. Fraudulent behavior by the outsourcer charging for work not performed
C. Failure of the alternate power generator during a power outage
D. High repair costs if faulty generator parts are not detected in a timely manner
Answer: C (LEAVE A REPLY)

NEW QUESTION: 28
Which of the following would be MOST important for an IS auditor to review when
identifying Key IT risk areas to include in an IS audit scope?
A. External audit reports
B. IT risk management processes
C. Control self-assessments (CSAs)
D. The IT risk register
Answer: D (LEAVE A REPLY)

NEW QUESTION: 29
Which of the following BEST ensures IT incident and problem management practices will
meet expected service level agreements (SLAs)?
A. Creating records of known errors and documenting procedures for workarounds
B. Defining problem impact and urgency levels through consultation with the business
C. Obtaining regular progress reports from IT change management on problem resolution
D. Incorporating lessons learned into problem resolution review meetings
Answer: B (LEAVE A REPLY)

NEW QUESTION: 30
When determining whether a project in the design phase will meet organizational
objectives, what is BEST to compare against the business case?
A. Project plan
B. Project budget provisions
C. Implementation plan
D. Requirements analysis
Answer: (SHOW ANSWER)

NEW QUESTION: 31
An IS auditor is reviewing the process followed in identifying and prioritizing the critical
business processes.
This process is part of the:
A. balanced scorecard.
B. enterprise risk management plan.
C. business impact analysis (BIA).
D. operations component of the business continuity plan (BCP).
Answer: C (LEAVE A REPLY)


NEW QUESTION: 32
Which of the following would BEST detect that a distributed-denial-of-service attack
(DDoS) is occurring?
A. Penetration testing
B. Customer service complaints
C. Automated monitoring of logs
D. Server crashes
Answer: C (LEAVE A REPLY)
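
Customer complaints tell you an attack has already succeeded; what actually detects a DDoS while it is happening is automated monitoring of traffic or server logs for a request rate that is both far above baseline and spread across many sources. The script below is an added example, not code from the dump or from any vendor: the log lines are constructed in Apache combined format, and the window length, rate threshold and source-count threshold are assumptions that would be tuned against real baseline traffic.

```python
"""Detect a distributed flood from web server logs with a sliding window (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse(line):
    """Return (timestamp, source_ip) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def detect(lines, window_s=10, max_rps=50, min_sources=20):
    """Sliding window over the log. Alert when the aggregate rate exceeds max_rps AND the
    traffic comes from at least min_sources distinct IPs, which is what separates a DDoS
    from a single misbehaving client. Returns [(window_end, requests, distinct_sources)]."""
    events = sorted(e for e in map(parse, lines) if e)
    window = deque()                      # (ts, ip) pairs inside the current window
    per_ip = defaultdict(int)             # request count per ip inside the window
    alerts, in_alert = [], False
    for ts, ip in events:
        window.append((ts, ip))
        per_ip[ip] += 1
        while (ts - window[0][0]).total_seconds() > window_s:   # expire old events
            _, old_ip = window.popleft()
            per_ip[old_ip] -= 1
            if per_ip[old_ip] == 0:
                del per_ip[old_ip]
        flooding = len(window) / window_s > max_rps and len(per_ip) >= min_sources
        if flooding and not in_alert:     # one alert per episode, not per request
            alerts.append((ts, len(window), len(per_ip)))
        in_alert = flooding
    return alerts


def sample_log(distributed=True):
    """Constructed lines: 60 s of normal traffic from three clients, then a 5 s burst of
    800 requests, either from 160 sources (a DDoS) or from a single source (not a DDoS)."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def entry(t, ip):
        stamp = t.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    lines = [entry(base + timedelta(seconds=s), ip)
             for s in range(60) for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7")]
    for s in range(60, 65):
        for i in range(160):
            src = f"203.0.113.{i + 1}" if distributed else "198.51.100.9"
            lines.append(entry(base + timedelta(seconds=s), src))
    return lines


if __name__ == "__main__":
    for label, flag in (("distributed burst", True), ("single-source burst", False)):
        print(label, detect(sample_log(flag)))
```

The single-source burst deliberately produces no DDoS alert: it is a hot client or an application bug, handled by a per-IP threshold, and mixing the two cases into one rule is how teams end up with noisy alerts that get ignored.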

NEW QUESTION: 33
Which of the following BEST indicates to an IS auditor that an IT-related project will deliver
value to the organization?
A. The project will use existing infrastructure to deliver services.
B. Competitors are considering similar IT-based solutions.
C. The cost of the project is within the organization's risk appetite.
D. Requirements are based on stakeholder expectations.
Answer: (SHOW ANSWER)

NEW QUESTION: 34
In a database management system (DBMS) normalization is used to:
A. standardize data names
B. reduce access time
C. reduce data redundancy
D. eliminate processing deadlocks
Answer: C (LEAVE A REPLY)

NEW QUESTION: 35
Which of the following audit procedures would provide the BEST assurance that an
application program is functioning as designed?
A. Interviewing business management
B. Confirming accounts
C. Using a continuous auditing module
D. Reviewing program documentation
Answer: (SHOW ANSWER)

NEW QUESTION: 36
Which of the following will enable a customer to authenticate an online Internet vendor?
A. Customer verifies the vendor is certified by a certificate authority (CA).
B. Vendor decrypts incoming orders using its own private key.
C. Customer encrypts an order using the vendor's public key.
D. Vendor signs a reply using a hash function and the customer's public key.
Answer: (SHOW ANSWER)
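
Questions 24 and 36 both turn on key direction: encrypt with the recipient's public key so only the recipient's private key can decrypt, sign with your own private key, and trust a vendor's public key only because a certificate authority has signed it. The script below is an added example, not part of the dump or of any ISACA material; it uses textbook RSA with fixed Mersenne primes and no padding, which is enough to show who can decrypt or verify what but must never be used for real traffic, and the key parameters, message, challenge and names are constructed for the demonstration.

```python
"""Key direction in a PKI: toy RSA, for illustration only (no padding, fixed primes)."""
import hashlib

# Constructed toy key material: products of known Mersenne primes avoid a primality test.
# Real keys use random primes of ~1024 bits each; these are NOT secure parameters.
MERSENNE = {k: 2**k - 1 for k in (61, 89, 107, 127, 521, 607)}
E = 65537


def keypair(p, q, e=E):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, message: bytes) -> int:
    """Anyone can do this with the RECIPIENT's public key."""
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    """Only the holder of the matching private key recovers the message."""
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Signing uses the SIGNER's private key over a hash of the data."""
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


def key_bytes(public) -> bytes:
    """Canonical encoding of a public key, which is what a CA certifies."""
    return f"{public[0]}:{public[1]}".encode()


def demo():
    a_pub, a_priv = keypair(MERSENNE[61], MERSENNE[89])      # person A
    b_pub, b_priv = keypair(MERSENNE[107], MERSENNE[127])    # person B, also the vendor
    ca_pub, ca_priv = keypair(MERSENNE[521], MERSENNE[607])  # certificate authority
    message = b"Transfer 100 to account 42"                  # constructed sample

    # Question 24: A encrypts for B with B's public key; only B's private key decrypts.
    ct = encrypt(b_pub, message)
    results = {
        "b_private_decrypts": decrypt(b_priv, ct) == message,
        "a_private_fails": decrypt(a_priv, ct) != message,
    }

    # Question 36: the customer trusts the vendor's key because the CA signed it,
    # and the vendor proves possession of that key by signing a fresh challenge.
    cert = sign(ca_priv, key_bytes(b_pub))
    challenge = b"nonce-20210428"
    results["vendor_cert_valid"] = verify(ca_pub, key_bytes(b_pub), cert)
    results["cert_rejected_for_other_key"] = not verify(ca_pub, key_bytes(a_pub), cert)
    results["vendor_proves_possession"] = verify(b_pub, challenge, sign(b_priv, challenge))
    results["impostor_fails_challenge"] = not verify(b_pub, challenge, sign(a_priv, challenge))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:32s} {'PASS' if ok else 'FAIL'}")
```

Note that option D in question 36 (signing with the customer's public key) is not a signature at all: anything computed with a public key can be produced by anyone, so it proves nothing about the vendor.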

NEW QUESTION: 37
Which of the following is the PRIMARY objective of the IS audit function?
A. Facilitate extraction of computer-based data for substantive testing.
B. Certify the accuracy of financial data
C. Report to management on the functioning of internal controls.
D. Perform reviews based on standards developed by professional organizations
Answer: C (LEAVE A REPLY)

NEW QUESTION: 38
Which of the following is the BEST indication of the completeness of interface control
documents used for the development of a new application?
A. All inputs and outputs for potential actions are included.
B. Both successful and failed interface data transfers are recorded.
C. Failed interface data transfers prevent subsequent processes.
D. All documents have been reviewed by end users.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 39
Which of the following is the MOST important factor when an organization is developing
information security policies and procedures?
A. Consultation with management
B. Cross-references between policies and procedures
C. Compliance with relevant regulations
D. Inclusion of mission and objectives
Answer: (SHOW ANSWER)

NEW QUESTION: 40
Which of the following should be reviewed FIRST when planning an IS audit?
A. Annual business unit budget
B. IS audit standards
C. The business environment
D. Recent financial information
Answer: C (LEAVE A REPLY)

NEW QUESTION: 41
During a "clean desk" audit, a USB flash drive labeled "confidential" was found on the desk
of a terminated employee. Which of the following would be the BEST way to safely review
its contents?
A. Disable autorun on the PC used to plug in the flash drive
B. Scan the USB flash drive with anti-virus software
C. Access the USB flash drive in an offline sandbox environment
D. Copy the files to a secure USB flash drive
Answer: (SHOW ANSWER)

NEW QUESTION: 42
When responding to an ongoing denial of service (DoS) attack, an organization's FIRST
course of action should be to
A. minimize impact
B. investigate damage
C. analyze the attack path
D. restore service
Answer: (SHOW ANSWER)

NEW QUESTION: 43
Which of the following would be of GREATEST concern to an IS auditor reviewing a critical
spreadsheet during a financial audit?
A. Periodic access reviews are manually performed.
B. A copy of the current validated file is not available.
C. Changes to the file are not always documented.
D. Access requests are manually processed.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 44
During an audit of the organization's data privacy policy, the IS auditor identified that only
some IT application databases have encryption in place. What should be the auditor's
FIRST action?
A. Determine whether compensating controls are in place
B. Review the most recent database penetration testing results.
C. Review a comprehensive list of databases with the information they contain.
D. Assess the resources required to implement encryption to unencrypted databases.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 45
When an organization is having new software implemented under contract, which of the
following is key to controlling escalating costs due to scope creep?
A. Change management
B. Risk management
C. Quality management
D. Problem management
Answer: A (LEAVE A REPLY)

NEW QUESTION: 46
An IS auditor notes that several of a client's servers are vulnerable to attack due to open
unused ports and protocols. The auditor recommends management implement minimum
security requirements. Which type of control has been recommended?
A. Preventive
B. Compensating
C. Directive
D. Corrective
Answer: (SHOW ANSWER)


NEW QUESTION: 47
Which of the following threats is MOST effectively controlled by a firewall?
A. Network congestion
B. Password cracking
C. Network sniffing
D. Denial of service (DoS) attack
Answer: D (LEAVE A REPLY)

NEW QUESTION: 48
The BEST data backup strategy for mobile users is to:
A. have them regularly go to branch offices to perform backups.
B. have them regularly back up data directories onto CD and courier the backups to the
head office.
C. synchronize data directories automatically over the network.
D. mirror all data to a portable storage device.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 49
Which of the following should an IS auditor recommend to facilitate the management of
baseline requirements for hardening of firewalls?
A. Configuration management
B. Capacity management
C. Patch management
D. Release management
Answer: (SHOW ANSWER)

NEW QUESTION: 50
Which of the following is a prerequisite to help ensure that IS hardware and software
support the delivery of mission-critical functions?
A. Documented emergency change procedures
B. Control over IS infrastructure expenditure
C. An independent audit of the process
D. A comprehensive IS applications architecture
Answer: D (LEAVE A REPLY)

NEW QUESTION: 51
When assessing a business case as part of a post-implementation review, the IS auditor
MUST ensure that the:
A. business case has not been amended since project approval.
B. amendments to the business case have been approved.
C. feasibility of alternative project approaches has been assessed.
D. quality assurance measures have been applied throughout the project
Answer: B (LEAVE A REPLY)

NEW QUESTION: 52
Which of the following is the BEST way to transmit documents classified as confidential
over the Internet?
A. Sending documents as multiple packets over different network routes
B. Using a virtual private network (VPN)
C. Hashing the document contents and destroying the hash value
D. Converting documents to proprietary format before transmission
Answer: B (LEAVE A REPLY)

NEW QUESTION: 53
Which of the following would help to ensure the completeness of batch file transfers?
A. Input controls
B. Hash totals
C. Self-checking digits
D. Parity check
Answer: B (LEAVE A REPLY)

NEW QUESTION: 54
Which of the following is the BEST audit procedure to determine whether a firewall is
configured in compliance with the organization's security policy?
A. Reviewing the system log
B. Reviewing the actual procedures
C. Interviewing the firewall administrator
D. Reviewing the parameter settings
Answer: D (LEAVE A REPLY)
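
Questions 46, 49 and 54 come back to one practice: a documented hardening baseline for the firewall, kept under configuration management, and an audit that compares the actual parameter settings against it rather than relying on written procedures or the administrator's description. The script below is an added example and not from the dump; the rule-set syntax, the baseline values and the addresses are constructed for the demonstration, and a real review would parse the vendor's exported configuration instead.

```python
"""Check a firewall rule set against a hardening baseline (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed baseline, standing in for the organization's firewall hardening standard.
BASELINE = {
    "default": "deny",
    "internet_allowed_ports": {"443"},            # the only service the Internet may reach
    "forbidden_ports": {"21", "23", "445"},       # cleartext/legacy services never allowed
    "mgmt_net": "10.0.9.0/24",                    # management access only from here
    "mgmt_ports": {"22", "3389"},
}

# Constructed rule set in a deliberately simple text format:
#   default <allow|deny>
#   <allow|deny> <proto|any> <src cidr> <dst cidr> <port|any>
RULESET = """
default allow                                   # baseline requires deny
allow tcp 0.0.0.0/0     10.0.1.10/32  443       # public web server, fine
allow tcp 0.0.0.0/0     10.0.1.10/32  23        # telnet left open
allow tcp 0.0.0.0/0     10.0.1.20/32  22        # ssh from anywhere
allow tcp 10.0.9.0/24   10.0.1.0/24   22        # ssh from the management network, fine
allow any 0.0.0.0/0     0.0.0.0/0     any       # leftover troubleshooting rule
deny  any 0.0.0.0/0     0.0.0.0/0     any
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str


def parse_rules(text):
    """Return (default_policy, [Rule]); comments and blank lines are ignored."""
    default, rules = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "default":
            default = parts[1]
            continue
        action, proto, src, dst, port = parts
        rules.append(Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), port))
    return default, rules


def audit(text, baseline=BASELINE):
    """Compare the parameter settings with the baseline; return a list of findings."""
    default, rules = parse_rules(text)
    findings = []
    if default != baseline["default"]:
        findings.append(f"default policy is {default!r}, baseline requires {baseline['default']!r}")
    mgmt = ipaddress.ip_network(baseline["mgmt_net"])
    for i, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        from_internet = r.src.prefixlen == 0
        if r.port in baseline["forbidden_ports"]:
            findings.append(f"rule {i}: forbidden service port {r.port}")
        elif r.port in baseline["mgmt_ports"] and not r.src.subnet_of(mgmt):
            findings.append(f"rule {i}: management port {r.port} reachable from {r.src}")
        elif from_internet and r.port == "any":
            findings.append(f"rule {i}: unrestricted allow from the Internet")
        elif from_internet and r.port not in baseline["internet_allowed_ports"]:
            findings.append(f"rule {i}: port {r.port} exposed to the Internet is not in the baseline")
    return findings


if __name__ == "__main__":
    for finding in audit(RULESET):
        print("FINDING:", finding)
```

Running the check on every exported configuration, not only at audit time, is what turns the baseline into the configuration-management control of question 49: drift is caught when the rule is added, not months later.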

NEW QUESTION: 55
Which of the following is the MOST reliable network connection medium in an environment
where there is strong electromagnetic interference?
A. Wireless link
B. Coaxial cable
C. Shielded twisted-pair cable
D. Fiber optic cable
Answer: (SHOW ANSWER)

NEW QUESTION: 56
What is the BEST indicator of successful implementation of an organization's information
security policy?
A. Reduced number of noncompliance penalties incurred
B. Reduced number of false-positive security events
C. Reduced number of successful phishing incidents
D. Reduced number of help desk calls
Answer: (SHOW ANSWER)

NEW QUESTION: 57
Which of the following is MOST important for an IS auditor to verify during a disaster
recovery audit?
A. Media are stored in fireproof cabinets.
B. The disaster recovery plan is updated on a regular basis
C. Disaster recovery tests are carried out.
D. Regular backups are made and stored offsite.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 58
A retirement system verifies that the field for employee status has either a value of A (for
active) or R (for retired). This is an example of which type of check?
A. Completeness
B. Existence
C. Validity
D. Limit
Answer: C (LEAVE A REPLY)

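
Questions 53 and 58 describe two input controls that belong together in one batch interface: a validity check that rejects any status code outside the defined set, and trailer control totals (a record count, a hash total over a non-financial field, a financial total and a digest of the body) that let the receiver prove the batch arrived complete and unaltered. The Python below is an added example, not from the dump; the record layout, the trailer format and the sample records are constructed.

```python
"""Batch file controls: per-field validity checks and trailer control totals (added example)."""
import hashlib
from decimal import Decimal

VALID_STATUS = {"A", "R"}   # validity check: the field may only hold defined codes (question 58)

# Constructed sample batch: (employee_id, status, monthly_amount)
RECORDS = [(1001, "A", "1200.50"), (1002, "R", "800.00"), (1003, "A", "950.25")]


def build_batch(records):
    """Sender side: serialize the records and append a trailer with control totals."""
    body = "".join(f"{emp_id},{status},{amount}\n" for emp_id, status, amount in records)
    trailer = "TRAILER,{},{},{},{}\n".format(
        len(records),                                       # record count
        sum(r[0] for r in records),                         # hash total over a non-financial field
        sum((Decimal(r[2]) for r in records), Decimal(0)),  # financial total
        hashlib.sha256(body.encode()).hexdigest(),          # digest of the body bytes
    )
    return body + trailer


def check_batch(text):
    """Receiver side: recompute the controls and return the list of exceptions
    (an empty list means the batch arrived complete and every record is valid)."""
    lines = text.splitlines()
    if not lines or not lines[-1].startswith("TRAILER,"):
        return ["missing trailer"]
    _, count, hash_total, amount_total, digest = lines[-1].split(",")
    body = lines[:-1]
    exceptions, id_sum, amt_sum = [], 0, Decimal(0)
    for n, line in enumerate(body, 1):
        emp_id, status, amount = line.split(",")
        if status not in VALID_STATUS:
            exceptions.append(f"record {n}: invalid status {status!r}")
        id_sum += int(emp_id)
        amt_sum += Decimal(amount)
    if len(body) != int(count):
        exceptions.append(f"record count {len(body)} != {count}")
    if id_sum != int(hash_total):
        exceptions.append(f"hash total {id_sum} != {hash_total}")
    if amt_sum != Decimal(amount_total):
        exceptions.append(f"amount total {amt_sum} != {amount_total}")
    body_bytes = "".join(l + "\n" for l in body).encode()
    if hashlib.sha256(body_bytes).hexdigest() != digest:
        exceptions.append("body digest mismatch")
    return exceptions


def drop_record(batch, index):
    """Simulate a record lost in transit (a line silently missing from the body)."""
    lines = batch.splitlines(keepends=True)
    del lines[index]
    return "".join(lines)


def corrupt_status(batch, index, new_status):
    """Simulate a field corrupted in transit."""
    lines = batch.splitlines(keepends=True)
    emp_id, _, rest = lines[index].split(",", 2)
    lines[index] = f"{emp_id},{new_status},{rest}"
    return "".join(lines)


if __name__ == "__main__":
    batch = build_batch(RECORDS)
    print("intact:   ", check_batch(batch))
    print("dropped:  ", check_batch(drop_record(batch, 1)))
    print("corrupted:", check_batch(corrupt_status(batch, 0, "X")))
```

The hash total earns its name because it is a meaningless sum (employee IDs added together) kept only to detect loss or substitution; the digest covers the same ground more strongly, but control totals can still be reconciled by hand from a printed batch, which is why both survive in financial interfaces.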
NEW QUESTION: 59
Which of the following conditions would be of MOST concern to an IS auditor assessing
the risk of a successful brute force attack against encrypted data at rest?
A. Use of asymmetric encryption
B. Use of symmetric encryption
C. Random key generation
D. Short key length
Answer: D (LEAVE A REPLY)
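
Against encrypted data at rest the attacker's cost is set by the size of the key space, not by whether the algorithm is symmetric or asymmetric: every extra bit doubles the number of keys to try, and a key short enough to enumerate offers no protection no matter how randomly it was generated. The script below is an added example, not from the dump; it uses a toy SHA-256 keystream cipher (constructed here only so that key size is the single variable) and a constructed known header that the attacker tests each candidate key against, which is how real brute-force tools recognise a hit.

```python
"""Why key length dominates brute-force risk: exhaust a toy key space (added example)."""
import hashlib

KNOWN_HEADER = b"BATCH-001"   # constructed: a predictable header the attacker can test against


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||counter. Only the KEY SIZE matters for this demo."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key of key_bits bits in order; stop when the known plaintext appears.
    Returns (key, attempts), or (None, 2**key_bits) if nothing matched."""
    key_len = (key_bits + 7) // 8
    head = ciphertext[:len(known_prefix)]          # only the known part needs decrypting
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes(key_len, "big")
        if xor_crypt(key, head) == known_prefix:
            return key, candidate + 1
    return None, 1 << key_bits


def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to try the whole key space; each added bit doubles it."""
    return (2 ** key_bits) / keys_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    import time
    plaintext = KNOWN_HEADER + b",1001,A,1200.50"
    secret = (0x1F2E).to_bytes(2, "big")            # a 16-bit key: recovered in a fraction of a second
    ct = xor_crypt(secret, plaintext)
    t0 = time.perf_counter()
    key, attempts = brute_force(ct, KNOWN_HEADER, 16)
    rate = attempts / (time.perf_counter() - t0)
    print(f"recovered key {key.hex()} after {attempts} attempts at ~{rate:,.0f} keys/s")
    for bits in (40, 56, 128):
        print(f"{bits}-bit key space at that rate: {years_to_exhaust(bits, rate):.3g} years")
```

The single-core rate the script measures is pessimistic for an attacker, who brings GPUs or a cluster, so the printed years for 40 and 56 bits shrink by orders of magnitude in practice; the 128-bit figure does not, which is the whole point of the question.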

NEW QUESTION: 60
An IS auditor is conducting a post-implementation review of an enterprise resource
planning (ERP) system. End users indicated concerns with the accuracy of critical
automatic calculations made by the system. The auditor's FIRST course of action should
be to:
A. verify completeness of user acceptance testing
B. verify results to determine validity of user concerns
C. review recent changes to the system
D. review initial business requirements
Answer: (SHOW ANSWER)

NEW QUESTION: 61
An IS auditor is assessing risk associated with peer-to-peer file sharing within an
organization. Which of the following should be of GREATEST concern?
A. File-sharing policies have not been reviewed since last year
B. Only some employees are required to attend security awareness training
C. The organization does not have an efficient patch management process.
D. Not all devices are running antivirus programs
Answer: D (LEAVE A REPLY)


NEW QUESTION: 62
During an audit of a reciprocal disaster recovery agreement between two companies, the
IS auditor would be MOST concerned with the:
A. frequency of system testing
B. allocation of resources during an emergency
C. maintenance of hardware and software compatibility
D. differences in IS policies and procedures
Answer: D (LEAVE A REPLY)

NEW QUESTION: 63
Which of the following provides the BEST indication that IT key performance indicators
(KPIs) are integrated into management practices?
A. KPIs are reviewed on a periodic basis.
B. IT KPIs include business metrics
C. All relevant parties are involved in the design of KPIs
D. KPIs are communicated to stakeholders
Answer: B (LEAVE A REPLY)

NEW QUESTION: 64
Which of the following has the GREATEST influence on the success of IT governance?
A. IT strategy is embedded in all risk management processes
B. Alignment of IT strategies with the entity's vision
C. The CIO is a member of the audit committee
D. Clear, concise, and enforced IS policies
Answer: B (LEAVE A REPLY)

NEW QUESTION: 65
Two organizations will share ownership of a new enterprise resource management (ERM)
system. To help ensure the successful implementation of the system, it is MOST important
to define:
A. access to data.
B. appropriate procedures
C. custody of assets
D. the governance model.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 66
The results of an IS audit indicating the need to strengthen controls have been
communicated to the appropriate stakeholders. Which of the following is the BEST way for
management to enforce implementation of the recommendations?
A. Copy senior management on communications related to the audit
B. Assign ownership to each remediation activity
C. Have stakeholders develop a business case for control changes
D. Request auditors to design a roadmap for closure
Answer: B (LEAVE A REPLY)

NEW QUESTION: 67
When designing metrics for information security, the MOST important consideration is that
the metrics:
A. provide actionable data.
B. apply to all business units.
C. are easy to understand.
D. track trends over time.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 68
An organization's sensitive data is stored in a cloud computing environment and is
encrypted. Which of the following findings should be of GREATEST concern to an IS
auditor?
A. Symmetric keys are used for encryption.
B. Encryption keys are not rotated on a regular basis.
C. Test data encryption keys are being used in production
D. Data encryption keys are accessible to the service provider.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 69
Which of the following controls BEST mitigates the impact of a distributed denial of service
(DDoS) attack against the controller in a software-defined network (SDN)?
A. Hardening the operating system that hosts the SDN controller
B. Implementing multiple physical SDN controllers
C. Relocating virtualized network functions to physical infrastructure
D. Implementing configuration management for SDN controllers
Answer: B (LEAVE A REPLY)

NEW QUESTION: 70
An IS auditor is assigned to review the development of a specific application. Which of the
following would be the MOST significant step following the feasibility study?
A. Assist users in the design of proper acceptance-testing procedures.
B. Review functional design to determine that appropriate controls are planned.
C. Follow up with project sponsor for project's budgets and actual costs.
D. Attend project progress meetings to monitor timely implementation of the application.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 71
Which of the following activities is MOST important to consider when conducting IS audit
planning?
A. Results from previous audits are reviewed.
B. The audit committee agrees on risk rankings.
C. Audit scheduling is based on skill set of audit team.
D. Resources are allocated to areas of high risk.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 72
An IS auditor reviewing a financial organization's identity management solution found that
some critical business applications do not have identified owners. Which of the following
should the auditor do NEXT?
A. Discuss the issue with the auditee.
B. Revoke access rights to the critical applications.
C. Write a finding in the audit report.
D. Request a business risk acceptance.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 73
Which of the following IS functions can be performed by the same group or individual while
still providing the proper segregation of duties?
A. Application programming and systems analysis
B. Security administration and application programming
C. Computer operations and application programming
D. Database administration and computer operations
Answer: (SHOW ANSWER)

NEW QUESTION: 74
Which of the following is an example of a corrective control?
A. Employing only qualified personnel to execute tasks
B. Utilizing processes that enforce segregation of duties
C. Generating automated batch job failure notifications
D. Restoring system information from data backups
Answer: D (LEAVE A REPLY)

NEW QUESTION: 75
In which of the following sampling methodologies does each member of the population
have a known nonzero probability of being selected?
A. Stratified sampling
B. Haphazard sampling
C. Quota sampling
D. Judgmental sampling
Answer: (SHOW ANSWER)

NEW QUESTION: 76
An IS auditor has been asked to review an organization's security incident response plan
for effectiveness Which of the following should the auditor recommend be done FIRST
after a network intrusion event has occurred?
A. Contain the impact of the event
B. Identify procedures for recovery from the event
C. Notify the appropriate regulatory bodies
D. Escalate the event to senior management
Answer: A (LEAVE A REPLY)


NEW QUESTION: 77
What would be an IS auditor's BEST course of action when a critical issue outside the
audit scope is discovered on an employee workstation?
A. Expand the audit scope to include desktop audits.
B. Take no action as this issue is outside the audit scope.
C. Include the finding with recommendations in the final report.
D. Record the observation in the workpapers.
Answer: (SHOW ANSWER)

NEW QUESTION: 78
Which of the following would be MOST useful when analyzing computer performance?
A. Tuning of system software to optimize resource usage
B. Operations report of user dissatisfaction with response time
C. Report of off-peak utilization and response time
D. Statistical metrics measuring capacity utilization
Answer: D (LEAVE A REPLY)

NEW QUESTION: 79
A recent audit concluded that an organization's information security system was weak and
that monitoring would likely fail to detect penetration. Which of the following would be the
MOST appropriate recommendation?
A. Encrypt sensitive data while strengthening the system
B. Identify and periodically remove sensitive data that is no longer needed
C. Establish a clear policy related to security and the handling of sensitive data
D. Look continually for new criminal behavior and attacks on sensitive data
Answer: A (LEAVE A REPLY)

NEW QUESTION: 80
Which of the following mechanisms for process improvement involves examination of
industry best practice?
A. Knowledge management
B. Business process reengineering (BPR)
C. Continuous improvement
D. Benchmarking
Answer: D (LEAVE A REPLY)

NEW QUESTION: 81
Which of the following is a KEY consideration to ensure the availability of nodes in an
active-active application cluster configuration?
A. Adequate storage exists across all nodes.
B. Some of the nodes are located in the same city.
C. Network encryption exists between nodes
D. The cluster agent software used is open source
Answer: C (LEAVE A REPLY)

NEW QUESTION: 82
Which of the following findings is the GREATEST concern when reviewing a disaster
recovery plan (DRP) with high availability requirements?
A. Current vendor contact information is not included.
B. Recovery time objectives (RTO) are not defined.
C. Disaster recovery testing is not required.
D. Responsibilities are not defined for the recovery team.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 83
An organization using instant messaging to communicate with customers prevents
legitimate customers from being impersonated by:
A. Logging conversations.
B. Using a firewall to limit network traffic to authorized ports.
C. Authenticating users before conversations are initiated.
D. Using call monitoring.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 84
Which of the following is the BEST control to reduce the likelihood that a spear phishing
attack will be successful?
A. Education for staff and high-profile users on social engineering
B. Automated alerts to security managers identifying confidential information transferred
externally
C. Spam filtering for emails containing external hyperlinks sent to mass recipient lists
D. Tools for users to report suspicious emails and unusual financial transactions
Answer: A (LEAVE A REPLY)

NEW QUESTION: 85
Which of the following is MOST essential to quality management?
A. Adherence to a globally recognized quality standard
B. Application of statistical process control methods
C. Teamwork by all representatives of the quality group
D. Commitment on the part of executive management
Answer: D (LEAVE A REPLY)

NEW QUESTION: 86
When determining the specifications for a server supporting an online application using
more than a hundred endpoints, which of the following is the MOST important factor to be
considered?
A. Reputation of the vendors and their customer base
B. High availability of different systems
C. Transaction volume estimate during peak periods
D. Cost-benefit comparison between the available systems
Answer: C (LEAVE A REPLY)

NEW QUESTION: 87
Which of the following observations should be of concern to an IS auditor in the fieldwork
stage of a procurement audit?
A. Requisitions are being processed by the finance team.
B. The purchase requester receives notifications of goods delivery.
C. Requisitions are being facilitated by a third-party procurement service.
D. Purchase commitments are made prior to requisitions being approved.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 88
Which of the following is MOST important with regard to an application development
acceptance test?
A. User management approves the test design before the test is started.
B. All data files are tested for valid information before conversion.
C. The quality assurance (QA) team is in charge of the testing process.
D. The programming team is involved in the testing process.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 89
Which of the following should be the FIRST step when developing a business continuity
plan (BCP)?
A. Conduct a risk assessment
B. Discuss recovery time and recovery process objectives with the business owner
C. Choose appropriate controls and measures for recovering IT components.
D. Develop a business continuity strategy
Answer: A (LEAVE A REPLY)

NEW QUESTION: 90
An IS auditor has found that despite an increase in phishing attacks over the past two
years, there has been a significant decrease in the success rate. Which of the following is
the MOST likely reason for this decline?
A. Enhanced training for incident responders
B. Implementation of an intrusion detection system (IDS)
C. Implementation of a security awareness program
D. Development of an incident response plan
Answer: A (LEAVE A REPLY)

NEW QUESTION: 91
Which of the following controls would BEST decrease the exposure if a password is
compromised?
A. Passwords are masked.
B. Passwords are encrypted.
C. Passwords have format restrictions.
D. Password changes are forced periodically.
Answer: (SHOW ANSWER)

NEW QUESTION: 92
For a company that outsources payroll processing, which of the following is the BEST way
to ensure that only authorized employees are paid?
A. Employees should receive pay statements showing gross pay, net pay, and deductions.
B. The company's bank reconciliations should be independently prepared and checked.
C. Electronic payroll reports should be independently reviewed.
D. Only payroll employees should be given the password for data entry and report
retrieval.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 93
An IS auditor suspects an organization's computer may have been used to commit a
crime. Which of the following is the auditor's BEST course of action?
A. Advise management of the crime after the investigation.
B. Notify local law enforcement of the potential crime before further investigation.
C. Contact the incident response team to conduct an investigation.
D. Examine the computer to search for evidence supporting the suspicions.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 94
Which of the following is MOST useful for determining whether the goals of IT are aligned
with the organization's goals?
A. Balanced scorecard
B. Enterprise dashboard
C. Key performance indicators (KPIs)
D. Enterprise architecture (EA)
Answer: (SHOW ANSWER)

NEW QUESTION: 95
To create a digital signature in a message using asymmetric encryption, it is necessary to:
A. First use a symmetric algorithm for the authentication sequence.
B. encrypt the authentication sequence using a private key.
C. encrypt the authentication sequence using a public key.
D. transmit the actual digital signature in unencrypted clear text.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 96
Which of the following is MOST important for the successful completion of a new
application system?
A. Appropriate training of system analysts
B. Steering committee approval of the new system
C. User participation in the project development
D. Completion of a positive cost-benefit analysis
Answer: C (LEAVE A REPLY)

NEW QUESTION: 97
Which of the following system deployments requires the cloud provider to assume the
widest range of responsibilities for data protection?
A. Database as a Service (DBaaS)
B. Platform as a Service (PaaS)
C. Software as a Service (SaaS)
D. Infrastructure as a Service (IaaS)
Answer: C (LEAVE A REPLY)

NEW QUESTION: 98
Which of the following is the GREATEST risk resulting from conducting periodic reviews of
IT over several years based on the same audit program?
A. Audit risk is increased because the programs might not be adapted to the organization's
current situation.
B. The number of errors will increase because the routine work promotes inattentiveness.
C. Staff turnover in the audit department will increase because fieldwork becomes less
interesting.
D. Detection risk is increased because auditees already know the audit program.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 99
A legacy application is running on an operating system that is no longer supported by the
vendor. If the organization continues to use the current application, which of the following
should be the IS auditor's GREATEST concern?
A. Inability to use the operating system due to potential license issues
B. Inability to update the legacy application database
C. Increased cost of maintaining the system
D. Potential exploitation of zero-day vulnerabilities in the system
Answer: A (LEAVE A REPLY)

NEW QUESTION: 100
A small organization does not have enough employees to implement adequate segregation
of duties in accounts payable. Which of the following is the BEST compensating control to
mitigate the risk associated with this situation?
A. Regular reconciliation of key transactions approved by a supervisor
B. Rotation of duties among existing personnel
C. Review of transactions exceeding a specific threshold
D. Supervisory review of logs to detect changes in vendors
Answer: A (LEAVE A REPLY)

NEW QUESTION: 101
Which of the following is the BEST control to mitigate the malware risk associated with an
instant messaging (IM) system?
A. Encrypting IM traffic
B. Blocking external IM traffic
C. Blocking attachments in IM
D. Allowing only corporate IM solutions
Answer: (SHOW ANSWER)

NEW QUESTION: 102
When planning an end-user computing (EUC) audit, it is MOST important for the IS auditor to:
A. evaluate the organization's EUC policy
B. obtain an inventory of EUC applications
C. evaluate EUC threats and vulnerabilities
D. determine EUC materiality and complexity thresholds
Answer: (SHOW ANSWER)

NEW QUESTION: 103
An IS auditor attempts to sample for variables in a population of items with wide
differences in values but determines that an unreasonably large number of sample items
must be selected to produce the desired confidence level. In this situation, which of the
following is the audit decision?
A. Select a stratified sample
B. Select a judgmental sample
C. Lower the desired confidence level
D. Allow more time and test the required sample
Answer: A (LEAVE A REPLY)

NEW QUESTION: 104
An organization has performance metrics to track how well IT resources are being used,
but there has been little progress on meeting the organization's goals. Which of the
following would be MOST helpful to determine the underlying reason?
A. Re-evaluating key performance indicators (KPIs)
B. Conducting a root cause analysis
C. Conducting a business impact analysis (BIA)
D. Re-evaluating organizational goals
Answer: A (LEAVE A REPLY)

NEW QUESTION: 105
An organization is evaluating a disaster recovery testing scenario in which a ransomware
attack occurs and the business impact analysis (BIA) indicates the recovery point objective
(RPO) is 6 hours. Which of the following BEST ensures the most recent good data set will
be available after the attack occurs?
A. Replication is every 6 hours.
B. Replication occurs every 15 minutes.
C. Backup is configured every 5 hours.
D. Backup is configured every 4 hours.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 106
The process of applying a hash function to a message, and obtaining and ciphering a
digest refers to:
A. digital signatures.
B. authentication.
C. digital certificates.
D. public key infrastructure (PKI).
Answer: (SHOW ANSWER)

NEW QUESTION: 107
Which of the following is the GREATEST risk of cloud computing?
A. Reduced performance
B. Inflexibility
C. Lack of scalability
D. Disclosure of data
Answer: D (LEAVE A REPLY)

NEW QUESTION: 108
Which of the following should be included in a business impact analysis (BIA)?
A. Recovery strategy for significant business interruptions
B. Support documentation for the recovery alternative
C. Identification of IT resources that support key business processes
D. Roles and responsibilities for the business continuity process
Answer: C (LEAVE A REPLY)

NEW QUESTION: 109
Which of the following should be of MOST concern to an IS auditor evaluating a forensics
program?
A. Forensic images are only maintained for 12 months.
B. Forensic images are stored on removable media with encryption.
C. Forensic images are stored on shared disks.
D. Forensic images are only stored for involuntarily terminated employees.
Answer: (SHOW ANSWER)

NEW QUESTION: 110
The PRIMARY reason an IS department should analyze past incidents and problems is to:
A. identify the causes of recurring incidents and problems.
B. determine if all incidents and problems are reported
C. assess help desk performance
D. assign responsibility for problems.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 111
A sales representative is reviewing the organization's feedback blog and gets redirected to
a site that sells illegal prescription drugs. The blog site is MOST likely susceptible to which
of the following types of attacks?
A. SQL injection
B. Phishing attack
C. Directory harvesting
D. Cross-site scripting
Answer: D (LEAVE A REPLY)

NEW QUESTION: 112
Which of the following user actions constitutes the GREATEST risk for introducing viruses
into a local network?
A. Opening an email attachment
B. Uploading a file onto an internal server
C. Viewing a hypertext markup language (HTML) document
D. Downloading a file from an external server
Answer: B (LEAVE A REPLY)

NEW QUESTION: 113
When reviewing a disaster recovery plan (DRP), an IS auditor should examine the:
A. Uninterruptible power supply (UPS)
B. Fire-fighting equipment
C. Access to the computer site by the backup staff
D. Offsite data file storage
Answer: D (LEAVE A REPLY)

NEW QUESTION: 114
Which of the following is MOST influential when defining disaster recovery strategies?
A. Data classification scheme
B. Annual loss expectancy
C. Maximum tolerable downtime
D. Existing server redundancies
Answer: B (LEAVE A REPLY)

NEW QUESTION: 115
An organization's current end-user computing practices include the use of a spreadsheet
for financial statements. Which of the following is the GREATEST concern?
A. The spreadsheet is not maintained by IT.
B. The spreadsheet contains numerous macros.
C. Operational procedures have not been reviewed in the current fiscal year.
D. Formulas are not protected against unintended changes.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 116
When implementing a software product (middleware) to pass data between local area
network (LAN) servers and the mainframe, the MOST critical control consideration is:
A. cross-platform authentication.
B. network traffic levels between platforms.
C. time-stamping of transactions to facilitate recovery.
D. time synchronization of databases.
Answer: (SHOW ANSWER)

NEW QUESTION: 117
The MOST important reason for documenting all aspects of a digital forensic investigation
is that documentation:
A. meets IT audit documentation standards.
B. ensures the process will be repeatable in future investigations.
C. ensures compliance with corporate incident response policies.
D. provides traceability for independent investigation by third parties.
Answer: (SHOW ANSWER)

NEW QUESTION: 118
What is the MOST important consideration of any disaster response plan?
A. Personnel safety
B. Business resumption
C. IT asset protection
D. Adequate resource capacity
Answer: B (LEAVE A REPLY)

NEW QUESTION: 119
Which of the following would provide the BEST evidence for use in a forensic investigation
of an employee's hard drive?
A. Memory dump to an external hard drive
B. Prior backups
C. A file level copy of the hard drive
D. Bit-stream copy of the hard drive
Answer: B (LEAVE A REPLY)

NEW QUESTION: 120
To restore service at a large processing facility after a disaster, which of the following tasks
should be performed FIRST?
A. Launch the emergency action team.
B. Activate the reciprocal agreement.
C. Inform insurance company agents.
D. Contact equipment vendors.
Answer: (SHOW ANSWER)

NEW QUESTION: 121
A system administrator recently informed the IS auditor about the occurrence of several
unsuccessful intrusion attempts from outside the organization. Which of the following is
MOST effective in detecting such an intrusion?
A. Configuring the router as a firewall
B. Periodically reviewing log files
C. Using smart cards with one-time passwords
D. Installing Biometrics-based authentication
Answer: A (LEAVE A REPLY)

NEW QUESTION: 122
In a 24/7 processing environment, a database contains several privileged application
accounts with passwords set to "never expire." Which of the following recommendations
would BEST address the risk with minimal disruption to the business?
A. Modify the access management policy to make allowances for application accounts
B. Modify applications to no longer require direct access to the database.
C. Introduce database access monitoring into the environment
D. Schedule downtime to implement password changes
Answer: (SHOW ANSWER)

NEW QUESTION: 123
When participating as a member of a system development team, the IS auditor should be
aware that:
A. for ongoing evaluation capability, the auditor should ensure that computer audit
software is implemented in all applications.
B. the auditor should sign a statement of independence prior to participating in the project
team.
C. the auditor's ability to perform an independent evaluation of the application after
implementation will be impaired.
D. as a control specialist, the auditor can provide significant value to the project team by
making the final decision on specific controls.
Answer: (SHOW ANSWER)

NEW QUESTION: 124
Which of the following would be MOST time and cost efficient when performing a control
self-assessment (CSA) for an organization with a large number of widely dispersed
employees?
A. Survey questionnaire
B. Facilitated workshops
C. Face-to-face interviews
D. Top-down and bottom-up analysis
Answer: D (LEAVE A REPLY)

NEW QUESTION: 125
Which of the following is the BEST indication that an information security program is
effective?
A. The security team has performed a risk assessment to understand the organization's
risk appetite.
B. The security team is knowledgeable and uses the best available tools.
C. The number of reported and confirmed security incidents has increased after awareness
training.
D. The security awareness program was developed following industry best practices.
Answer: (SHOW ANSWER)

NEW QUESTION: 126
Which of the following is a reason for implementing a decentralized IT governance model?
A. Greater consistency among business units
B. IT synergy among business units
C. Standardized controls and economies of scale
D. Greater responsiveness to business needs
Answer: D (LEAVE A REPLY)

NEW QUESTION: 127
Which of the following is the PRIMARY criterion for identifying an incident severity level?
A. Data integrity
B. Impact on business
C. Time to recognition
D. Speed of recovery
Answer: (SHOW ANSWER)

NEW QUESTION: 128
An IS auditor is performing a business continuity plan (BCP) audit and identifies that the
plan has not been tested for five years; however, the plan was successfully activated
during a recent extended power outage.
Which of the following is the IS auditor's BEST course of action?
A. Determine if lessons learned from the activation were incorporated into the plan
B. Determine if the business impact analysis (BIA) is still accurate.
C. Determine if a follow-up BCP audit is required to identify future gaps
D. Determine if the annual BCP training program is in need of review
Answer: A (LEAVE A REPLY)

NEW QUESTION: 129
During a network security review, the system log indicates an unusually high number of
unsuccessful login attempts. Which of the following sampling techniques is MOST
appropriate for selecting a sample of user IDs for further investigation?
A. Monetary unit
B. Variable
C. Attribute
D. Stratified
Answer: (SHOW ANSWER)

NEW QUESTION: 130
An IS auditor is planning on utilizing attribute sampling to determine the error rate for
health care claims processed. Which of the following factors will cause the sample size to
decrease?
A. Expected error rate increase
B. Acceptable risk level decrease
C. Population size increase
D. Tolerable error rate increase
Answer: D (LEAVE A REPLY)

NEW QUESTION: 131
Which of the following is the BEST approach to verify that internal help desk procedures
are executed in compliance with policies?
A. Test a sample of closed tickets.
B. Interview end users
C. Evaluate help desk call metrics.
D. Benchmark help desk procedures.
Answer: (SHOW ANSWER)

NEW QUESTION: 132
In a high-volume, real-time system, the MOST effective technique by which to continuously
monitor and analyze transaction processing is:
A. embedded audit modules.
B. integrated test facility (ITF)
C. transaction tagging
D. parallel simulation.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 133
In a typical network architecture used for e-commerce, a load balancer is normally found
between the:
A. routers and the web servers.
B. users and the external gateways.
C. mail servers and the mail repositories
D. databases and the external gateways.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 134
Which of the following is the FIRST consideration when developing a data retention policy?
A. Identifying the legal and contractual retention period for data
B. Designing an infrastructure storage strategy
C. Determining the backup cycle based on retention period
D. Determining the security access privileges to the data
Answer: A (LEAVE A REPLY)

NEW QUESTION: 135
Which of the following is the MOST important difference between end-user computing
(EUC) applications and traditional applications?
A. Traditional applications require roll-back procedures whereas EUC applications do not.
B. Traditional applications require periodic patching whereas EUC applications do not.
C. Traditional application input controls are typically more robust than EUC application
input controls.
D. Traditional application documentation is typically less comprehensive than EUC
application documentation.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 136
Which of the following is the PRIMARY objective of using a capability maturity model as a
tool to communicate audit results to senior management?
A. To confirm audit findings
B. To prioritize remediation efforts
C. To illustrate improvement opportunities
D. To evaluate management's action plan
Answer: C (LEAVE A REPLY)

NEW QUESTION: 137
While evaluating an organization's program for tracking system interfaces and data
transfers, the IS auditor notices the program does not record some of the ad hoc transfers
that occur. Which of the following is the GREATEST potential risk?
A. Nonrepudiation controls may be ineffective or nonexistent.
B. Peer-to-peer data transfers may not be encrypted.
C. Some ad hoc transfers may not use secure FTP sites.
D. Management reports may be incomplete.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 138
The PRIMARY benefit of using secure shell (SSH) to access a server on a network is that
it:
A. provides better session reliability
B. provides confidentiality of transmitted data
C. facilitates communication across platforms.
D. prevents man-in-the-middle attacks
Answer: B (LEAVE A REPLY)

NEW QUESTION: 139
During the review of an organization's software development process, which of the
following would be the IS auditor's GREATEST concern related to software security coding
testing?
A. The developers are not qualified to conduct security and performance testing
B. Only newly developed applications are submitted for code reviews
C. A security validation framework is not used in the development process
D. Developers did not document the initial vulnerabilities
Answer: C (LEAVE A REPLY)

NEW QUESTION: 140
The GREATEST benefit of using a prototyping approach in software development is that it
helps to:
A. conceptualize and clarify requirements
B. minimize scope changes to the system
C. decrease the time allocated for user testing and review
D. improve efficiency of quality assurance (QA) testing.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 141
What would be an IS auditor's GREATEST concern when using a test environment for an
application audit?
A. Developers have access to the test environment
B. Retention period of test data has been exceeded
C. Test and production environments do not mirror each other
D. Test and production environments lack data encryption
Answer: C (LEAVE A REPLY)

NEW QUESTION: 142
An organization has purchased a replacement mainframe computer to cope with the
demands of increased business. Which of the following should be the PRIMARY concern
of an IS auditor?
A. The disaster recovery plan has been reviewed and updated.
B. Application access controls are adequate.
C. Appropriate tender evaluation processes have been followed.
D. The procurement is within the planned budget for the year.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 143
An organization is including a client-side software component of a Software as a Service
(SaaS) solution as part of its standard PC image. To protect the organization against
copyright infringement, what is MOST important for the IS auditor to ensure?
A. License usage is assessed
B. Open source alternatives are prohibited
C. The latest version of software is available.
D. Contract clauses are reviewed
Answer: A (LEAVE A REPLY)

NEW QUESTION: 144
Invoking a business continuity plan (BCP) is demonstrating which type of control?
A. Corrective
B. Preventive
C. Directive
D. Detective
Answer: C (LEAVE A REPLY)

NEW QUESTION: 145
When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor
should FIRST review:
A. the IT processes and procedures.
B. information security procedures.
C. the IT governance framework.
D. the most recent audit results.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 146
An organization has implemented a control to help ensure databases containing personal
information will not be updated with online transactions that are incomplete due to
connectivity issues. Which of the following information attributes is PRIMARILY addressed
by this control?
A. Compliance
B. Availability
C. Confidentiality
D. Integrity
Answer: D (LEAVE A REPLY)

NEW QUESTION: 147
Which of the following areas is the MOST likely cause of an application producing several
erroneous reports?
A. A deficiency in patch management
B. A deficiency in database administration
C. A deficiency in user acceptance testing
D. A deficiency in IT resource allocation
Answer: C (LEAVE A REPLY)

NEW QUESTION: 148
An IS auditor is evaluating the access controls at a multinational company with a shared
network infrastructure. Which of the following is MOST important?
A. Simplicity of end-to-end communication paths
B. Logging of network information at user level
C. Common security policies
D. Remote network administration
Answer: C (LEAVE A REPLY)

NEW QUESTION: 149
Which of the following is the MOST important metric in selecting a biometric device?
A. Crossover error rate
B. Image size
C. System response time
D. False rejection rate
Answer: D (LEAVE A REPLY)

NEW QUESTION: 150
Which of the following would be the MOST significant consideration when developing a
data classification program for a multinational organization?
A. Increase in percent of data considered confidential
B. Conflicting regulatory requirements
C. Management structure
D. Change to service-oriented architecture
Answer: (SHOW ANSWER)

NEW QUESTION: 151
What is the PRIMARY reason for hardening new devices before introducing them into a
corporate network?
A. To prevent users from installing unlicensed software
B. To reduce exposure to security risk
C. To comply with organization policies
D. To reduce unnecessary downtime
Answer: B (LEAVE A REPLY)

NEW QUESTION: 152
An IS auditor is planning an audit of an organization's payroll processes. Which of the
following is the BEST procedure to provide assurance against internal fraud?
A. Interview the payroll manager to obtain a detailed process workflow.
B. Review management's approval of payroll system changes.
C. Review management's validation of payroll payment recipients.
D. Compare employee work contracts against hours entered in the payroll system.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 153
The MAIN reason an organization's incident management procedures should include a
post-incident review is to:
A. improve processes by learning from identified weaknesses
B. ensure evidence is collected for possible post-event litigation.
C. enable better reporting for executives and the audit committee
D. take appropriate action when procedures are not followed
Answer: (SHOW ANSWER)

NEW QUESTION: 154
Information security awareness programs in a large organization should be:
A. customized for each target audience.
B. developed by user management.
C. the same for all employees.
D. written by an external security company.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 155
Code changes are compiled and placed in a change folder by the developer. An
implementation team migrates changes to production from the change folder. Which of the
following BEST indicates separation of duties is in place during the migration process?
A. The implementation team does not have access to change the source code.
B. A second individual performs code review before the change is released to production.
C. The developer approves changes prior to moving them to the change folder.
D. The implementation team does not have experience writing code.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 156
An IS auditor finds that confidential company data has been inadvertently leaked through
social engineering.
The MOST effective way to help prevent a recurrence of this issue is to implement:
A. data loss prevention (DLP) software.
B. a third-party intrusion prevention solution
C. penalties to staff for security policy breaches
D. a security awareness program.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 157
Which of the following tools is MOST helpful in estimating budgets for tasks within a large
IT business application project?
A. Balanced scorecard
B. Gantt chart
C. Critical path methodology (CPM)
D. Function point analysis (FPA)
Answer: D (LEAVE A REPLY)

NEW QUESTION: 158
Which of the following is the MOST important control to help minimize the risk of data
leakage from calls made to a business-to-business application programming interface
(API)?
A. Implementing an API versioning system
B. Deploying content inspection at the API gateway
C. Implementing API server clusters
D. Providing API security awareness training to developers
Answer: B (LEAVE A REPLY)

NEW QUESTION: 159
Which of the following is the MOST effective way to minimize the risk of a SQL injection
attack?
A. Implementing an intrusion detection tool
B. Using secure coding practices
C. Performing activity monitoring
D. Reconfiguring content filtering settings
Answer: (SHOW ANSWER)

NEW QUESTION: 160


When creating a new risk management program, it is CRITICAL to consider:
A. compliance measures.
B. risk mitigation techniques.
C. resource utilization.
D. the risk appetite.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 161


An organization's audit charter PRIMARILY:
A. defines the auditors' code of conduct
B. formally records the annual and quarterly audit plans
C. describes the auditors' authority to conduct audits
D. documents the audit process and reporting standards
Answer: (SHOW ANSWER)

NEW QUESTION: 162


Which of the following controls is MOST effective in detecting spam?
A. Denying transmission control protocol (TCP) connections in the mail server
B. Registering the recipient with keepers of spam lists
C. Using heuristic filters based on the content of the message
D. Refusing Internet protocol (IP) connections at the router
Answer: (SHOW ANSWER)

NEW QUESTION: 163


Which of the following is the BEST method to assess the adequacy of security awareness
in an organization?
A. Confirming a security awareness program exists
B. Administering security survey questionnaires
C. Observing employee security behaviors
D. Interviewing employees about security responsibility
Answer: C (LEAVE A REPLY)

NEW QUESTION: 164


Which of the following is an IS auditor's recommendation for mitigating risk associated with
rapid expansion of hosts within a virtual environment?
A. Implement policies and processes to control virtual machine (VM) lifecycle management
B. Consider using a third-party service provider to share the virtual machine (VM) risk
C. Limit access to the hypervisor operating system (OS) and administration console
D. Ensure quick access to updated images of a guest operating system for fast recovery
Answer: C (LEAVE A REPLY)

NEW QUESTION: 165


Which of the following is a distinguishing feature at the highest level of a maturity model?
A. Processes are monitored continuously.
B. Projects are controlled with management supervision.
C. There are formal standards and procedures.
D. A continuous improvement process is applied.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 166


Following an internal audit of a database, management has committed to enhance
password management controls. Which of the following provides the BEST evidence that
management has remediated the audit finding?
A. Interviews with management about remediation completion
B. Screenshots from end users showing updated password settings
C. Observation of updated password settings with database administrators (DBAs)
D. Change tickets of recent password configuration updates
Answer: D (LEAVE A REPLY)

NEW QUESTION: 167


An external IS auditor is reviewing the continuous monitoring system for a large bank and
notes several potential issues. Which of the following would present the GREATEST
concern regarding the reliability of the monitoring system?
A. The system results are not regularly reviewed by management.
B. The alert threshold is updated periodically.
C. The monitoring system was configured by internal auditors.
D. The measurement method is periodically varied.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 168


During a post-incident review of a security breach, what type of analysis should an IS
auditor expect to be performed by the organization's information security team?
A. Root cause analysis
B. Gap analysis
C. Business impact analysis (BIA)
D. Qualitative risk analysis
Answer: A (LEAVE A REPLY)

NEW QUESTION: 169


Which of the following is the MOST effective way for an IS auditor to evaluate whether an
organization is well positioned to defend against an advanced persistent threat (APT)?
A. Verify that the organization has adequate levels of cyber insurance
B. Assess the skill set within the security function
C. Verify that the organization is using correlated data for security monitoring
D. Review the validity of external Internet Protocol (IP) addresses accessing the network
Answer: C (LEAVE A REPLY)

NEW QUESTION: 170


What is the PRIMARY purpose of performing a parallel run of a new system?
A. To validate the operation of the new system against its predecessor.
B. To verify the new system provides required business functionality
C. To verify the new system can process the production load
D. To provide a failover plan in case of system issues.
Answer: (SHOW ANSWER)

NEW QUESTION: 171


Which of the following should an IS auditor review FIRST when planning a customer data
privacy audit?
A. Customer agreements
B. Legal and compliance requirements
C. Organizational policies and procedures
D. Data classification
Answer: (SHOW ANSWER)

NEW QUESTION: 172


During the implementation of an upgraded enterprise resource planning (ERP) system,
which of the following is the MOST important consideration for a go-live decision?
A. Rollback strategy
B. Business case
C. Test cases
D. Post-implementation review objectives
Answer: A (LEAVE A REPLY)

NEW QUESTION: 173


Which of the following stakeholders is accountable for control evaluations during a control
self-assessment (CSA)?
A. Departmental managers
B. Enterprise risk management
C. Chief internal auditor
D. Quality assurance management
Answer: (SHOW ANSWER)

NEW QUESTION: 174


An organization's audit charter should:
A. set the enterprise strategic direction.
B. detail the audit objectives.
C. include the IS audit plan.
D. define the auditors' right to access information.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 175


IS management has decided to replace the current single-server-based local area network
(LAN) with three interconnected servers running different operating systems. Existing
applications and data on the old server have been exclusively distributed on the new
servers. This will MOST likely result in:
A. disclosure of information.
B. multiple authentication.
C. data unavailability.
D. data incompleteness.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 176


An IS auditor previously worked in an organization's IT department and was involved with
the design of the business continuity plan (BCP). The IS auditor has now been asked to
review this same BCP. The auditor should FIRST:
A. communicate the conflict of interest to the audit manager prior to starting the
assignment.
B. decline the audit assignment.
C. document the conflict in the audit report.
D. communicate the conflict of interest to the audit committee prior to starting the
assignment
Answer: D (LEAVE A REPLY)

NEW QUESTION: 177


An organization has begun using social media to communicate with current and potential
clients. Which of the following should be of PRIMARY concern to the auditor?
A. Reduced productivity of staff using social media
B. Using a third-party provider to host and manage content
C. Lack of guidance on appropriate social media usage and monitoring
D. Negative posts by customers affecting the organization's image
Answer: C (LEAVE A REPLY)

NEW QUESTION: 178


Which of the following should an IS auditor recommend to reduce the likelihood of potential
intruders using social engineering?
A. Deploy a security awareness program
B. Prohibit the use of social networking platforms
C. Implement an intrusion detection system (IDS)
D. Perform simulated attacks
Answer: A (LEAVE A REPLY)

NEW QUESTION: 179


The recovery time objective (RTO) is normally determined on the basis of the:
A. cost of recovery of all systems.
B. criticality of the systems affected.
C. acceptable downtime of the alternate site.
D. risk of occurrence.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 180


An IT steering committee assists the board of directors to fulfill IT governance duties by:
A. focusing on the supply of IT services and products.
B. implementing the IT strategy.
C. developing IT policies and procedures for project tracking.
D. overseeing major projects and IT resource allocation.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 181


An IS auditor who was instrumental in designing an application is called upon to review the
application. The auditor should:
A. inform audit management of the earlier involvement.
B. refuse the assignment to avoid conflict of interest.
C. use the knowledge of the application to carry out the audit.
D. modify the scope of the audit.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 182


Which of the following is the MAIN purpose of implementing an incident response process?
A. Provide substantial audit-trail evidence.
B. Assign roles and responsibilities
C. Comply with policies and procedures.
D. Manage impact due to breaches.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 183


The MOST appropriate control to ensure that all orders transmitted from remote locations
to the production department are received accurately would be to:
A. have data transmitted back to the local site for comparison.
B. verify that parity checking is still active.
C. send and reconcile transaction counts and totals.
D. track and account for the numerical sequence of sales orders.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 184


What is the MOST critical finding when reviewing an organization's information security
management?
A. No official charter for the information security management system
B. No dedicated security officer
C. No periodic assessments to identify threats and vulnerabilities
D. No employee awareness training and education program
Answer: D (LEAVE A REPLY)

NEW QUESTION: 185


Which of the following is the MOST effective way for an IS auditor to evaluate the creation
and deletion of administrative accounts in a virtual environment?
A. Review accounts to determine access requirements.
B. Review account provisioning and deprovisioning procedures.
C. Review password management procedures.
D. Review resource management for capacity performance.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 186


Which of the following is the BEST way for an IS auditor to assess the effectiveness of
backup procedures?
A. Review the backup schedule.
B. Inspect backup logs.
C. Interview the data owner.
D. Evaluate the latest data restore.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 187


Which type of risk has materialized when an internal IS auditor discovers an issue that
external auditors missed due to improperly applied audit procedures?
A. Control risk
B. Inherent risk
C. Sampling risk
D. Detection risk
Answer: (SHOW ANSWER)
NEW QUESTION: 188
Which of the following is MOST important for an IS auditor to determine when reviewing
how the organization's incident response team handles devices that may be involved in
criminal activity?
A. Whether users have knowledge of their devices being examined
B. Whether the access logs are checked before seizing the devices
C. Whether there is a chain of custody for the devices
D. Whether devices are checked for malicious applications
Answer: (SHOW ANSWER)

NEW QUESTION: 189


An IS auditor identified hard-coded credentials within the source code of recently
developed software when evaluating its readiness for implementation. Which of following
would be the auditor's BEST recommendation?
A. Ensure log reports are retained of all persons updating software source code.
B. Ensure revisions of source code can be tracked and rollback can be performed.
C. Ensure documented evidence of source code being kept in escrow is retained.
D. Ensure source code reviews and debugging are performed and documented
Answer: B (LEAVE A REPLY)

NEW QUESTION: 190


During a help desk review, an IS auditor determines the call abandonment rate exceeds
agreed-upon service levels. What conclusion can be drawn from this finding?
A. There are insufficient telephone lines available to the help desk.
B. Help desk staff are unable to resolve a sufficient number of problems on the first call.
C. Users are finding solutions from alternative sources.
D. There is insufficient staff to handle the help desk call volume.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 191


An organization is using tunneling over an extranet. Which of the following control
objectives is BEST addressed by this process?
A. Availability
B. Completeness
C. Confidentiality
D. Nonrepudiation
Answer: C (LEAVE A REPLY)

NEW QUESTION: 192


An IS auditor discovers that several desktop computers contain unauthorized software.
Which of the following would be the auditor's BEST course of action?
A. Report the use of the unauthorized software to auditee management
B. Report the use of the unauthorized software to the legal department
C. Inform the users of the unauthorized software
D. Delete the unauthorized software from the computers
Answer: B (LEAVE A REPLY)

NEW QUESTION: 193


The results of a feasibility study for acquiring a new system should provide management
with a clear understanding of:
A. application security over critical data processing.
B. the approach to meeting data processing needs.
C. critical application systems' utilization of computer resources.
D. how hardware selection criteria are aligned with the IS strategic plan.
Answer: (SHOW ANSWER)

NEW QUESTION: 194


Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Agile auditing
B. Continuous auditing
C. Outsourced auditing
D. Risk-based auditing
Answer: (SHOW ANSWER)

NEW QUESTION: 195


The risk that the IS auditor will not find an error that has occurred is identified by which of
the following terms?
A. Detection
B. Inherent
C. Prevention
D. Control
Answer: D (LEAVE A REPLY)

NEW QUESTION: 196


The BEST method an organization can employ to align its business continuity plan (BCP)
and disaster recovery plan (DRP) with core business needs is to:
A. execute periodic walk-throughs of the plans.
B. include BCP and disaster recovery plan responsibilities as a part of new employee
training.
C. outsource the maintenance of the BCP and disaster recovery plan to a third party.
D. update the business impact analysis (BIA) for significant business changes.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 197


In which of the following cloud service models does the user organization have the
GREATEST control over the accuracy of configuration items in its configuration
management database (CMDB)?
A. Software as a Service (SaaS)
B. Infrastructure as a Service (IaaS)
C. Database as a Service (DbaaS)
D. Platform as a Service (PaaS)
Answer: B (LEAVE A REPLY)

NEW QUESTION: 198


An organization has outsourced its data processing function to a service provider. Which of
the following would BEST determine whether the service provider continues to meet the
organization's objectives?
A. Assessment of the personnel training processes of the provider
B. Review of performance against service level agreements (SLAs)
C. Periodic audits of controls by an independent auditor
D. Adequacy of the service provider's insurance
Answer: (SHOW ANSWER)

NEW QUESTION: 199


When evaluating a project immediately prior to implementation, which of the following
would provide the BEST evidence that the system has the required functionality?
A. Sign-off from senior management
B. User acceptance testing (UAT) results
C. Integration testing results
D. Quality assurance (QA) results
Answer: D (LEAVE A REPLY)

NEW QUESTION: 200


Which of the following key performance indicators (KPIs) provides the BEST indication of a
security awareness campaign's effectiveness?
A. Decrease in the number of help desk calls
B. Percentage of attendees passing the awareness quiz
C. Reduced average time for incident resolution
D. Increase in the number of reported security incidents
Answer: (SHOW ANSWER)

NEW QUESTION: 201


During an external assessment of network vulnerability, which of the following activities
should be performed FIRST?
A. Collect network information
B. Implement an intrusion detection system (IDS)
C. Review policies
D. Monitor the network
Answer: A (LEAVE A REPLY)

NEW QUESTION: 202


Which of the following would have the GREATEST impact on defining the classification
levels for electronic documents?
A. Volume of information
B. Document archival requirements
C. End user preferences
D. Value of information
Answer: (SHOW ANSWER)

NEW QUESTION: 203


An audit report notes that terminated employees have been retaining their access rights
after their departure.
Which of the following strategies would BEST ensure that obsolete access rights are
identified in a timely manner?
A. Require local supervisors to initiate connection.
B. Implement an automated interface with the organization's human resources system.
C. Delete user IDs at a predetermined date after their creation.
D. Automatically delete user IDs after they are unused for a predetermined time.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 204


Which of the following would BEST indicate a mature information security program within
an organization?
A. A decrease in the cost of the IT security program
B. A decrease in time from incident identification to containment
C. A decrease in the number of attempted attacks per month
D. A decrease in the average time to remediate vulnerabilities
Answer: (SHOW ANSWER)

NEW QUESTION: 205


Which of the following would BEST provide executive management with current
information on IT related costs and IT performance indicators?
A. Continuous audit reports
B. IT dashboard
C. IT service management plan
D. Risk register
Answer: B (LEAVE A REPLY)

NEW QUESTION: 206


Which of the following would provide the BEST assurance that an organization's backup
media is adequate in the case of a disaster?
A. Regular review of backup logs to ensure that all data from the production environment is
included
B. Scheduled maintenance of the backup device
C. Scheduled read/write tests of the backup media
D. Regular recovery of production systems in a test environment
Answer: (SHOW ANSWER)

NEW QUESTION: 207


Which of the following is the MOST important determining factor when establishing
appropriate timeframes for follow-up activities related to audit findings?
A. Availability of IS audit resources
B. Complexity of business processes identified in the audit
C. Remediation dates included in management responses
D. Peak activity periods for the business
Answer: C (LEAVE A REPLY)

NEW QUESTION: 208


Which combination of access controls provides the BEST physical protection for a server
room?
A. Card with a magnetic strip and a smart card
B. User ID and PIN
C. PIN and smart card
D. Card with a magnetic strip and a shared PIN
Answer: A (LEAVE A REPLY)
NEW QUESTION: 209
After discussing findings with an auditee, an IS auditor is required to obtain approval of the
report from the CEO before issuing it to the audit committee. This requirement PRIMARILY
affects the IS auditor's:
A. independence
B. judgment
C. effectiveness
D. integrity
Answer: A (LEAVE A REPLY)

NEW QUESTION: 210


A lower recovery point objective (RPO) results in:
A. wider interruption windows.
B. lower overall cost.
C. higher disaster tolerance.
D. higher backup frequency.
Answer: (SHOW ANSWER)

NEW QUESTION: 211


Which of the following would BEST deter the theft of corporate information from a laptop?
A. Protect files with passwords.
B. Encrypt the file allocation table (FAT).
C. Install biometric access controls.
D. Encrypt all data on the hard drive.
Answer: (SHOW ANSWER)

NEW QUESTION: 212


The practice of performing backups reflects which type of internal control?
A. Compensating
B. Corrective
C. Detective
D. Preventive
Answer: C (LEAVE A REPLY)

NEW QUESTION: 213


Which of the following key performance indicator (KPI) changes would represent a decline
in system availability?
A. Increased mean time to restore services
B. Increased number of help desk
C. Increased percentage of monitored services
D. Increased mean time between failures
Answer: A (LEAVE A REPLY)

NEW QUESTION: 214


When engaging services from external auditors, which of the following should be
established FIRST?
A. Service level agreements
B. Termination conditions agreements
C. Operational level agreements
D. Nondisclosure agreements
Answer: (SHOW ANSWER)

NEW QUESTION: 215


Which of the following tools are MOST helpful for benchmarking an existing IT capability?
A. Risk assessments
B. IT maturity models
C. IT balanced scorecards
D. Prior IS audit reports
Answer: B (LEAVE A REPLY)

NEW QUESTION: 216


An IS auditor is reviewing standards and compliance requirements related to an upcoming
systems audit. The auditor notes that the industry standards are less stringent than local
regulatory standards. How should the auditor proceed?
A. Audit exclusively to the industry standards.
B. Audit to the policies and procedures of the organization.
C. Audit to the standards with the highest requirements.
D. Coordinate with regulatory officers to determine necessary requirements.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 217


A small organization is experiencing rapid growth and plans to create a new information
security policy.
Which of the following is MOST relevant to creating the policy?
A. The business objectives
B. Previous audit recommendations
C. The business impact analysis (BIA)
D. Industry standards
Answer: A (LEAVE A REPLY)

NEW QUESTION: 218


The MOST effective method for an IS auditor to determine which controls are functioning in
an operating system is to:
A. Compare the current configuration to the corporate standard
B. Consult with the vendor of the system
C. Consult with the systems programmer
D. Compare the current configuration to the default configuration
Answer: A (LEAVE A REPLY)

NEW QUESTION: 219


What should be an IS auditor's NEXT course of action when a review of an IT
organizational structure reveals IT staff members have duties in other departments?
A. Determine whether any segregation of duties conflicts exist.
B. Immediately report a potential finding to the audit committee.
C. Report the issue to human resources (HR) management
D. Recommend that segregation of duties controls be implemented.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 220


What is an IS auditor's BEST recommendation to strengthen security guidelines in order to
prevent data leakage from the use of smart devices?
A. Include usage restrictions for smart devices in the security procedures.
B. Review the access logs to the organization's sensitive data in a timely manner.
C. Require employees to formally acknowledge security procedures.
D. Enforce strong security settings on smart devices.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 221


Which of the following factors would be the GREATEST threat to the success of the
re-engineering of a business process?
A. Failure to communicate the reasons for change to employees
B. Lack of support from the senior management
C. Delayed decision-making by the project managers
D. Decrease in the number of control procedures
Answer: B (LEAVE A REPLY)

NEW QUESTION: 222


Which of the following is the BEST key performance indicator (KPI) for determining how
well the IT policy is aligned to the business requirements?
A. Total cost to support the policy
B. Number of approved exceptions to the policy
C. Total cost of policy breaches
D. Number of inquiries regarding the policy
Answer: B (LEAVE A REPLY)

NEW QUESTION: 223


The CIO of an organization is concerned that the information security policies may not be
comprehensive.
Which of the following should an IS auditor recommend be performed FIRST?
A. Obtain a copy of their competitor's policies
B. Establish a governance board to track compliance with the policies
C. Determine if there is a process to handle exceptions to the policies
D. Compare the policies against an industry framework.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 224


Which of the following is the PRIMARY advantage of using an automated security log
monitoring tool over a manual review to monitor the use
A. Increased likelihood of detecting suspicious activity
B. Improved incident response time
C. Reduced costs associated with automating the review
D. Reduced manual effort of reviewing logs
Answer: B (LEAVE A REPLY)

NEW QUESTION: 225


Which of the following is a benefit of using symmetric cryptography instead of asymmetric
cryptography?
A. Can be used for digital signature
B. Enhanced authentication
C. Efficiency of use
D. Improved key management
Answer: (SHOW ANSWER)

NEW QUESTION: 226


Which of the following backup methods is MOST appropriate when storage space is
limited?
A. Full backups
B. Incremental backups
C. Annual backups
D. Differential backups
Answer: (SHOW ANSWER)

NEW QUESTION: 227


Which of the following is the MOST important audit activity following a database migration?
A. Analyze logs to identify potential migration errors that may have occurred
B. Review backup processes and retention requirements for the original
C. Review decommissioning processes for the original source of data
D. Perform an audit of the data migration scripts to ensure integrity of the database
Answer: A (LEAVE A REPLY)

NEW QUESTION: 228


Which of the following is essential to an effective continuous improvement program within
the IS department?
A. Security awareness training
B. Periodic job rotation
C. Performance measurement
D. Independent assessment
Answer: (SHOW ANSWER)

NEW QUESTION: 229


Which of the following would BEST indicate the independence of the internal audit
function?
A. Engagement letter
B. Organizational structure
C. Audit charter
D. Dedicated chief internal auditor
Answer: B (LEAVE A REPLY)
NEW QUESTION: 230
To test the integrity of the data in the accounts receivable master file, an IS auditor is
particularly interested in reviewing customers with balances over $400,000. The selection
technique the IS auditor would use to obtain such a sample is called:
A. Discovery sampling
B. Random selection
C. Systematic selection
D. Stratification
Answer: (SHOW ANSWER)

NEW QUESTION: 231


Which of the following should be the PRIMARY reason to establish a social media policy
for all employees?
A. To raise awareness and provide guidance about social media risks
B. To restrict access to social media during business hours to maintain productivity
C. To publish acceptable messages to be used by employees when posting
D. To prevent negative public social media postings and comments
Answer: (SHOW ANSWER)

NEW QUESTION: 232


Which of the following would be MOST effective to protect information assets in a data
center from theft by a vendor?
A. Issue an access card to the vendor
B. Monitor and restrict vendor activities
C. Conceal data devices and information labels
D. Restrict use of portable and wireless devices
Answer: B (LEAVE A REPLY)

NEW QUESTION: 233


The lack of which of the following represents the GREATEST risk to the quality of
developed software?
A. Load testing
B. An enterprise architecture
C. Periodic internal audits
D. Code reviews
Answer: D (LEAVE A REPLY)

NEW QUESTION: 234


An IS auditor found that a company executive is encouraging employee use of social
networking sites for business purposes. Which of the following recommendations would
BEST help to reduce the risk of data leakage?
A. Monitoring employees social networking usage
B. Requiring policy acknowledgment and nondisclosure agreements signed by employees
C. Establishing strong access controls on confidential data
D. Providing education and guidelines to employees on use of social networking sites
Answer: C (LEAVE A REPLY)

NEW QUESTION: 235


During an IS audit, it is discovered that security configurations differ across the
organization's virtual server farm. Which of the following is the IS auditor's BEST
recommendation to improve the control environment?
A. Implement a security configuration baseline for virtual servers.
B. Conduct an independent review of each server's security configuration.
C. Implement security monitoring controls for high-risk virtual servers.
D. Conduct a standard patch management review across the virtual server farm.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 236


Which type of control is an IS auditor assessing when reviewing the adequacy of existing
policies and procedures related to end-user computing activities?
A. Corrective control
B. Preventive control
C. Directive control
D. Detective control
Answer: (SHOW ANSWER)

NEW QUESTION: 237


The BEST access strategy while configuring a firewall would be to:
A. deny access to all except authorized programs.
B. deny access to all but permit selected.
C. permit access to all but deny selected.
D. permit access to all and log the activity.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 238


A risk analysis is MOST useful when applied during which phase of the system
development process?
A. Feasibility
B. Pre-implementation
C. Design
D. Testing
Answer: A (LEAVE A REPLY)

NEW QUESTION: 239


After delivering an audit report, the audit manager discovers that evidence was overlooked
during the audit This evidence indicates that a procedural control may have failed and
could contradict a conclusion of the audit. Which of the following risks is MOST affected by
the oversight?
A. Audit
B. Financial
C. Inherent
D. Operational
Answer: (SHOW ANSWER)

NEW QUESTION: 240


An incorrect version of source code was amended by a development team. This MOST
likely indicates a weakness in:
A. incident management.
B. quality assurance (QA).
C. project management.
D. change management.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 241


Which of the following observations should be of MOST concern to an IS auditor
evaluating an IT security team's incident handling practices?
A. The team's scope covers any nonstandard operation of IT services within the
organization.
B. The prioritization of incidents is not done through a standardized process.
C. Unresolved incidents are escalated based on criteria set by the organization's CIO.
D. Defined acceptable ranges for incident resolution are not established.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 242


A software development project has had a significant scope reduction. Which of the
following is the MOST important action for the IS auditor to perform in this situation?
A. Informing IT and management about the scope reduction
B. Verifying that IT costs have been reduced
C. Evaluating the effects on key controls
D. Determining if managed maturity levels have been employed
Answer: (SHOW ANSWER)

NEW QUESTION: 243


Which of the following is the BEST indication of control maturity in an organization's
systems development and implementation processes?
A. Code changes are deployed to a test server and then to production.
B. Code changes are tested and deployed manually.
C. Code changes are documented and approved.
D. Code changes are tested and deployed through automation.
Answer: D (LEAVE A REPLY)

NEW QUESTION: 244


An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is
responsible for developing and executing changes into the production environment. Which
of the following should the auditor do FIRST?
A. Determine whether another database administrator (DBA) could make the changes
B. Identify whether any compensating controls exist
C. Report a potential segregation of duties (SoD) violation
D. Ensure a change management process is followed prior to implementation
Answer: D (LEAVE A REPLY)

NEW QUESTION: 245


Low humidity levels in a staffed data center are a threat because they:
A. increase medical liability factors.
B. add to static electricity buildup.
C. reduce air conditioning performance.
D. result in electrical insulation dry-out.
Answer: B (LEAVE A REPLY)

NEW QUESTION: 246


A digital signature addresses which of the following concerns?
A. Message theft
B. Message alteration
C. Unauthorized reading
D. Message copying
Answer: B (LEAVE A REPLY)

NEW QUESTION: 247


Which of the following is the BEST example of a data analytics use case during the
planning phase of an IS audit?
A. Reviewing DevOps procedures to understand how the test and production environments
are kept in sync
B. Extracting production data to determine the success rate of payroll software changes
C. Analyzing prior-year IT help desk tickets to determine the overall IT department risk
rating
D. Analyzing user profile data extracted from a directory server to determine the number of
admin groups available
Answer: C (LEAVE A REPLY)

NEW QUESTION: 248


Which of the following should be the MOST important consideration when prioritizing IS
audit activities?
A. The number of audit team members required for the task
B. Process owner availability during the audit
C. The complexity level of the audit procedure
D. The criticality of IT processes for the business function
Answer: D (LEAVE A REPLY)

NEW QUESTION: 249


Which of the following would provide the BEST evidence of successfully completed batch
uploads?
A. Using sequence controls
B. Reviewing process logs
C. Enforcing batch cut-off times
D. Sign-off on the batch journal
Answer: B (LEAVE A REPLY)

NEW QUESTION: 250


Which of the following factors will BEST promote effective information security
management?
A. Senior management commitment
B. Security policy framework
C. Identification and risk assessment of sensitive resources
D. Security awareness training
Answer: A (LEAVE A REPLY)

NEW QUESTION: 251


Which of the following would BEST help management maintain a current and effective
business continuity plan (BCP)?
A. Perform a periodic recovery test and include a lessons-learned summary.
B. Perform an annual walk-through and verify resources at the recovery site.
C. Update the critical business software list on an annual basis.
D. Verify vendor restore requirements are consistent with the recovery plan.
Answer: (SHOW ANSWER)

NEW QUESTION: 252


An IS auditor is assessing a recent migration of mission critical applications to a virtual
platform. Which of the following observations poses the GREATEST risk to the
organization?
A. A post-implementation review of the hypervisor has not yet been conducted.
B. Training for staff with new virtualization responsibilities has not been conducted.
C. Role descriptions do not accurately reflect new virtualization responsibilities.
D. The migration was not approved by the board of directors.
Answer: C (LEAVE A REPLY)

NEW QUESTION: 253


Which of the following is the MOST important consideration when developing an online
business architecture and recovery strategy?
A. Vendors' financial stability
B. Immediate problem resolution
C. Vendors' network security
D. Single points of failure
Answer: D (LEAVE A REPLY)

NEW QUESTION: 254


When developing a disaster recovery plan (DRP), which of the following should be the
MOST important factor driving the availability requirements of individual applications?
A. Criticality of business processes supported by the applications
B. Total cost of ownership (TCO) of the applications
C. Network bandwidth to support the applications
D. Confidentiality of data processed through the applications
Answer: (SHOW ANSWER)

NEW QUESTION: 255
Which of the following findings should be of GREATEST concern to an IS auditor
performing an information security audit of critical server log management activities?
A. Log records can be overwritten before being reviewed.
B. Logging procedures are insufficiently documented.
C. Logs are monitored using manual processes.
D. Log records are dynamically dispersed into different servers.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 256


An organization has recently acquired and implemented intelligent-agent software for
granting loans to customers. During the post-implementation review, which of the following
would be the KEY procedure for the IS auditor to perform?
A. Review signed approvals to ensure responsibilities for decisions of the system are
well-defined.
B. Ensure that a detection system designed to verify transaction accuracy is included.
C. Review system documentation to ensure completeness.
D. Review input and output control reports to verify the accuracy of the system decisions.
Answer: D (LEAVE A REPLY)


NEW QUESTION: 257


Which of the following is MOST appropriate to prevent unauthorized retrieval of
confidential information stored in a business application system?
A. Implementation of segregation of duties
B. Application of single sign-on for access control
C. Enforcement of an internal data access policy
D. Enforcement of the use of digital signatures
Answer: C (LEAVE A REPLY)

NEW QUESTION: 258


Which of the following controls will BEST ensure that the board of directors receives
sufficient information about IT?
A. Board members are knowledgeable about IT and the CIO is consulted on IT issues.
B. The CIO reports on performance and corrective actions in a timely manner.
C. The CIO regularly sends IT trend reports to the board.
D. Regular meetings occur between the board, the CIO, and a technology committee.
Answer: A (LEAVE A REPLY)

NEW QUESTION: 259


Which of the following is the GREATEST risk of using a reciprocal site for disaster
recovery?
A. Inability to test the recovery plans onsite
B. Equipment compatibility issues at the site
C. Mismatched organizational security policies
D. Inability to utilize the site when required
Answer: A (LEAVE A REPLY)

NEW QUESTION: 260


Which of the following actions should an organization's security policy require an employee
to take upon finding a security breach?
A. Report the incident to the manager immediately.
B. Confirm the breach can be exploited.
C. Devise appropriate countermeasures.
D. Inform IS audit management immediately.
Answer: (SHOW ANSWER)
