CPA: IT governance, cybersecurity risk, data management, COBIT, SOC reports, and information systems controls. One of three Discipline sections.
A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The client utilizes an Infrastructure as a Service (IaaS) model. When defining the scope of the IT audit, which of the following components is the client's management primarily responsible for securing, rather than the cloud service provider?
During a walkthrough of a client's change management process, the auditor notes that developers have write access to the production environment to facilitate quick hotfixes. The client argues that a code review tool logs all changes. Which of the following represents the MOST significant risk associated with this configuration?
A service organization provides a real-time transaction processing platform. The service level agreement (SLA) guarantees a Recovery Point Objective (RPO) of 15 minutes. The auditor discovers that the organization performs full backups nightly at midnight and ships tapes to offsite storage daily. No other backup mechanisms are in place. What is the auditor's conclusion?
An auditor is reviewing a SQL query used by the finance team to generate a report of all sales transactions above $10,000 for the first quarter of 2024. The query is:

SELECT * FROM Sales
WHERE Amount > 10000
AND Date BETWEEN '2024-01-01' AND '2024-03-31'

Assuming the 'Amount' column includes cents and the 'Date' column is a standard date type, which potential issue should the auditor investigate regarding the completeness of this population?
A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted in their own data center. Which of the following statements accurately describes the auditor's responsibility regarding the infrastructure in this scenario?
An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'differential' backup strategy during the week and a 'full' backup on weekends. If the system crashes on Thursday afternoon, which files are required to restore the system to the most recent state?
A company is implementing a new ERP system. The project team decides to run the old system and the new system simultaneously for two months, comparing the outputs of both systems before decommissioning the old one. Which implementation strategy is this?
Under the COSO Internal Control framework, which of the following is a critical risk associated with the use of blockchain technology in financial reporting that an auditor must evaluate?
An auditor is reviewing the data integration process between a CRM system and the General Ledger. The process uses an ETL (Extract, Transform, Load) tool. The auditor observes that the 'Transform' step includes logic to map 'State' codes (e.g., 'NY') to 'Region' IDs (e.g., '101'). Which control is MOST important to ensure data integrity during this step?
A company uses a 'Data Lake' architecture to store unstructured customer feedback logs alongside structured transaction data. When auditing the completeness of data retrieval for analysis, what is a primary challenge the auditor should anticipate compared to a traditional Data Warehouse?
Which of the following scenarios represents a violation of the 'Segregation of Duties' principle in the context of IT change management?
A service organization uses a 'hot site' for disaster recovery. Which of the following best describes the readiness of this facility?
An auditor is testing the 'completeness' of a data extraction from a legacy mainframe to a new cloud database. The auditor sums the 'TotalAccountValue' field in the source system and compares it to the sum in the destination system. This technique is known as:
A company uses a SaaS-based CRM. The auditor wants to verify that the company's data is backed up. The SaaS provider's contract states they perform daily backups. What is the MOST appropriate evidence for the auditor to request?
Which of the following is a 'preventive' control in the context of network security?
A covered entity under HIPAA uses a cloud service to store Patient Health Information (PHI). The cloud provider experiences a data breach where unencrypted PHI is exposed. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
Under the General Data Protection Regulation (GDPR), a 'Data Controller' is defined as:
A retailer processes credit card transactions. According to PCI DSS Requirement 3 (Protect stored cardholder data), which of the following data elements is permitted to be stored after authorization, provided it is encrypted?
The NIST Cybersecurity Framework (CSF) organizes its Core into five concurrent and continuous functions. Which function includes activities to 'develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services'?
An organization is adopting the COBIT 2019 framework. Which of the following is NOT one of the six 'Governance System Principles' of COBIT 2019?
A penetration tester is hired to assess a company's external security. The tester sends a deceptive email to the HR department claiming to be an applicant, with a malicious attachment designed to harvest credentials. This type of attack is best classified as:
Which of the following authentication methods provides the highest level of security for remote access to a corporate network?
An auditor is reviewing the 'Least Privilege' implementation for a database. They find that the 'Reporting_User' role has 'DROP TABLE' permissions. Why is this a control deficiency?
Which of the following best describes the concept of 'Defense in Depth'?
A service organization is undergoing a SOC 2® engagement. The auditor observes that the organization uses a 'bastion host' or 'jump box' to access the production network. What is the primary security purpose of this component?
In the context of encryption, what is the primary difference between symmetric and asymmetric encryption?
A company wants to ensure that sensitive emails sent to external clients cannot be read by interceptors. They implement a solution where the sender uses the recipient's public key to encrypt the message. This ensures:
An auditor is reviewing the incident response plan of a financial institution. The plan states that in the event of a ransomware attack, the first step is to 'Pay the ransom immediately to restore operations.' How should the auditor evaluate this procedure?
Which of the following is a key requirement of the NIST Privacy Framework's 'Control' function?
A CPA is engaged to perform a SOC 1® engagement. Which of the following best describes the subject matter of this engagement?