410 questions across 5 exams
A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The client utilizes an Infrastructure as a Service (IaaS) model. When defining the scope of the IT audit, which of the following components is the client's management primarily responsible for securing, rather than the cloud service provider?
During a walkthrough of a client's change management process, the auditor notes that developers have write access to the production environment to facilitate quick hotfixes. The client argues that a code review tool logs all changes. Which of the following represents the MOST significant risk associated with this configuration?
A service organization provides a real-time transaction processing platform. The service level agreement (SLA) guarantees a Recovery Point Objective (RPO) of 15 minutes. The auditor discovers that the organization performs full backups nightly at midnight and ships tapes to offsite storage daily. No other backup mechanisms are in place. What is the auditor's conclusion?
An auditor is reviewing a SQL query used by the finance team to generate a report of all sales transactions above $10,000 for the first quarter of 2024. The query is:

SELECT * FROM Sales
WHERE Amount > 10000
AND Date BETWEEN '2024-01-01' AND '2024-03-31'

Assuming the 'Amount' column includes cents and the 'Date' column is a standard date type, which potential issue should the auditor investigate regarding the completeness of this population?
A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted in their own data center. Which of the following statements accurately describes the auditor's responsibility regarding the infrastructure in this scenario?
An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'differential' backup strategy during the week and a 'full' backup on weekends. If the system crashes on Thursday afternoon, which files are required to restore the system to the most recent state?
A company is implementing a new ERP system. The project team decides to run the old system and the new system simultaneously for two months, comparing the outputs of both systems before decommissioning the old one. Which implementation strategy is this?
Under the COSO Internal Control framework, which of the following is a critical risk associated with the use of blockchain technology in financial reporting that an auditor must evaluate?
An auditor is reviewing the data integration process between a CRM system and the General Ledger. The process uses an ETL (Extract, Transform, Load) tool. The auditor observes that the 'Transform' step includes logic to map 'State' codes (e.g., 'NY') to 'Region' IDs (e.g., '101'). Which control is MOST important to ensure data integrity during this step?
A company uses a 'Data Lake' architecture to store unstructured customer feedback logs alongside structured transaction data. When auditing the completeness of data retrieval for analysis, what is a primary challenge the auditor should anticipate compared to a traditional Data Warehouse?
Which of the following scenarios represents a violation of the 'Segregation of Duties' principle in the context of IT change management?
A service organization uses a 'hot site' for disaster recovery. Which of the following best describes the readiness of this facility?
An auditor is testing the 'completeness' of a data extraction from a legacy mainframe to a new cloud database. The auditor sums the 'TotalAccountValue' field in the source system and compares it to the sum in the destination system. This technique is known as:
A company uses a SaaS-based CRM. The auditor wants to verify that the company's data is backed up. The SaaS provider's contract states they perform daily backups. What is the MOST appropriate evidence for the auditor to request?
Which of the following is a 'preventive' control in the context of network security?
A covered entity under HIPAA uses a cloud service to store Patient Health Information (PHI). The cloud provider experiences a data breach where unencrypted PHI is exposed. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
Under the General Data Protection Regulation (GDPR), a 'Data Controller' is defined as:
A retailer processes credit card transactions. According to PCI DSS Requirement 3 (Protect stored cardholder data), which of the following data elements is permitted to be stored after authorization, provided it is encrypted?
The NIST Cybersecurity Framework (CSF) organizes its Core into five concurrent and continuous functions. Which function includes activities to 'develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services'?
An organization is adopting the COBIT 2019 framework. Which of the following is NOT one of the six 'Governance System Principles' of COBIT 2019?
A penetration tester is hired to assess a company's external security. The tester sends a deceptive email to the HR department claiming to be an applicant, with a malicious attachment designed to harvest credentials. This type of attack is best classified as:
Which of the following authentication methods provides the highest level of security for remote access to a corporate network?
An auditor is reviewing the 'Least Privilege' implementation for a database. They find that the 'Reporting_User' role has 'DROP TABLE' permissions. Why is this a control deficiency?
Which of the following best describes the concept of 'Defense in Depth'?
A service organization is undergoing a SOC 2® engagement. The auditor observes that the organization uses a 'bastion host' or 'jump box' to access the production network. What is the primary security purpose of this component?
In the context of encryption, what is the primary difference between symmetric and asymmetric encryption?
A company wants to ensure that sensitive emails sent to external clients cannot be read by interceptors. They implement a solution where the sender uses the recipient's public key to encrypt the message. This ensures:
An auditor is reviewing the incident response plan of a financial institution. The plan states that in the event of a ransomware attack, the first step is to 'Pay the ransom immediately to restore operations.' How should the auditor evaluate this procedure?
Which of the following is a key requirement of the NIST Privacy Framework's 'Control' function?
A CPA is engaged to perform a SOC 1® engagement. Which of the following best describes the subject matter of this engagement?
A service organization's system description includes controls performed by a subservice organization (e.g., a data center). The service auditor decides to use the 'carve-out' method. What does this imply for the service auditor's report?
In a SOC 2® engagement, which of the following Trust Services Criteria is MANDATORY for every report?
A service auditor is issuing a SOC 2® Type II report. Testing identified that a key control for revoking terminated user access failed in 5 out of 25 instances sampled. The failure resulted in terminated employees retaining access for up to 2 weeks. What type of opinion should the auditor likely issue?
What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?
Which of the following is an example of a 'Complementary User Entity Control' (CUEC) that might be listed in a payroll service provider's SOC 1® report?
An auditor is testing a control that requires 'Quarterly access reviews'. The auditor selects a sample of one review from the year. Is this sample size appropriate?
Which of the following is a 'corrective' control?
A company uses a 'Platform as a Service' (PaaS) environment to develop and host its web application. The auditor asks for evidence of 'patch management'. Which response from the client is most appropriate regarding the underlying operating system?
An auditor is reviewing the logical access controls for a financial application. They notice that the 'Application Administrator' account is shared by three members of the IT support team. The password is stored in a password vault. What is the primary risk?
Which of the following SQL statements would an auditor use to identify duplicate invoice numbers in the 'Sales' table?
Under the CIS Controls (Center for Internet Security), Control 1 is 'Inventory and Control of Enterprise Assets'. Why is this considered the foundational control?
A company implements a 'Zero Trust' architecture. Which of the following principles is central to this model?
An auditor is examining the 'User Acceptance Testing' (UAT) phase of a software implementation. Who is the MOST appropriate party to sign off on UAT results?
A service organization provides a cloud-based data warehouse. A user entity auditor wants to know if the data in the warehouse is accurate and complete. Which Trust Services Criteria category is MOST relevant?
Which of the following is a characteristic of a 'hardened' operating system?
A company is subject to GDPR. They wish to use customer data for a new purpose (marketing) that was not disclosed when the data was originally collected. What must they typically do?
Which of the following is a 'detective' control for ensuring data integrity in a batch processing system?
An auditor is reviewing the 'Management's Assertion' in a SOC 2® report. Which of the following statements must be included in the assertion?
Which of the following is a primary benefit of using a 'Hybrid Cloud' deployment model?
An auditor is testing the 'Termination' process. They sample 10 employees who left the company. For one employee, the Active Directory account was disabled 3 days after their departure date. The policy states 'within 24 hours'. What is the auditor's next step?
What is the primary purpose of a 'Data Warehouse' compared to an operational database (OLTP)?
A company uses 'Tokenization' to protect credit card numbers. How does this differ from Encryption?
Which of the following is a 'physical' security control?
An auditor is reviewing the 'Change Management' process. They find a change ticket labeled 'Emergency Fix' that was deployed to production without prior testing. The policy allows this if retrospective approval is granted within 24 hours. What is the auditor's primary concern?
Which of the following is a requirement of the HIPAA Security Rule but NOT the Privacy Rule?
A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What action must the auditor take?
Which of the following best describes 'Static Application Security Testing' (SAST)?
An auditor observes that a company uses 'Symmetric' encryption for transmitting large database backups across a public network. The key exchange is handled via a separate secure channel. Is this appropriate?
In the context of COBIT 2019, what is the purpose of the 'Goals Cascade'?
A company uses a 'Biometric' authentication system. The 'False Acceptance Rate' (FAR) is set to 0.01%. What does this mean?
An auditor is reviewing a 'Business Continuity Plan' (BCP). The plan relies on a 'Reciprocal Agreement' with a neighboring company. What is a major risk of this strategy?
Which of the following is a 'Logical' access control?
An auditor is reviewing the 'System Description' for a SOC 2® report. The description lists 'Google Cloud Platform' as a subservice organization. The auditor notes that the description does NOT include the specific controls performed by Google. This indicates:
Which of the following is a 'Risk Response' strategy where the organization decides to stop the activity that causes the risk?
An auditor is testing the 'Accuracy' of a report generated by an IT system. They trace a sample of items from the report back to the source documents (invoices). This test primarily provides evidence for:
Under the NIST Cybersecurity Framework, 'Recovery Planning' falls under which function?
A company stores customer passwords in a database. To protect them, they use a hashing algorithm. Which additional technique should be applied to prevent 'Rainbow Table' attacks?
An auditor is evaluating the 'Independence' of the personnel performing a SOC 2® engagement. Which of the following would impair independence?
Which of the following is a 'Social Engineering' technique where the attacker waits for an authorized user to pass through a secure door and then follows them inside?
A company uses a 'Waterfall' methodology for software development. Which of the following is a primary characteristic of this model?
An auditor is reviewing a SQL query that joins two tables: 'Customers' and 'Orders'. The query uses an 'INNER JOIN'. Which records will be included in the result?
A service organization has a control that states: 'Firewall rules are reviewed semi-annually.' The auditor tests this by requesting the minutes of the review meetings. The client provides minutes for a meeting in January and a meeting in July. Is this sufficient evidence for a Type II report covering Jan 1 to Dec 31?
Which of the following is a 'Substantive Procedure' in an IT audit context?
A company uses a 'Cold Site' for disaster recovery. What is the primary disadvantage of this approach?
Which of the following is a 'Corrective' control in the Change Management process?
An auditor is reviewing the 'System Description' and notices it mentions 'The system is protected by a firewall'. However, the firewall is managed by a third-party MSP (Managed Service Provider) and is not included in the scope of the report (carve-out). What is the impact on the user entity?
Which of the following is a 'Privacy' control (as opposed to Security) in a SOC 2® engagement?
A company uses a 'Public Key Infrastructure' (PKI). What is the role of the 'Certificate Authority' (CA)?
An auditor is reviewing the 'Incident Response' log. They see an entry: 'Server detected high CPU usage. Investigation showed it was a scheduled backup. Ticket closed.' Was this an 'Incident'?
Which of the following is a requirement of PCI DSS Requirement 11 (Regularly test security systems and processes)?
An auditor is reviewing the 'System Description' for a SOC 2® report. The description includes a flowchart of the order processing system. The auditor notices a step in the flowchart where 'Orders > $5000 require Manager Approval'. During the walkthrough, the auditor observes that the system actually requires approval for orders > $10,000. What is the auditor's conclusion?
Which of the following is the MOST effective method to prevent 'SQL Injection' attacks in a web application?
A service organization provides a cloud-based payroll platform where clients access the software via a web browser. The clients do not manage the underlying infrastructure, operating systems, or application capabilities. Which cloud service model is the service organization providing?
An auditor is reviewing the backup strategy for a financial institution that requires a Recovery Point Objective (RPO) of 15 minutes. The current strategy involves a daily full backup at midnight. Which conclusion should the auditor draw?
During a walkthrough of the change management process, an auditor observes that developers have write access to the production environment to deploy hotfixes quickly. Which principle does this violate?
An auditor is reviewing a SQL query used to generate a list of active customers for a marketing campaign. The query is:

SELECT * FROM Customers WHERE Status = 'Active' OR LastOrderDate > '2023-01-01'

What is the potential issue with this query regarding data accuracy?
Which of the following entities is considered a 'Covered Entity' under the HIPAA Privacy Rule?
Under GDPR, which principle requires that personal data be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed?
A service auditor is engaged to perform a SOC 2® examination. The client requests that the report focus solely on the security of the system and not on availability, processing integrity, confidentiality, or privacy. Is this permissible?
In a SOC 2® engagement, management asserts that they use a subservice organization for data center hosting. Management's description of the system excludes the controls performed by the data center. Which method of reporting is being used?
Which component of the COSO Internal Control framework is most directly related to the 'Governance and Culture' component of the COSO ERM framework when applied to cloud governance?
An organization uses a 'defense-in-depth' strategy. Which of the following best represents this approach?
Which NIST Cybersecurity Framework (CSF) function includes the category 'Recovery Planning'?
A company processes credit card transactions. Which standard is MOST applicable to their environment?
An auditor is testing a control that states: 'All new employees must undergo background checks.' The auditor selects a sample of 25 new hires. 24 have documented background checks, but 1 file is missing the documentation. The HR manager states the check was done but the file was lost. What is the appropriate conclusion?
Which type of attack involves an attacker inserting malicious code into a website's input field to manipulate the backend database?
A company wants to ensure that if a disaster occurs, they can restore data to the state it was in no more than 1 hour ago. This requirement defines the:
Which of the following is a detective control?
In the context of CIS Controls, what is the primary purpose of 'Inventory and Control of Enterprise Assets' (Control 1)?
A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What action should the service auditor take?
Which of the following is a key difference between SOC 1® and SOC 2® engagements?
An auditor observes that a company uses a 'test' environment that is an exact replica of the 'production' environment, including real customer data. What is the primary risk associated with this practice?
Which encryption method uses a pair of keys: a public key for encryption and a private key for decryption?
A company uses a 'Data Lake' architecture. Which characteristic best describes a Data Lake?
In a SOC 2® report, which opinion type is issued when the auditor concludes that controls were not suitably designed or operating effectively to achieve the control objectives?
Which NIST Special Publication provides a catalog of security and privacy controls for federal information systems?
An auditor is reviewing a flowchart of the 'Order-to-Cash' process. The flowchart shows that the 'Sales Department' approves credit limits for new customers. What is the control deficiency?
Which of the following best describes 'Tokenization'?
A healthcare provider stores patient records in a cloud database. Which HIPAA rule specifically governs the technical safeguards (like encryption and access control) for this electronic Protected Health Information (ePHI)?
What is the primary purpose of a 'Walkthrough' in an IT audit?
Which SQL command is used to remove a table and all its data permanently from the database?
A company uses a biometric scanner for server room access. This is an example of which authentication factor?
In the context of COBIT 2019, which of the following is a 'Governance Objective' rather than a 'Management Objective'?
A service organization provides a SOC 2® Type II report covering the period January 1 to December 31. A significant control failure occurred on December 28 and was corrected on January 2. How should this be reflected in the report?
Which of the following is a 'Corrective' control?
An auditor is evaluating the 'Processing Integrity' criterion in a SOC 2® engagement. Which of the following is a key requirement?
Which cloud deployment model involves infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)?
A company is subject to GDPR. A data breach occurs involving unencrypted personal data of 5,000 customers. Within what timeframe must the company generally notify the supervisory authority?
An auditor is reviewing the 'User Access Review' control. The policy states reviews happen quarterly. The auditor finds that for Q2, the review was signed off by the same person who has administrative rights to grant access. What is the risk?
What is the primary function of a 'Hypervisor' in a virtualized environment?
Which of the following SQL clauses is used to filter the results of a query based on a specific condition?
In a SOC 2® engagement, what are 'Complementary User Entity Controls' (CUECs)?
Which phase of the Cyber Kill Chain involves transmitting the weaponized code to the target environment (e.g., via email attachment)?
An auditor is testing the 'Logical Access' domain. They find that a terminated employee's account remained active for 3 weeks after departure. The policy requires removal within 24 hours. This is an example of:
Which of the following is a primary benefit of using a 'VPN' (Virtual Private Network) for remote employees?
A company uses 'Incremental' backups daily and a 'Full' backup on Sundays. If the system crashes on Thursday, what is required to restore the data?
Which NIST Privacy Framework function includes the category 'Data Processing Management'?
What is the primary difference between a 'Type I' and 'Type II' SOC report?
An auditor is reviewing a blockchain implementation used for supply chain tracking. Which risk is unique to the 'Immutability' feature of blockchain?
Which of the following is a 'Preventive' control?
Under the HIPAA Security Rule, 'Encryption' is classified as an 'Addressable' implementation specification. What does 'Addressable' mean?
An auditor is testing the 'Change Management' process. They select a sample of 30 changes. They find that 2 changes were deployed to production without the required 'User Acceptance Testing' (UAT) sign-off. The IT Manager explains these were 'Emergency Changes'. What should the auditor look for next?
Which of the following is a 'Social Engineering' attack?
A company uses 'Mirroring' for its database. What is the primary advantage of this approach?
Which SQL aggregate function is used to count the number of rows in a result set?
In a SOC 2® engagement, the 'System Description' is primarily the responsibility of:
Which of the following is a 'Physical' security control?
A company stores customer passwords in a database. To enhance security, they add a random string of characters to each password before hashing it. This technique is known as:
Which document in a SOC engagement outlines the auditor's opinion, the scope of the engagement, and the responsibilities of management and the auditor?
What is the primary purpose of a 'DDoS' (Distributed Denial of Service) attack?
An auditor is reviewing the 'Incident Response Plan'. Which phase should occur immediately after 'Containment'?
Which of the following is a 'Logical' access control?
A company uses 'Asynchronous Replication' to a disaster recovery site. What is the primary risk associated with this method?
Which GDPR right allows an individual to request that their personal data be sent to them or another controller in a structured, commonly used, and machine-readable format?
An auditor is testing the 'Completeness' of a data extraction from an ERP system. They compare the record count in the source system to the record count in the destination file. This is an example of:
Which of the following is a 'Unit Test' in software development?
A service organization uses a 'Bridge Letter' (Gap Letter). What is its purpose?
Which of the following is a key principle of 'Zero Trust' architecture?
An auditor is reviewing a database schema. They notice that the 'SocialSecurityNumber' column is indexed. What is the security risk?
Which COBIT 2019 component describes the rules, regulations, and policies that the enterprise must comply with?
A company uses a 'Cold Site' for disaster recovery. What is the main characteristic of a Cold Site?
Which of the following is an example of 'Inherent Risk' in a cloud environment?
What is the purpose of a 'Data Dictionary'?
An auditor is testing 'Logical Access'. They find a user with the role 'SuperAdmin'. This user is also the 'HR Manager'. What is the primary concern?
Which of the following is a requirement of the 'Privacy' Trust Services Criterion?
A company uses 'Ransomware' insurance. This is an example of which risk response strategy?
Which of the following is a 'Data Loss Prevention' (DLP) control?
An auditor is reviewing the 'System Development Life Cycle' (SDLC). Which phase should include the definition of security requirements?
Which of the following is a 'Symmetric' encryption algorithm?
In a SOC 2® engagement, if the service organization uses the 'Inclusive Method' for a subservice organization, what is the auditor's responsibility?
Which of the following is a 'Batch Processing' characteristic?
An auditor is reviewing the 'Termination' process. They find that while network access is revoked immediately, physical access cards are often collected weeks later. What is the risk?
Which of the following is a 'PaaS' (Platform as a Service) example?
An auditor finds that a company's 'Incident Response Plan' has not been tested or updated in 3 years. What is the primary recommendation?
A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based solution. The client wants to minimize their internal IT team's responsibility for managing the underlying operating system, middleware, and runtime environment, but they want to retain control over the deployed applications and configuration settings. Which cloud service model is MOST appropriate for this client?
During a review of a client's cloud governance structure, an auditor notes that the client uses a public cloud provider for customer-facing web applications but keeps sensitive financial data on a private on-premise server. The two environments are connected via an encrypted VPN. Which deployment model is this client utilizing?
An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan origination system. The auditor discovers that the system automatically rejects loan applications with incomplete data fields but does not generate an error log for these rejections. Which specific processing integrity risk does this control deficiency primarily exacerbate?
A company uses a batch processing system to update inventory records overnight. The 'Grandfather-Father-Son' backup rotation scheme is used. On Thursday morning, the 'Son' (Wednesday night's backup) is found to be corrupted. To restore the system to the most current state possible before the corruption, which tapes are required?
During a walkthrough of the change management process, an auditor observes that the 'Developer' role in the ERP system has access to 'Migrate to Production'. The IT Manager explains this is necessary for emergency fixes overnight when the Change Manager is unavailable. What is the auditor's BEST course of action?
An auditor is reviewing a SQL query used to extract 'Active Customers' for a marketing report. The query is:

SELECT CustomerID, Name FROM Customers WHERE Status = 'Active' OR Status = 'Pending' AND CreditLimit > 1000

The auditor suspects the logic is flawed because of operator precedence. Which customers will this query actually return?
A healthcare provider stores patient records in a data warehouse. To comply with HIPAA while allowing data analysts to study demographic trends, the organization replaces patient names with unique alphanumeric codes that can be mapped back to the original data only by the database administrator. This technique is known as:
Under the General Data Protection Regulation (GDPR), a data subject requests that a company transmit their personal data directly to another service provider. This request falls under which specific right?
A service organization is undergoing a SOC 2® Type II engagement. The auditor finds that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. The control description states: 'All new hires complete security training within 30 days.' What is the MOST appropriate conclusion?
Which of the following scenarios BEST describes a 'Carve-out' method in a SOC 2® report involving a subservice organization?
An IT auditor is reviewing the 'Recovery Point Objective' (RPO) for a critical transaction database. Management has set the RPO at 1 hour. The current backup strategy involves a full backup every Sunday at midnight and incremental backups every night at midnight. Is this strategy adequate?
Which of the following NIST Cybersecurity Framework (CSF) functions is PRIMARILY associated with the implementation of safeguards to ensure delivery of critical infrastructure services, such as Access Control and Awareness Training?
A retailer processes credit card transactions. They have segmented their network so that the Cardholder Data Environment (CDE) is isolated from the corporate Wi-Fi network. According to PCI DSS, what is the primary benefit of this segmentation?
An organization uses a 'Defense in Depth' strategy. Which of the following represents a correct layering of controls from the perimeter inward?
A CPA is performing a SOC 2® engagement. The service organization uses a third-party data center for physical hosting. The service organization's management asserts that physical security is the responsibility of the data center and excludes it from their system description. Which reporting method is being used?
Which of the following is a 'Complementary User Entity Control' (CUEC) likely to be found in a payroll service provider's SOC 1® report?
In the context of COBIT 2019, which of the following best describes the distinction between Governance and Management?
An auditor is testing a control that requires 'Three-way matching' before a payment is authorized. Which three documents must match?
A company implements a 'Zero Trust' architecture. Which of the following principles is central to this approach?
An auditor is reviewing a SOC 2® report and notices the opinion is 'Qualified'. What does this indicate?
Which of the following is a primary responsibility of the 'Data Controller' under GDPR?
A company uses an 'Incremental' backup strategy. A full backup is performed on Sunday. Incremental backups are performed Monday through Saturday. If the system crashes on Thursday morning (before Thursday's backup), what is required to restore the system?
Which of the following SQL commands is used to remove a table and all its data permanently from the database?
An auditor is assessing the 'Availability' criteria for a cloud service provider. The provider claims 99.9% uptime. Which of the following metrics would be MOST useful to verify this claim?
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information). Under the HIPAA Breach Notification Rule, what is the immediate requirement if the breach affects more than 500 individuals?
Which of the following is a characteristic of a 'Symmetric' encryption algorithm?
An auditor observes that a company uses a 'Hot Site' for disaster recovery. What does this imply?
In a SOC 2® engagement, which Trust Services Criteria category is MANDATORY for every report?
A developer is writing a SQL query to combine customer data from the 'Sales' table and the 'Support' table. They want to see ALL customers from the 'Sales' table, and matching support tickets if they exist. If a customer has no support tickets, they should still appear in the list. Which JOIN type should be used?
Which of the following is an example of a 'Preventive' control?
An auditor is reviewing a client's compliance with the NIST Privacy Framework. The client has a process to 'notify individuals about how their data is collected and used'. This aligns with which Function of the NIST Privacy Framework?
A company uses a 'Phishing Simulation' to test employees. This is primarily a test of which security domain?
Which of the following describes a 'Logic Bomb'?
An auditor is reviewing the 'Change Management' process. They find that the 'Request for Change' (RFC) form does not require a back-out plan. Why is this a control deficiency?
A service organization provides a cloud-based accounting platform. They want to assure their customers that the system is available and confidential. However, they do not want to reveal the detailed results of their control testing to the general public. Which report is MOST appropriate?
Which of the following is a key requirement of the HIPAA Security Rule but NOT the Privacy Rule?
An auditor is reviewing a firewall configuration. They see a rule at the bottom of the Access Control List (ACL) that says 'DENY ALL'. What is this practice called?
Which of the following is a risk associated with using a 'Public Blockchain' for financial reporting?
A company wants to ensure that their web application can handle a sudden spike in traffic during Black Friday sales. They configure their cloud environment to automatically add more virtual servers when CPU usage exceeds 80%. This capability is known as:
An auditor is testing the 'Logical Access' controls for an ERP system. They select a sample of new employees and verify that their access rights were approved by a manager. This test is designed to validate which assertion?
Which of the following is a primary benefit of using a 'Data Lake' compared to a 'Data Warehouse'?
An organization discovers a vulnerability in their web server software. The vendor has released a patch, but the organization cannot apply it immediately due to compatibility issues with a legacy application. What is the BEST temporary course of action?
Which of the following statements accurately describes the 'Integrity' component of the CIA Triad?
A company is using the 'Inclusive Method' for a subservice organization in their SOC 2® report. What does this imply for the service auditor?
Which of the following is a 'Corrective' control?
An auditor is reviewing a database schema. They notice that the 'SocialSecurityNumber' column is stored in cleartext. Which control is missing?
What is the primary purpose of a 'Management Assertion' in a SOC engagement?
A company uses a biometric fingerprint scanner and a PIN code for server room access. What type of authentication is this?
Which CIS Control is typically prioritized as Control #1 because you cannot protect what you do not know you have?
An auditor is reviewing the 'Incident Response Plan'. The plan includes a step for 'Containment'. What is the primary goal of this phase?
A company uses a 'Cold Site' for disaster recovery. Which of the following is the primary disadvantage of this approach?
Which of the following attacks involves an attacker intercepting communication between two parties and relaying messages between them?
An auditor is reviewing the 'Segregation of Duties' (SoD) in the payroll process. Which two roles should be separated?
A company uses 'Asymmetric' encryption for secure email. If Alice wants to send a confidential email to Bob that only Bob can read, which key does she use to encrypt it?
Which of the following is a 'Detective' control?
An auditor is evaluating the 'Completeness' of data transfer from a legacy system to a new ERP. Which technique is MOST effective?
Under COBIT 2019, which component of the governance system describes the 'rules of the game'?
A company wants to implement a 'Least Privilege' model for its cloud storage buckets. What does this entail?
An auditor is reviewing a SOC 2® Type II report. The testing period covers January 1 to December 31. The auditor notices that a significant control failure occurred on December 28 and was not remediated by year-end. How should this be handled?
Which of the following is an example of 'SaaS' (Software as a Service)?
A company is designing a new data center. They install a 'Biometric Mantrap' at the entrance. What is the purpose of this control?
An auditor is reviewing a SQL query: `SELECT * FROM Employees WHERE Salary > 100000;`. What is the risk of using `SELECT *` in production code?
Which of the following is a 'Type 1' SOC report?
A company is implementing a 'Data Loss Prevention' (DLP) solution. Which of the following is a primary function of DLP?
Which of the following is a 'Physical' security control?
An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Emergency Fix' that was deployed without prior testing in the staging environment. The policy allows this but requires 'Post-Implementation Review' within 24 hours. The auditor finds the review was completed 3 days later. What is the finding?
Which of the following is a characteristic of 'Ransomware'?
A company uses a 'VPN' (Virtual Private Network) for remote employees. What is the primary security function of the VPN?
In a relational database, what is a 'Foreign Key'?
An auditor is testing the 'Termination' process. They find that a terminated employee's Active Directory account was disabled 5 days after their departure. The policy states 'Immediate' (within 24 hours). What is the risk?
Which of the following is a requirement of the 'NIST SP 800-53' framework?
A company uses 'Input Validation' on its web forms. Which attack does this primarily prevent?
An auditor is assessing 'Independence' for a SOC engagement. Which of the following would impair independence?
What is the difference between 'Authentication' and 'Authorization'?
A company uses 'Containerization' (e.g., Docker) for its applications. From an auditor's perspective, what is a key difference between a Container and a Virtual Machine (VM)?
An auditor is reviewing the 'System Description' in a SOC 2® report. Which of the following MUST be included?
Which of the following is a 'Social Engineering' technique?
A company uses 'Role-Based Access Control' (RBAC). How are permissions assigned?
An auditor is reviewing the 'Business Continuity Plan' (BCP). Which of the following is a key component that determines the order in which business processes should be restored?
Which of the following is a 'Subsequent Event' in a SOC engagement?
A company uses 'Hashing' to store passwords. Why is this better than encryption?
An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. The client has excluded their 'Customer Support Chatbot' from the system description. The chatbot collects customer names and account numbers. Is this exclusion appropriate?
A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environment. The client wants to minimize their responsibility for managing the underlying operating system, middleware, and runtime environment, but wants to retain control over the deployed applications and configuration settings. Which cloud service model is most appropriate for this client?
An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provider. The client handles highly sensitive healthcare data. The auditor notes that the cloud provider stores data in a multi-tenant environment. Which specific risk is MOST heightened in this deployment model compared to a private cloud?
A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor discovers that the operating system of the virtual machines has not been patched for critical vulnerabilities. Under the shared responsibility model, who is responsible for this control failure?
An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its migration to the cloud. Which of the following actions best aligns with the 'Governance and Culture' component of COSO ERM in this context?
During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can both authorize credit limits for new customers and approve sales orders exceeding those limits. The documented process flow states these functions should be separated. Which type of deficiency has the auditor identified?
An auditor is reviewing the backup strategy for a financial transaction system with a Recovery Point Objective (RPO) of 1 hour. The current strategy involves a full backup every Sunday at midnight and differential backups every night at midnight. Is this strategy adequate?
A developer at a software company has access to write code in the development environment and also has administrative access to promote that code directly to the production environment. Which specific IT general control (ITGC) principle is violated?
An auditor is examining a SQL query used to generate a report of all sales transactions for the fiscal year 2024. The query is `SELECT * FROM Sales WHERE SaleDate > '2024-01-01' AND SaleDate < '2024-12-31'`. What is the potential issue with this query regarding data completeness?
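The completeness gap behind this question, worked through as an added example that is not part of the original page. The sample rows, the in-memory SQLite table and the column names are constructed for the example; SQLite compares the text dates lexically, which behaves the same way a DATETIME column does when the literal '2024-12-31' is cast to midnight.

```python
import sqlite3

# Constructed sample data for this example (not from the page): a row on each
# boundary day of 2024, one mid-year, one just outside each end, and one row
# whose SaleDate carries a time component, as many ERP extracts do.
SAMPLE_SALES = [
    (1, "2023-12-31", 500.00),
    (2, "2024-01-01", 120.00),          # first day of the fiscal year
    (3, "2024-06-15", 75.25),
    (4, "2024-12-31", 300.00),          # last day of the fiscal year
    (5, "2024-12-31 16:45:00", 42.00),  # last day, stored with a timestamp
    (6, "2025-01-01", 90.00),
]

# Rows 2, 3, 4 and 5 are the complete FY2024 population.
EXPECTED_FY2024 = [2, 3, 4, 5]

# The predicate exactly as written in the question: strict comparisons exclude
# both boundary dates.
STRICT = "SaleDate > '2024-01-01' AND SaleDate < '2024-12-31'"
# BETWEEN is inclusive at both ends, but '2024-12-31 16:45:00' still sorts after
# '2024-12-31' (a DATETIME column would likewise cast the literal to midnight),
# so last-day rows with a time component are dropped.
BETWEEN = "SaleDate BETWEEN '2024-01-01' AND '2024-12-31'"
# A half-open range captures everything from Jan 1 up to, but excluding, the
# first instant of the following year, with or without a time component.
HALF_OPEN = "SaleDate >= '2024-01-01' AND SaleDate < '2025-01-01'"


def build_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sales (SaleID INTEGER, SaleDate TEXT, Amount REAL)")
    conn.executemany("INSERT INTO Sales VALUES (?, ?, ?)", SAMPLE_SALES)
    return conn


def sale_ids(conn, predicate):
    """SaleIDs selected by a fixed, developer-written predicate (never user input)."""
    rows = conn.execute(f"SELECT SaleID FROM Sales WHERE {predicate} ORDER BY SaleID")
    return [row[0] for row in rows]


def compare_ranges():
    """Run all three predicates and return the SaleIDs each one selects."""
    conn = build_db()
    return {
        "strict": sale_ids(conn, STRICT),
        "between": sale_ids(conn, BETWEEN),
        "half_open": sale_ids(conn, HALF_OPEN),
    }


def missing_from(selected, expected=EXPECTED_FY2024):
    """Population rows the predicate failed to pick up (a completeness gap)."""
    return [sid for sid in expected if sid not in selected]


if __name__ == "__main__":
    for name, ids in compare_ranges().items():
        print(f"{name:9s} selected {ids}; missing {missing_from(ids)}")
```

Running it shows the strict predicate keeping only the mid-year row, BETWEEN recovering the two boundary days but still losing the timestamped last-day row, and the half-open range returning the whole population. The half-open form is the one to ask for when testing completeness of any period-based extract.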
A healthcare provider stores patient records in a cloud database. To comply with HIPAA, they must ensure that even if the database storage media is stolen, the data remains unreadable. Which control is MOST appropriate to address this specific risk?
Under the General Data Protection Regulation (GDPR), a data subject requests that a company delete all their personal data. The company refuses because the data is required to be retained by tax laws. Which GDPR principle allows the company to refuse this request?
An auditor is evaluating a company's compliance with PCI DSS Requirement 3 (Protect stored cardholder data). The auditor finds that the Primary Account Number (PAN) is displayed in full on the customer service representative's screen. Which specific control is missing?
Which component of the NIST Cybersecurity Framework (CSF) focuses on developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event?
A service organization is preparing for a SOC 2® engagement. They have identified a risk that unauthorized changes to the production database could result in data integrity issues. Which of the following is a 'preventive' control addressing this risk?
During a SOC 2® Type II engagement, the auditor discovers that for a sample of 25 new hires, 2 did not complete the required security awareness training within 30 days of hire as mandated by company policy. What is the most appropriate next step for the auditor?
A service organization uses the 'Carve-out' method for a subservice organization that provides data center hosting. In the SOC 2® report, how are the controls of the data center presented?
Which of the following best describes the primary purpose of a SOC 3® report compared to a SOC 2® report?
An attacker sends an email to the HR department with an attachment named 'Payroll_Update.exe' that looks like a PDF icon. When clicked, it installs software that logs keystrokes. Which stage of the cyber-attack lifecycle does the 'clicking of the attachment' represent?
A company implements a 'Zero Trust' architecture. Which of the following principles is central to this approach?
An auditor is reviewing a company's disaster recovery plan (DRP). The company uses a 'Hot Site' for recovery. Which characteristic best describes a Hot Site?
Which of the following SQL statements would be most useful for an auditor attempting to identify duplicate invoice numbers in a table named 'Invoices'?
A company uses a blockchain ledger to record supply chain transactions. An auditor is assessing the risk of '51% attacks'. What is the primary implication of a successful 51% attack on a blockchain?
Which of the following is a key principle of the COBIT 2019 governance framework?
An auditor is testing the 'Processing Integrity' criteria for a payroll system. They find that the system accepts negative values for 'Hours Worked'. Which type of application control is missing?
A company is subject to HIPAA. An employee loses a company laptop containing unencrypted ePHI (electronic Protected Health Information) of 600 patients. Under the HIPAA Breach Notification Rule, which of the following actions is REQUIRED?
In the context of a SOC 2® engagement, what is the definition of a 'deviation'?
Which of the following best describes the 'Integrity' component of the CIA Triad in information security?
An auditor is reviewing the 'System Description' for a SOC 2® report. Which of the following is a REQUIRED element of the system description?
A company uses a 'Data Lake' architecture. What is a primary characteristic of a Data Lake compared to a Data Warehouse?
Which of the following authentication methods is considered 'Something you are'?
An auditor is reviewing the 'Change Management' process. They observe that emergency changes are allowed to bypass the standard testing phase to restore service quickly. What is the compensating control that MUST be in place for this process to be acceptable?
A service organization provides payroll processing services. They outsource the printing and mailing of checks to a third-party vendor. In the context of the service organization's SOC 1® report, what is the printing vendor considered?
Which CIS Control focuses on 'Inventory and Control of Enterprise Assets'?
An auditor is reviewing a SQL query that joins two tables: 'Customers' and 'Orders'. The goal is to list ALL customers, including those who have not placed any orders. Which JOIN type should be used?
A company is designing a new data center. They install a 'mantrap' at the entrance to the server room. Which type of control is this?
In the context of NIST SP 800-53, what does the term 'Control Baseline' refer to?
An auditor is testing a client's firewall configuration. They notice a rule that allows 'Any' source IP to access the database port (1433) directly from the internet. Which security principle is violated?
A company is using a 'SaaS' CRM application. The auditor wants to verify that the SaaS provider backs up the data. Since the auditor cannot physically visit the SaaS provider, what is the most appropriate evidence to obtain?
Which of the following scenarios describes a 'Phishing' attack?
An auditor is reviewing the 'Logical Access' controls. They find that user accounts are not disabled immediately upon termination of employment. This control deficiency primarily increases the risk of:
What is the primary purpose of a 'VPN' (Virtual Private Network) for remote employees?
A company wants to ensure that their cloud provider cannot access their sensitive data, even if the provider is subpoenaed. Which control achieves this?
In a SOC 2® engagement, which of the following is a 'Trust Services Criterion' related to Privacy?
An auditor is reviewing the 'Incident Response Plan'. Which phase of incident response involves removing the threat from the environment (e.g., deleting malware, disabling breached accounts)?
Which of the following is an example of a 'Detective' control?
A company processes credit card payments. Which standard MUST they comply with?
An auditor is assessing the 'Availability' criteria in a SOC 2® engagement. The client claims to have high availability. Which metric best measures the percentage of time the system is operational?
Which of the following is a 'Corrective' control?
A company uses 'Asymmetric Encryption' for secure email. If User A wants to send a confidential message to User B, which key should User A use to encrypt the message?
What is the primary difference between a SOC 2® Type I and a SOC 2® Type II report?
An auditor observes that a company uses 'Hashing' to store passwords. Why is hashing preferred over encryption for password storage?
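The reason hashing is preferred for password storage, shown as an added example rather than code from the page: a salted, iterated one-way function leaves nothing to decrypt if the table is stolen, whereas encrypted passwords are only as safe as the key sitting next to them. The storage format (algorithm, iteration count, salt and digest joined with `$`) and the iteration count are choices made for this example.

```python
import hashlib
import hmac
import secrets

# Hypothetical storage format chosen for this example: algorithm, iteration
# count, salt and digest, hex-encoded and '$'-separated, so everything needed
# to verify travels with the stored record.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # in line with current OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password, iterations=DEFAULT_ITERATIONS, salt=None):
    """Return a salted, iterated one-way hash to store instead of the password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password):
    """What NOT to do: a fast, unsalted hash. Equal passwords give equal digests,
    so one precomputed table cracks every user who chose that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record_a = hash_password("correct horse battery staple")
    record_b = hash_password("correct horse battery staple")
    print("same password, different stored records:", record_a != record_b)
    print("verify right password:", verify_password("correct horse battery staple", record_a))
    print("verify wrong password:", verify_password("Tr0ub4dor&3", record_a))
    print("unsalted digests collide:", unsalted_sha256("hunter2") == unsalted_sha256("hunter2"))
```

Two users with the same password get different records because each has its own salt, the stored record can be verified but not reversed, and there is no decryption key for an auditor to worry about in the key-management review.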
Which of the following is a 'Management Assertion' required in a SOC 2® report?
A company uses a 'Hybrid Cloud' model. Which of the following best describes this architecture?
An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Standard Change'. How does a Standard Change typically differ from a Normal Change?
Which of the following is a 'Physical' threat to information systems?
A company implements 'Data Loss Prevention' (DLP) software. Which of the following actions would the DLP system most likely block?
An auditor is reviewing the 'System Development Life Cycle' (SDLC). In which phase should security requirements be defined?
Which of the following is a 'Nation-State' threat actor most likely to target?
An auditor is testing a control that requires 'Three-Way Matching' for accounts payable. What three documents must match?
Under GDPR, which role determines the 'purposes and means' of processing personal data?
A company uses 'Tokenization' for credit card numbers. What is the primary benefit of tokenization over encryption for the merchant?
An auditor is reviewing the 'System Boundaries' in a SOC 2® engagement. Which of the following should be included in the system boundary definition?
Which of the following is a 'Risk Response' strategy where the company decides to stop the activity that causes the risk?
A company uses 'Ransomware' protection. Which backup strategy is most effective against ransomware that encrypts connected drives?
An auditor is testing 'Logical Access'. They find that the 'Administrator' group contains 15 users, including 5 who left the company years ago. This violates which principle?
Which of the following describes a 'Cold Site' for disaster recovery?
In a SOC 2® report, if the service auditor identifies a material weakness in the design of controls, what type of opinion should be issued?
Which NIST framework is specifically designed to help organizations manage privacy risks?
An auditor is reviewing a 'Batch Processing' job that runs overnight. The job log shows 'Error: Input file footer count does not match record count'. Which control detected this?
What is the primary function of a 'Circuit Breaker' pattern in a microservices architecture? (The pattern is not explicitly detailed in the exam blueprint, but it relates to the Availability criterion.)
An auditor is reviewing the 'Complementary User Entity Controls' (CUECs) in a SOC 2® report. Who is responsible for implementing these controls?
Which SQL command is used to remove a table and all its data permanently from the database?
A company uses 'Symmetric Encryption'. Which of the following is a major challenge associated with this method?
An auditor is reviewing the 'Incident Response' logs. They see a 'False Positive'. What does this mean?
Which of the following is a 'Preventive' control for 'SQL Injection'?
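The preventive control for SQL injection (and the input-validation question earlier on the page), shown as an added example that is not from the page: the vulnerable string-built query beside the parameterized form, run against a constructed in-memory SQLite table. The table, rows, usernames and the allow-list pattern are assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for this example (not from the page).
USERS = [
    (1, "alice", "finance"),
    (2, "bob", "payroll"),
    (3, "carol", "audit"),
]

INJECTION = "' OR '1'='1"   # classic tautology payload


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER, Username TEXT, Department TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", USERS)
    return conn


def find_user_vulnerable(conn, username):
    """The flaw: user input is pasted into the SQL text, so it can rewrite the query.
    With INJECTION the statement becomes WHERE Username = '' OR '1'='1' and
    every row comes back."""
    sql = f"SELECT UserID, Username FROM Users WHERE Username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The preventive control: a parameterized query. The driver sends the SQL and
    the value separately, so the value is only ever compared, never parsed."""
    sql = "SELECT UserID, Username FROM Users WHERE Username = ?"
    return conn.execute(sql, (username,)).fetchall()


def is_valid_username(value):
    """Defence in depth: an allow-list check on the input (hypothetical rule for
    this example: lowercase letter first, then 2 to 31 letters, digits or '_').
    Validation narrows what reaches the query; parameterization is what makes
    the query safe regardless."""
    return re.fullmatch(r"[a-z][a-z0-9_]{2,31}", value) is not None


if __name__ == "__main__":
    conn = build_db()
    print("normal lookup:", find_user_safe(conn, "alice"))
    print("vulnerable, with payload:", find_user_vulnerable(conn, INJECTION))
    print("parameterized, with payload:", find_user_safe(conn, INJECTION))
    print("payload passes allow-list:", is_valid_username(INJECTION))
```

The parameterized lookup returns no rows for the payload because the whole string, quotes and all, is matched as a username; the string-built version hands back the entire table. The allow-list check is a second layer, not a substitute for parameterization.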
A service organization's management refuses to provide a written assertion for a SOC 2® engagement. What should the service auditor do?
Which of the following is an example of 'Social Engineering'?
An auditor is reviewing the 'Data Retention Policy'. The policy states that customer data is deleted after 7 years. However, the auditor finds backups containing 10-year-old data. This is a violation of which GDPR principle?
Which of the following is a 'Technical' (Logical) control?
A company uses 'Containerization' (e.g., Docker) for its applications. What is a key security benefit of containers compared to traditional virtual machines?
An auditor is reviewing the 'Business Continuity Plan' (BCP). What is the primary goal of BCP?
Which of the following is a 'Subsequent Event' in a SOC 2® engagement?
An auditor is reviewing the 'Risk Assessment' component of COSO. Which of the following is a prerequisite for risk assessment?
A service organization provides a cloud-based payroll processing application to its user entities. The user entities access the software via a web browser, but the service organization manages the underlying infrastructure, operating system, and application updates. Which cloud service model is the service organization providing?
An auditor is reviewing the shared responsibility model for a client using an Infrastructure as a Service (IaaS) provider. Which of the following responsibilities typically remains with the client (user entity) rather than the cloud provider?
A financial institution requires a cloud deployment model that offers the highest level of control and isolation for its sensitive data, even if it requires higher costs and maintenance. Which deployment model is most appropriate?
During an IT audit, you observe that a company uses a 'Hybrid Cloud' architecture. Which scenario best describes this architecture?
Which component of IT architecture is primarily responsible for translating domain names (like www.aicpa.org) into IP addresses that computers use to communicate?
In the context of COSO Enterprise Risk Management, which principle is most relevant when an organization evaluates the risks associated with migrating its core financial system to the cloud?
An auditor is reviewing the 'Order-to-Cash' process. The documented flowchart indicates that a credit check is performed automatically by the system before a sales order is approved. However, during a walkthrough, the auditor observes a sales representative manually overriding the credit hold to expedite a shipment for a VIP client. What is the primary concern?
A company uses a private blockchain to record supply chain transactions. Which of the following is a unique risk associated with blockchain technology that an auditor should consider regarding financial reporting?
An auditor is testing processing integrity controls for a payroll system. The auditor inputs a test transaction with an employee working 400 hours in a single week. The system accepts the input and processes the check. Which type of control is likely missing or ineffective?
Which of the following best describes the 'Three-Way Match' control in a procurement process?
A company is implementing an ERP system. Which of the following represents a 'Segregation of Duties' conflict that should be flagged during the design phase?
In a batch processing system for utility billing, which control would best detect if a transaction file was processed twice by accident?
A company has a Recovery Point Objective (RPO) of 4 hours. They currently perform a full backup every Sunday at midnight and incremental backups every night at midnight. Is this backup strategy adequate to meet the RPO?
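The restore-chain and RPO reasoning behind the backup questions above (which files an incremental or differential chain needs after a Thursday-morning crash, and whether a nightly schedule can meet an RPO of one or four hours), as an added example that is not from the page. The schedule (full backup Sunday at 23:00, one nightly backup at 23:00 on the other days) and the crash time are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed schedule for this example (not from the page): a full backup every
# Sunday night and one daily backup (incremental or differential) every other
# night, all starting at 23:00.
FULL_WEEKDAY = 6      # datetime.weekday(): Monday = 0 ... Sunday = 6
BACKUP_HOUR = 23
BACKUP_INTERVAL_HOURS = 24

# Constructed crash time: Thursday 2024-06-06 at 09:00, i.e. before Thursday's
# nightly backup has run.
EXAMPLE_CRASH = datetime(2024, 6, 6, 9, 0)


def last_full_backup(crash):
    """Most recent Sunday 23:00 at or before the crash."""
    point = crash.replace(hour=BACKUP_HOUR, minute=0, second=0, microsecond=0)
    if point > crash:
        point -= timedelta(days=1)
    while point.weekday() != FULL_WEEKDAY:
        point -= timedelta(days=1)
    return point


def restore_chain(strategy, crash):
    """Backups needed, in restore order, to rebuild the system as of the crash.

    Each incremental holds only the changes since the previous backup, so every
    one taken since the full is needed. A differential holds all changes since
    the full, so only the latest one is needed.
    """
    full = last_full_backup(crash)
    dailies = []
    point = full + timedelta(days=1)
    while point <= crash:
        dailies.append(point)
        point += timedelta(days=1)
    if strategy == "incremental":
        needed = dailies
    elif strategy == "differential":
        needed = dailies[-1:]
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    return [("full", full)] + [(strategy, p) for p in needed]


def describe(chain):
    """Human-readable restore order."""
    return [f"{kind} {point:%Y-%m-%d %H:%M}" for kind, point in chain]


def data_loss_hours(crash):
    """Transactions lost at this particular crash: time since the last backup point."""
    last_point = restore_chain("incremental", crash)[-1][1]
    return (crash - last_point).total_seconds() / 3600


def meets_rpo(rpo_hours, interval_hours=BACKUP_INTERVAL_HOURS):
    """Worst-case loss equals the gap between backups; it must not exceed the RPO."""
    return interval_hours <= rpo_hours


if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        print(strategy, describe(restore_chain(strategy, EXAMPLE_CRASH)))
    print("data lost at this crash (h):", data_loss_hours(EXAMPLE_CRASH))
    for rpo in (1, 4, 24):
        print(f"RPO {rpo}h with nightly backups: {'met' if meets_rpo(rpo) else 'NOT met'}")
```

For the Thursday-morning crash the incremental chain is Sunday's full plus Monday, Tuesday and Wednesday nights; the differential chain is Sunday's full plus Wednesday night only. Either way the worst case is just under 24 hours of lost transactions, so a nightly schedule cannot satisfy an RPO of one or four hours regardless of the incremental/differential choice; the backup interval itself has to shrink.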
Which disaster recovery site option provides the fastest recovery time (lowest RTO) but incurs the highest cost?
A database administrator implements 'disk mirroring' (RAID 1). Which availability risk does this primarily mitigate?
What is the primary difference between a Differential Backup and an Incremental Backup?
During a SOC 2 engagement, you observe that the organization tests its Disaster Recovery Plan (DRP) annually using a 'Tabletop Exercise'. What does this involve?
Which of the following metrics would be most critical to review when assessing the effectiveness of an organization's Business Continuity Plan regarding revenue loss?
An auditor observes that a developer has 'write' access to the production environment to fix urgent bugs. The developer also writes the code in the development environment. What is the primary risk?
In a formal change management process, which testing stage is performed by the end-users to verify the system meets business requirements?
A company uses a 'Continuous Integration/Continuous Deployment' (CI/CD) pipeline. An auditor notes that code is automatically deployed to production after passing automated tests. What is the most appropriate compensating control to look for?
Which document should be updated immediately following an emergency change to the production system?
An auditor is reviewing a population of changes. They select a sample of changes and trace them back to the Change Request tickets. What assertion is the auditor primarily testing?
Which environment is used to combine individual software modules and test their interaction before UAT?
An auditor wants to extract all customers from the 'Sales' table who live in 'NY' and spent more than $1,000. Which SQL clause is required to filter the data?
Review the following SQL query: `SELECT CustomerID, SUM(OrderAmount) FROM Orders GROUP BY CustomerID HAVING SUM(OrderAmount) > 10000;` What is the purpose of this query?
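The GROUP BY / HAVING pattern behind this question and the earlier duplicate-invoice question, run end to end as an added example that is not from the page. The Invoices table, its rows and the column names are constructed for the example; the queries are executed in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data for this example (not from the page).
INVOICES = [
    (1, "INV-1001", "C1", 4000.00),
    (2, "INV-1002", "C1", 7500.00),
    (3, "INV-1001", "C1", 4000.00),   # exact re-entry of row 1
    (4, "INV-1003", "C2", 9000.00),
    (5, "INV-1004", "C2", 900.00),
    (6, "INV-1005", "C3", 250.00),
    (7, "INV-1003", "C2", 9100.00),   # same number as row 4, different amount
]

# Invoice numbers that appear more than once. HAVING filters the groups that
# GROUP BY produced, which is where a condition on COUNT(*) has to live.
DUPLICATE_NUMBERS = """
    SELECT InvoiceNumber, COUNT(*) AS Occurrences
    FROM Invoices
    GROUP BY InvoiceNumber
    HAVING COUNT(*) > 1
    ORDER BY InvoiceNumber
"""

# The follow-up an auditor actually wants: every row behind those numbers, so
# a true re-keyed duplicate can be told apart from a reused number.
DUPLICATE_ROWS = """
    SELECT InvoiceID, InvoiceNumber, CustomerID, Amount
    FROM Invoices
    WHERE InvoiceNumber IN (
        SELECT InvoiceNumber FROM Invoices
        GROUP BY InvoiceNumber HAVING COUNT(*) > 1)
    ORDER BY InvoiceNumber, InvoiceID
"""

# Same shape as the question's query: customers whose summed amount exceeds a
# threshold, with the threshold bound as a parameter.
CUSTOMER_TOTALS_OVER = """
    SELECT CustomerID, SUM(Amount) AS Total
    FROM Invoices
    GROUP BY CustomerID
    HAVING SUM(Amount) > ?
    ORDER BY CustomerID
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Invoices (InvoiceID INTEGER PRIMARY KEY, "
                 "InvoiceNumber TEXT, CustomerID TEXT, Amount REAL)")
    conn.executemany("INSERT INTO Invoices VALUES (?, ?, ?, ?)", INVOICES)
    return conn


def duplicate_invoice_numbers(conn):
    return conn.execute(DUPLICATE_NUMBERS).fetchall()


def duplicate_invoice_rows(conn):
    return conn.execute(DUPLICATE_ROWS).fetchall()


def customers_over(conn, threshold):
    return conn.execute(CUSTOMER_TOTALS_OVER, (threshold,)).fetchall()


def where_on_aggregate_fails(conn):
    """WHERE is evaluated per row before grouping, so an aggregate there is rejected."""
    try:
        conn.execute("SELECT CustomerID FROM Invoices WHERE SUM(Amount) > 10000 GROUP BY CustomerID")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    print("duplicate numbers:", duplicate_invoice_numbers(conn))
    print("rows behind them:", duplicate_invoice_rows(conn))
    print("customers over 10,000:", customers_over(conn, 10000))
    print("WHERE on an aggregate is an error:", where_on_aggregate_fails(conn))
```

Note that the duplicate row 3 inflates C1's total, so a duplicate check is worth running before relying on any aggregate threshold report; the two queries belong in the same procedure.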
Which data storage concept refers to a vast pool of raw, undefined data (structured and unstructured) stored for future purpose?
In the ETL (Extract, Transform, Load) process, at which stage is data cleaned, deduplicated, and converted into a consistent format?
An auditor is validating the completeness of a data migration from a legacy system to a new ERP. Which procedure is most effective?
Which SQL command is used to combine rows from two or more tables based on a related column between them?
Under the HIPAA Security Rule, which of the following is a 'Covered Entity'?
A European customer requests that a US-based company delete all their personal data. Under GDPR, this is known as:
Which PCI DSS requirement falls under the goal of 'Protect Cardholder Data'?
The NIST Cybersecurity Framework (CSF) is organized into five core functions. Which function involves developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event?
Which component of COBIT 2019 describes the 'Governance System'?
According to the CIS Controls v8, what is Control 1 (the most foundational control)?
NIST Special Publication 800-53 is primarily designed for:
Which part of the NIST Privacy Framework helps organizations determine their current privacy posture and their target state?
An employee receives an email appearing to be from the CEO asking for an urgent wire transfer. The email address is slightly misspelled. This is an example of:
A web application allows users to input text into a comment field. A malicious user enters a script that executes in the browsers of other users viewing the comment. This is known as:
Which stage of the 'Cyber Kill Chain' involves the attacker installing a backdoor or remote access trojan (RAT) to maintain access?
What is the primary purpose of a Distributed Denial of Service (DDoS) attack?
Which of the following is a characteristic of an 'Advanced Persistent Threat' (APT)?
An organization implements a 'Zero Trust' architecture. Which principle is central to this approach?
Which authentication factor is represented by a fingerprint scan?
A network administrator separates the Finance department's network traffic from the Engineering department's traffic using VLANs. This is an example of:
Which security device is primarily designed to detect and block malicious traffic patterns or signatures in real-time?
In an Identity and Access Management (IAM) system, 'Role-Based Access Control' (RBAC) assigns permissions based on:
Which cryptographic concept ensures that a message has not been altered in transit?
An auditor is reviewing the results of a penetration test. The report identifies a 'Critical' vulnerability involving an unpatched server exposed to the internet. What is the auditor's most appropriate next step?
What is the primary difference between Vulnerability Scanning and Penetration Testing?
During a security walkthrough, an auditor notices that employees are writing passwords on sticky notes attached to their monitors. Which control is failing?
Which type of security test involves the tester having full knowledge of the system (network diagrams, source code, IP addresses) beforehand?
A company replaces sensitive credit card numbers in their database with a random string of characters that has no mathematical relationship to the original number. The mapping is stored in a secure vault. This technique is called:
Which encryption type uses a public key to encrypt and a private key to decrypt?
Data Loss Prevention (DLP) tools are primarily designed to:
What is the difference between Confidentiality and Privacy?
Which phase of the data lifecycle involves securely removing data when it is no longer needed?
In Incident Response, what is the primary goal of the 'Containment' phase?
A company purchases cyber insurance. Which risk management strategy is this?
What is the difference between an 'Event' and an 'Incident' in cybersecurity?
After a ransomware attack is resolved, the team holds a 'Lessons Learned' meeting. What is the primary output of this meeting?
A service organization's clients need assurance regarding the controls over financial reporting. Which SOC report is most appropriate?
Which of the following is NOT one of the five Trust Services Criteria categories used in SOC 2 engagements?
A service organization wants a report to display on their website for potential customers to prove they are secure. The report should not contain sensitive technical details. Which report should they choose?
What is the primary difference between a Type I and a Type II SOC report?
In a SOC 2 engagement, which Trust Services Criteria category is MANDATORY for every report?
A service organization uses a subservice organization for data center hosting. The service organization's auditor decides to use the 'Carve-Out' method. What does this mean for the report?
When using the 'Inclusive' method for a subservice organization, what is the service auditor's responsibility?
What are 'Complementary User Entity Controls' (CUECs)?
In planning a SOC 2 engagement, the auditor must assess 'Materiality'. How is materiality typically viewed in a SOC 2 compared to a financial audit?
Which section of a SOC 2 report contains the Management's Assertion?
During a SOC 2 Type II engagement, an auditor finds that a daily backup failed 3 times out of 365 days. The backups were successfully retried the next day. How should the auditor handle this?
Which testing procedure provides the highest level of assurance for operating effectiveness?
An auditor is testing a control that states 'All new hires must undergo a background check'. The auditor selects a sample of 25 new hires and finds 2 missing background checks. What is the deviation rate?
In a SOC engagement, what is the purpose of the 'System Description'?
If an auditor discovers a 'Subsequent Event' (after the period end but before the report date) that significantly affects the system's security, what should they do?
Which opinion type is issued when the system description is fairly presented and controls are effective, EXCEPT for one or more significant deficiencies?
What constitutes an 'Adverse Opinion' in a SOC report?
In a SOC 2 report, where would a user find the auditor's detailed tests and the results of those tests?
A service organization refuses to provide a written assertion (Section II). What must the auditor do?
Which of the following statements is TRUE regarding the use of a SOC 2 report?
Full answers, grading, and explanations on why each answer is correct.