All questions (146)
A CPA is performing a risk assessment for a client that uses a public cloud provider for its core ERP system. The client utilizes an Infrastructure as a Service (IaaS) model. When defining the scope of the IT audit, which of the following components is the client's management primarily responsible for securing, rather than the cloud service provider?
During a walkthrough of a client's change management process, the auditor notes that developers have write access to the production environment to facilitate quick hotfixes. The client argues that a code review tool logs all changes. Which of the following represents the MOST significant risk associated with this configuration?
A service organization provides a real-time transaction processing platform. The service level agreement (SLA) guarantees a Recovery Point Objective (RPO) of 15 minutes. The auditor discovers that the organization performs full backups nightly at midnight and ships tapes to offsite storage daily. No other backup mechanisms are in place. What is the auditor's conclusion?
An auditor is reviewing a SQL query used by the finance team to generate a report of all sales transactions above $10,000 for the first quarter of 2024. The query is `SELECT * FROM Sales WHERE Amount > 10000 AND Date BETWEEN '2024-01-01' AND '2024-03-31'`. Assuming the 'Amount' column includes cents and the 'Date' column is a standard date type, which potential issue should the auditor investigate regarding the completeness of this population?
A healthcare clearinghouse is preparing for a SOC 2® engagement. They utilize a private cloud deployment model hosted in their own data center. Which of the following statements accurately describes the auditor's responsibility regarding the infrastructure in this scenario?
An auditor is evaluating the design of a disaster recovery plan (DRP). The organization uses a 'differential' backup strategy during the week and a 'full' backup on weekends. If the system crashes on Thursday afternoon, which files are required to restore the system to the most recent state?
A company is implementing a new ERP system. The project team decides to run the old system and the new system simultaneously for two months, comparing the outputs of both systems before decommissioning the old one. Which implementation strategy is this?
Under the COSO Internal Control framework, which of the following is a critical risk associated with the use of blockchain technology in financial reporting that an auditor must evaluate?
An auditor is reviewing the data integration process between a CRM system and the General Ledger. The process uses an ETL (Extract, Transform, Load) tool. The auditor observes that the 'Transform' step includes logic to map 'State' codes (e.g., 'NY') to 'Region' IDs (e.g., '101'). Which control is MOST important to ensure data integrity during this step?
A company uses a 'Data Lake' architecture to store unstructured customer feedback logs alongside structured transaction data. When auditing the completeness of data retrieval for analysis, what is a primary challenge the auditor should anticipate compared to a traditional Data Warehouse?
Which of the following scenarios represents a violation of the 'Segregation of Duties' principle in the context of IT change management?
A service organization uses a 'hot site' for disaster recovery. Which of the following best describes the readiness of this facility?
An auditor is testing the 'completeness' of a data extraction from a legacy mainframe to a new cloud database. The auditor sums the 'TotalAccountValue' field in the source system and compares it to the sum in the destination system. This technique is known as:
A company uses a SaaS-based CRM. The auditor wants to verify that the company's data is backed up. The SaaS provider's contract states they perform daily backups. What is the MOST appropriate evidence for the auditor to request?
A company uses a 'Platform as a Service' (PaaS) environment to develop and host its web application. The auditor asks for evidence of 'patch management'. Which response from the client is most appropriate regarding the underlying operating system?
Which of the following SQL statements would an auditor use to identify duplicate invoice numbers in the 'Sales' table?
An auditor is examining the 'User Acceptance Testing' (UAT) phase of a software implementation. Who is the MOST appropriate party to sign off on UAT results?
Which of the following is a characteristic of a 'hardened' operating system?
Which of the following is a 'detective' control for ensuring data integrity in a batch processing system?
Which of the following is a primary benefit of using a 'Hybrid Cloud' deployment model?
What is the primary purpose of a 'Data Warehouse' compared to an operational database (OLTP)?
An auditor is reviewing the 'Change Management' process. They find a change ticket labeled 'Emergency Fix' that was deployed to production without prior testing. The policy allows this if retrospective approval is granted within 24 hours. What is the auditor's primary concern?
An auditor is reviewing a 'Business Continuity Plan' (BCP). The plan relies on a 'Reciprocal Agreement' with a neighboring company. What is a major risk of this strategy?
Which of the following is a 'Risk Response' strategy where the organization decides to stop the activity that causes the risk?
A company uses a 'Waterfall' methodology for software development. Which of the following is a primary characteristic of this model?
An auditor is reviewing a SQL query that joins two tables: 'Customers' and 'Orders'. The query uses an 'INNER JOIN'. Which records will be included in the result?
A company uses a 'Cold Site' for disaster recovery. What is the primary disadvantage of this approach?
Which of the following is a 'Corrective' control in the Change Management process?
A service organization provides a cloud-based payroll platform where clients access the software via a web browser. The clients do not manage the underlying infrastructure, operating systems, or application capabilities. Which cloud service model is the service organization providing?
An auditor is reviewing the backup strategy for a financial institution that requires a Recovery Point Objective (RPO) of 15 minutes. The current strategy involves a daily full backup at midnight. Which conclusion should the auditor draw?
During a walkthrough of the change management process, an auditor observes that developers have write access to the production environment to deploy hotfixes quickly. Which principle does this violate?
An auditor is reviewing a SQL query used to generate a list of active customers for a marketing campaign. The query is `SELECT * FROM Customers WHERE Status = 'Active' OR LastOrderDate > '2023-01-01'`. What is the potential issue with this query regarding data accuracy?
Which component of the COSO Internal Control framework is most directly related to the 'Governance and Culture' component of the COSO ERM framework when applied to cloud governance?
A company wants to ensure that if a disaster occurs, they can restore data to the state it was in no more than 1 hour ago. This requirement defines the:
An auditor observes that a company uses a 'test' environment that is an exact replica of the 'production' environment, including real customer data. What is the primary risk associated with this practice?
A company uses a 'Data Lake' architecture. Which characteristic best describes a Data Lake?
An auditor is reviewing a flowchart of the 'Order-to-Cash' process. The flowchart shows that the 'Sales Department' approves credit limits for new customers. What is the control deficiency?
Which SQL command is used to remove a table and all its data permanently from the database?
Which cloud deployment model involves infrastructure provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units)?
What is the primary function of a 'Hypervisor' in a virtualized environment?
Which of the following SQL clauses is used to filter the results of a query based on a specific condition?
A company uses 'Incremental' backups daily and a 'Full' backup on Sundays. If the system crashes on Thursday, what is required to restore the data?
An auditor is reviewing a blockchain implementation used for supply chain tracking. Which risk is unique to the 'Immutability' feature of blockchain?
An auditor is testing the 'Change Management' process. They select a sample of 30 changes. They find that 2 changes were deployed to production without the required 'User Acceptance Testing' (UAT) sign-off. The IT Manager explains these were 'Emergency Changes'. What should the auditor look for next?
A company uses 'Mirroring' for its database. What is the primary advantage of this approach?
Which SQL aggregate function is used to count the number of rows in a result set?
A company uses 'Asynchronous Replication' to a disaster recovery site. What is the primary risk associated with this method?
An auditor is testing the 'Completeness' of a data extraction from an ERP system. They compare the record count in the source system to the record count in the destination file. This is an example of:
Which of the following is a 'Unit Test' in software development?
An auditor is reviewing a database schema. They notice that the 'SocialSecurityNumber' column is indexed. What is the security risk?
A company uses a 'Cold Site' for disaster recovery. What is the main characteristic of a Cold Site?
Which of the following is an example of 'Inherent Risk' in a cloud environment?
What is the purpose of a 'Data Dictionary'?
An auditor is reviewing the 'System Development Life Cycle' (SDLC). Which phase should include the definition of security requirements?
Which of the following is a 'Batch Processing' characteristic?
Which of the following is a 'PaaS' (Platform as a Service) example?
A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud-based solution. The client wants to minimize their internal IT team's responsibility for managing the underlying operating system, middleware, and runtime environment, but they want to retain control over the deployed applications and configuration settings. Which cloud service model is MOST appropriate for this client?
During a review of a client's cloud governance structure, an auditor notes that the client uses a public cloud provider for customer-facing web applications but keeps sensitive financial data on a private on-premise server. The two environments are connected via an encrypted VPN. Which deployment model is this client utilizing?
An auditor is evaluating the 'Processing Integrity' principle for a financial institution's loan origination system. The auditor discovers that the system automatically rejects loan applications with incomplete data fields but does not generate an error log for these rejections. Which specific processing integrity risk does this control deficiency primarily exacerbate?
A company uses a batch processing system to update inventory records overnight. The 'Grandfather-Father-Son' backup rotation scheme is used. On Thursday morning, the 'Son' (Wednesday night's backup) is found to be corrupted. To restore the system to the most current state possible before the corruption, which tapes are required?
During a walkthrough of the change management process, an auditor observes that the 'Developer' role in the ERP system has access to 'Migrate to Production'. The IT Manager explains this is necessary for emergency fixes overnight when the Change Manager is unavailable. What is the auditor's BEST course of action?
An auditor is reviewing a SQL query used to extract 'Active Customers' for a marketing report. The query is `SELECT CustomerID, Name FROM Customers WHERE Status = 'Active' OR Status = 'Pending' AND CreditLimit > 1000`. The auditor suspects the logic is flawed because of operator precedence. Which customers will this query actually return?
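Added illustration for the two customer-selection queries above (the marketing-campaign query and the operator-precedence query). This is editor-supplied example code, not part of the question bank: the Customers rows are constructed, the column names follow the questions, and the queries are run against an in-memory SQLite database so the effect of the OR and of AND-before-OR precedence can be seen on real rows.

```python
import sqlite3

# Constructed sample data for the two customer-selection queries above; the
# names, statuses, dates and credit limits are made up for the illustration.
CUSTOMERS = [
    (1, "Alpha",   "Active",   "2023-06-10", 500),
    (2, "Bravo",   "Active",   "2022-02-01", 5000),
    (3, "Charlie", "Inactive", "2023-09-15", 2000),   # not active, but ordered recently
    (4, "Delta",   "Pending",  "2021-01-01", 3000),
    (5, "Echo",    "Pending",  "2023-11-30", 800),
    (6, "Foxtrot", "Closed",   "2022-05-05", 9000),
]

def load_customers() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID INTEGER PRIMARY KEY, Name TEXT, "
        "Status TEXT, LastOrderDate TEXT, CreditLimit INTEGER)"
    )
    conn.executemany("INSERT INTO Customers VALUES (?, ?, ?, ?, ?)", CUSTOMERS)
    return conn

def customer_ids(sql: str) -> list[int]:
    """Run a query against the sample table and return the CustomerIDs it selects."""
    conn = load_customers()
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()

# Marketing-campaign query: the OR admits anyone with a recent order, whatever
# their Status, so inactive customers (Charlie) and pending ones (Echo) get in.
ACTIVE_OR_RECENT = (
    "SELECT CustomerID FROM Customers "
    "WHERE Status = 'Active' OR LastOrderDate > '2023-01-01' ORDER BY CustomerID"
)

# Operator-precedence query exactly as written. AND binds tighter than OR, so it
# is evaluated as: Active OR (Pending AND CreditLimit > 1000).
PRECEDENCE_AS_WRITTEN = (
    "SELECT CustomerID FROM Customers "
    "WHERE Status = 'Active' OR Status = 'Pending' AND CreditLimit > 1000 ORDER BY CustomerID"
)

# The reading the report author most likely intended, made explicit with parentheses:
# (Active OR Pending) AND CreditLimit > 1000.
PRECEDENCE_INTENDED = (
    "SELECT CustomerID FROM Customers "
    "WHERE (Status = 'Active' OR Status = 'Pending') AND CreditLimit > 1000 ORDER BY CustomerID"
)

def precedence_drift() -> list[int]:
    """CustomerIDs the as-written query returns that the intended query would not."""
    return sorted(set(customer_ids(PRECEDENCE_AS_WRITTEN)) - set(customer_ids(PRECEDENCE_INTENDED)))

if __name__ == "__main__":
    for label, sql in [("active-or-recent", ACTIVE_OR_RECENT),
                       ("as written", PRECEDENCE_AS_WRITTEN),
                       ("intended", PRECEDENCE_INTENDED)]:
        print(f"{label:16} -> {customer_ids(sql)}")
    print("precedence drift ->", precedence_drift())
```

The drift list is the audit finding: the as-written query returns an Active customer with a 500 credit limit that the intended condition would have excluded. Parentheses around the OR are the fix, and an auditor reviewing report logic should treat any unparenthesised mix of AND and OR as a question to raise with the query author.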
An IT auditor is reviewing the 'Recovery Point Objective' (RPO) for a critical transaction database. Management has set the RPO at 1 hour. The current backup strategy involves a full backup every Sunday at midnight and incremental backups every night at midnight. Is this strategy adequate?
An auditor is testing a control that requires 'Three-way matching' before a payment is authorized. Which three documents must match?
A company uses an 'Incremental' backup strategy. A full backup is performed on Sunday. Incremental backups are performed Monday through Saturday. If the system crashes on Thursday morning (before Thursday's backup), what is required to restore the system?
Which of the following SQL commands is used to remove a table and all its data permanently from the database?
An auditor is assessing the 'Availability' criteria for a cloud service provider. The provider claims 99.9% uptime. Which of the following metrics would be MOST useful to verify this claim?
An auditor observes that a company uses a 'Hot Site' for disaster recovery. What does this imply?
A developer is writing a SQL query to combine customer data from the 'Sales' table and the 'Support' table. They want to see ALL customers from the 'Sales' table, and matching support tickets if they exist. If a customer has no support tickets, they should still appear in the list. Which JOIN type should be used?
An auditor is reviewing the 'Change Management' process. They find that the 'Request for Change' (RFC) form does not require a back-out plan. Why is this a control deficiency?
Which of the following is a risk associated with using a 'Public Blockchain' for financial reporting?
A company wants to ensure that their web application can handle a sudden spike in traffic during Black Friday sales. They configure their cloud environment to automatically add more virtual servers when CPU usage exceeds 80%. This capability is known as:
Which of the following is a primary benefit of using a 'Data Lake' compared to a 'Data Warehouse'?
A company uses a 'Cold Site' for disaster recovery. Which of the following is the primary disadvantage of this approach?
An auditor is reviewing the 'Segregation of Duties' (SoD) in the payroll process. Which two roles should be separated?
An auditor is evaluating the 'Completeness' of data transfer from a legacy system to a new ERP. Which technique is MOST effective?
Which of the following is an example of 'SaaS' (Software as a Service)?
An auditor is reviewing a SQL query: `SELECT * FROM Employees WHERE Salary > 100000;`. What is the risk of using `SELECT *` in production code?
Which of the following is a 'Physical' security control?
An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Emergency Fix' that was deployed without prior testing in the staging environment. The policy allows this but requires 'Post-Implementation Review' within 24 hours. The auditor finds the review was completed 3 days later. What is the finding?
In a relational database, what is a 'Foreign Key'?
A company uses 'Containerization' (e.g., Docker) for its applications. From an auditor's perspective, what is a key difference between a Container and a Virtual Machine (VM)?
An auditor is reviewing the 'Business Continuity Plan' (BCP). Which of the following is a key component that determines the order in which business processes should be restored?
A CPA is advising a client who is migrating their legacy on-premise ERP system to a cloud environment. The client wants to minimize their responsibility for managing the underlying operating system, middleware, and runtime environment, but wants to retain control over the deployed applications and configuration settings. Which cloud service model is most appropriate for this client?
An auditor is reviewing the Service Level Agreement (SLA) for a client using a public cloud provider. The client handles highly sensitive healthcare data. The auditor notes that the cloud provider stores data in a multi-tenant environment. Which specific risk is MOST heightened in this deployment model compared to a private cloud?
A company uses an Infrastructure as a Service (IaaS) model. During an IT audit, the auditor discovers that the operating system of the virtual machines has not been patched for critical vulnerabilities. Under the shared responsibility model, who is responsible for this control failure?
An organization is implementing the COSO Enterprise Risk Management (ERM) framework to govern its migration to the cloud. Which of the following actions best aligns with the 'Governance and Culture' component of COSO ERM in this context?
During a walkthrough of an order-to-cash process, the auditor observes that the sales manager can both authorize credit limits for new customers and approve sales orders exceeding those limits. The documented process flow states these functions should be separated. Which type of deficiency has the auditor identified?
An auditor is reviewing the backup strategy for a financial transaction system with a Recovery Point Objective (RPO) of 1 hour. The current strategy involves a full backup every Sunday at midnight and differential backups every night at midnight. Is this strategy adequate?
A developer at a software company has access to write code in the development environment and also has administrative access to promote that code directly to the production environment. Which specific IT general control (ITGC) principle is violated?
An auditor is examining a SQL query used to generate a report of all sales transactions for the fiscal year 2024. The query is `SELECT * FROM Sales WHERE SaleDate > '2024-01-01' AND SaleDate < '2024-12-31'`. What is the potential issue with this query regarding data completeness?
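Added illustration for the date-range questions above (the fiscal-year query with strict inequalities and the first-quarter query that uses BETWEEN). This is editor-supplied example code, not part of the question bank. The Sales rows are constructed, and SaleDate is stored as ISO-8601 text, which SQLite compares lexically; the boundary behaviour shown is the same one a DATE or DATETIME column exhibits.

```python
import sqlite3

# Constructed Sales rows placed deliberately on and around the year boundaries.
SALES = [
    (1, "2023-12-31", 100),            # prior year
    (2, "2024-01-01", 200),            # first day of the year
    (3, "2024-06-15", 300),
    (4, "2024-12-31", 400),            # last day of the year, no time part
    (5, "2024-12-31 16:45:00", 500),   # last day of the year, with a time part
    (6, "2025-01-01", 600),            # next year
]

def load_sales() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Sales (SaleID INTEGER PRIMARY KEY, SaleDate TEXT, Amount INTEGER)")
    conn.executemany("INSERT INTO Sales VALUES (?, ?, ?)", SALES)
    return conn

def sale_ids(sql: str) -> list[int]:
    """Run a query against the sample table and return the SaleIDs it selects."""
    conn = load_sales()
    try:
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()

# As written in the fiscal-year question: strict inequalities drop both boundary days.
EXCLUSIVE = ("SELECT SaleID FROM Sales WHERE SaleDate > '2024-01-01' "
             "AND SaleDate < '2024-12-31' ORDER BY SaleID")

# BETWEEN is inclusive at both ends, but '2024-12-31 16:45:00' sorts after
# '2024-12-31', so a datetime value on the last day still falls outside the range.
BETWEEN = ("SELECT SaleID FROM Sales WHERE SaleDate BETWEEN '2024-01-01' "
           "AND '2024-12-31' ORDER BY SaleID")

# Half-open range: inclusive start, exclusive day-after-end. Correct whether the
# column holds plain dates or timestamps, so it is the form to recommend.
HALF_OPEN = ("SELECT SaleID FROM Sales WHERE SaleDate >= '2024-01-01' "
             "AND SaleDate < '2025-01-01' ORDER BY SaleID")

def omitted_by(sql: str) -> list[int]:
    """Rows that belong to 2024 but the given query leaves out of the population."""
    return sorted(set(sale_ids(HALF_OPEN)) - set(sale_ids(sql)))

if __name__ == "__main__":
    for label, sql in [("strict < >", EXCLUSIVE), ("BETWEEN", BETWEEN), ("half-open", HALF_OPEN)]:
        print(f"{label:10} -> {sale_ids(sql)}  omitted: {omitted_by(sql)}")
```

The omitted lists are what a completeness test is looking for: the strict-inequality query loses the first and last day of the year, and BETWEEN still loses any last-day transaction that carries a time of day. Reconciling the query's row count to the general ledger for the period is the independent check that catches both.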
An auditor is reviewing a company's disaster recovery plan (DRP). The company uses a 'Hot Site' for recovery. Which characteristic best describes a Hot Site?
Which of the following SQL statements would be most useful for an auditor attempting to identify duplicate invoice numbers in a table named 'Invoices'?
A company uses a blockchain ledger to record supply chain transactions. An auditor is assessing the risk of '51% attacks'. What is the primary implication of a successful 51% attack on a blockchain?
An auditor is testing the 'Processing Integrity' criteria for a payroll system. They find that the system accepts negative values for 'Hours Worked'. Which type of application control is missing?
A company uses a 'Data Lake' architecture. What is a primary characteristic of a Data Lake compared to a Data Warehouse?
An auditor is reviewing the 'Change Management' process. They observe that emergency changes are allowed to bypass the standard testing phase to restore service quickly. What is the compensating control that MUST be in place for this process to be acceptable?
An auditor is reviewing a SQL query that joins two tables: 'Customers' and 'Orders'. The goal is to list ALL customers, including those who have not placed any orders. Which JOIN type should be used?
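Added illustration for the JOIN questions above (which rows an INNER JOIN keeps, and which JOIN lists every customer including those with no orders). This is editor-supplied example code, not part of the question bank; the Customers and Orders rows are constructed, and an orphan order pointing at a non-existent customer is included to show that a LEFT JOIN driven from Customers hides it.

```python
import sqlite3

# Constructed rows. Charlie has placed no orders; order 104 references a
# CustomerID that does not exist in Customers (an orphan, e.g. a deleted customer).
CUSTOMERS = [(1, "Alpha"), (2, "Bravo"), (3, "Charlie")]
ORDERS = [(101, 1, 50), (102, 1, 75), (103, 2, 20), (104, 9, 10)]

def load_join_tables() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Customers (CustomerID INTEGER PRIMARY KEY, Name TEXT);
        CREATE TABLE Orders (OrderID INTEGER PRIMARY KEY, CustomerID INTEGER, Amount INTEGER);
    """)
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO Orders VALUES (?, ?, ?)", ORDERS)
    return conn

def rows(sql: str) -> list[tuple]:
    conn = load_join_tables()
    try:
        return list(conn.execute(sql))
    finally:
        conn.close()

# INNER JOIN: only customer/order pairs where the key matches on both sides.
INNER = ("SELECT c.Name, o.OrderID FROM Customers c "
         "INNER JOIN Orders o ON o.CustomerID = c.CustomerID ORDER BY c.CustomerID, o.OrderID")

# LEFT JOIN: every customer, with NULL order columns where there is no match.
LEFT = ("SELECT c.Name, o.OrderID FROM Customers c "
        "LEFT JOIN Orders o ON o.CustomerID = c.CustomerID ORDER BY c.CustomerID, o.OrderID")

# Customers with no orders at all: the NULL side of the LEFT JOIN.
NO_ORDERS = ("SELECT c.CustomerID FROM Customers c "
             "LEFT JOIN Orders o ON o.CustomerID = c.CustomerID WHERE o.OrderID IS NULL")

# Orphan orders only appear when the LEFT JOIN is driven from the Orders side.
ORPHAN_ORDERS = ("SELECT o.OrderID FROM Orders o "
                 "LEFT JOIN Customers c ON c.CustomerID = o.CustomerID WHERE c.CustomerID IS NULL")

if __name__ == "__main__":
    for label, sql in [("INNER", INNER), ("LEFT", LEFT),
                       ("no orders", NO_ORDERS), ("orphans", ORPHAN_ORDERS)]:
        print(f"{label:10} -> {rows(sql)}")
```

Two audit points follow from the output: an INNER JOIN silently drops both the customer without orders and the orphan order, and a LEFT JOIN only preserves the unmatched rows of the table on its left. A completeness test over a join should therefore be run from both sides, or the orphan check done separately, before the joined population is used for sampling.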
A company is designing a new data center. They install a 'mantrap' at the entrance to the server room. Which type of control is this?
An auditor is reviewing the 'Logical Access' controls. They find that user accounts are not disabled immediately upon termination of employment. This control deficiency primarily increases the risk of:
An auditor is assessing the 'Availability' criteria in a SOC 2® engagement. The client claims to have high availability. Which metric best measures the percentage of time the system is operational?
Which of the following is a 'Corrective' control?
A company uses a 'Hybrid Cloud' model. Which of the following best describes this architecture?
An auditor is reviewing the 'Change Management' logs and notices a change labeled 'Standard Change'. How does a Standard Change typically differ from a Normal Change?
An auditor is reviewing the 'System Development Life Cycle' (SDLC). In which phase should security requirements be defined?
An auditor is testing a control that requires 'Three-Way Matching' for accounts payable. What three documents must match?
A company uses 'Ransomware' protection. Which backup strategy is most effective against ransomware that encrypts connected drives?
An auditor is testing 'Logical Access'. They find that the 'Administrator' group contains 15 users, including 5 who left the company years ago. This violates which principle?
Which of the following describes a 'Cold Site' for disaster recovery?
An auditor is reviewing a 'Batch Processing' job that runs overnight. The job log shows 'Error: Input file footer count does not match record count'. Which control detected this?
What is the primary function of a 'Circuit Breaker' pattern in modern microservices architecture (though not explicitly detailed in the blueprint, the concept relates to Availability)?
Which SQL command is used to remove a table and all its data permanently from the database?
Which of the following is a 'Technical' (Logical) control?
A company uses 'Containerization' (e.g., Docker) for its applications. What is a key security benefit of containers compared to traditional virtual machines?
An auditor is reviewing the 'Business Continuity Plan' (BCP). What is the primary goal of BCP?
An auditor is reviewing the 'Risk Assessment' component of COSO. Which of the following is a prerequisite for risk assessment?
A service organization provides a cloud-based payroll processing application to its user entities. The user entities access the software via a web browser, but the service organization manages the underlying infrastructure, operating system, and application updates. Which cloud service model is the service organization providing?
An auditor is reviewing the shared responsibility model for a client using an Infrastructure as a Service (IaaS) provider. Which of the following responsibilities typically remains with the client (user entity) rather than the cloud provider?
A financial institution requires a cloud deployment model that offers the highest level of control and isolation for its sensitive data, even if it requires higher costs and maintenance. Which deployment model is most appropriate?
During an IT audit, you observe that a company uses a 'Hybrid Cloud' architecture. Which scenario best describes this architecture?
Which component of IT architecture is primarily responsible for translating domain names (like www.aicpa.org) into IP addresses that computers use to communicate?
In the context of COSO Enterprise Risk Management, which principle is most relevant when an organization evaluates the risks associated with migrating its core financial system to the cloud?
An auditor is reviewing the 'Order-to-Cash' process. The documented flowchart indicates that a credit check is performed automatically by the system before a sales order is approved. However, during a walkthrough, the auditor observes a sales representative manually overriding the credit hold to expedite a shipment for a VIP client. What is the primary concern?
A company uses a private blockchain to record supply chain transactions. Which of the following is a unique risk associated with blockchain technology that an auditor should consider regarding financial reporting?
An auditor is testing processing integrity controls for a payroll system. The auditor inputs a test transaction with an employee working 400 hours in a single week. The system accepts the input and processes the check. Which type of control is likely missing or ineffective?
Which of the following best describes the 'Three-Way Match' control in a procurement process?
A company is implementing an ERP system. Which of the following represents a 'Segregation of Duties' conflict that should be flagged during the design phase?
In a batch processing system for utility billing, which control would best detect if a transaction file was processed twice by accident?
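Added illustration for the two batch-processing questions above (the job log reporting a footer count mismatch, and detecting a transaction file processed twice). This is editor-supplied example code, not part of the question bank. The file layout is hypothetical: a pipe-delimited header, detail records with an amount in cents, and a trailer that declares the detail count and a hash total. The batch content is constructed.

```python
import hashlib

# Constructed batch file in a hypothetical layout: H = header, D = detail
# (account, amount in cents), T = trailer (declared record count, hash total).
GOOD_BATCH = """H|BILLING|2024-03-01
D|ACCT001|12050
D|ACCT002|3399
D|ACCT003|87000
T|3|102449
"""

def validate_batch(text: str) -> list[str]:
    """Batch-level detective control: compare the trailer's declared control
    totals with what the detail records actually contain. Returns the failures."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("H|"):
        return ["missing header record"]
    if not lines[-1].startswith("T|"):
        return ["missing trailer record"]
    details = [ln.split("|") for ln in lines[1:-1]]
    _, declared_count, declared_total = lines[-1].split("|")
    actual_count = len(details)
    actual_total = sum(int(fields[2]) for fields in details)
    problems = []
    if actual_count != int(declared_count):          # record count check
        problems.append(f"record count {actual_count} != trailer count {declared_count}")
    if actual_total != int(declared_total):          # hash total check
        problems.append(f"hash total {actual_total} != trailer total {declared_total}")
    return problems

class BatchRegister:
    """Detects a file being processed twice by remembering a digest of its
    content, so a re-submitted copy is caught even under a different file name."""
    def __init__(self) -> None:
        self._processed = {}   # sha256 hex digest -> name the file was first seen under

    @staticmethod
    def fingerprint(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def accept(self, text: str, source_name: str) -> bool:
        """True if the file is new and is now registered; False if already processed."""
        fp = self.fingerprint(text)
        if fp in self._processed:
            return False
        self._processed[fp] = source_name
        return True

    def first_seen_as(self, text: str):
        return self._processed.get(self.fingerprint(text))

if __name__ == "__main__":
    print("good file:", validate_batch(GOOD_BATCH) or "passed")
    print("dropped row:", validate_batch(GOOD_BATCH.replace("T|3|102449", "T|4|102449")))
    print("altered amount:", validate_batch(GOOD_BATCH.replace("D|ACCT003|87000", "D|ACCT003|78000")))
    reg = BatchRegister()
    print("first run accepted:", reg.accept(GOOD_BATCH, "billing_20240301.txt"))
    print("second run accepted:", reg.accept(GOOD_BATCH, "billing_20240301_copy.txt"))
```

The record count alone would pass a file whose amount had been altered; the hash total catches that, which is why both totals normally travel in the trailer. The register works on content rather than file name, so a legitimately re-sent correction file must differ in content (for example in its header date) to be accepted.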
A company has a Recovery Point Objective (RPO) of 4 hours. They currently perform a full backup every Sunday at midnight and incremental backups every night at midnight. Is this backup strategy adequate to meet the RPO?
Which disaster recovery site option provides the fastest recovery time (lowest RTO) but incurs the highest cost?
A database administrator implements 'disk mirroring' (RAID 1). Which availability risk does this primarily mitigate?
What is the primary difference between a Differential Backup and an Incremental Backup?
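Added illustration for the backup-chain and RPO questions above (restoring from full plus incremental or differential backups after a mid-week crash, and whether nightly backups can satisfy a 1-hour or 4-hour RPO). This is editor-supplied example code, not part of the question bank. It assumes a weekly schedule with a full backup on Sunday night and one incremental or differential backup every following night; the 23:00 start time and the crash time are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    kind: str          # "full", "incremental" or "differential"

# Hypothetical calendar: full backup on Sunday 3 March 2024, crash Thursday 10:00.
SUNDAY = datetime(2024, 3, 3)
THURSDAY_10AM = datetime(2024, 3, 7, 10, 0)

def nightly_schedule(first_night: datetime, strategy: str, nights: int = 7) -> list[Backup]:
    """A full backup on the first night, then one `strategy` backup each following
    night. Jobs are assumed to start at 23:00 (hypothetical)."""
    start = first_night.replace(hour=23, minute=0, second=0, microsecond=0)
    return [Backup(start, "full")] + [
        Backup(start + timedelta(days=i), strategy) for i in range(1, nights)
    ]

def restore_chain(backups: list[Backup], crash_at: datetime) -> list[Backup]:
    """Backups to apply, in order, to reach the latest restorable state before the crash."""
    completed = sorted((b for b in backups if b.taken_at < crash_at), key=lambda b: b.taken_at)
    full_positions = [i for i, b in enumerate(completed) if b.kind == "full"]
    if not full_positions:
        raise ValueError("no completed full backup: nothing to restore from")
    full = completed[full_positions[-1]]
    later = completed[full_positions[-1] + 1:]
    if later and later[-1].kind == "differential":
        return [full, later[-1]]       # a differential holds every change since the last full
    return [full] + [b for b in later if b.kind == "incremental"]   # each holds one night's changes

def data_loss_hours(backups: list[Backup], crash_at: datetime) -> float:
    """Worst-case data loss: time between the last usable backup and the crash."""
    last = restore_chain(backups, crash_at)[-1]
    return (crash_at - last.taken_at).total_seconds() / 3600

def meets_rpo(backups: list[Backup], crash_at: datetime, rpo_hours: float) -> bool:
    return data_loss_hours(backups, crash_at) <= rpo_hours

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        chain = restore_chain(nightly_schedule(SUNDAY, strategy), THURSDAY_10AM)
        print(strategy, "->", [f"{b.taken_at:%a} {b.kind}" for b in chain])
    loss = data_loss_hours(nightly_schedule(SUNDAY, "incremental"), THURSDAY_10AM)
    print(f"data loss {loss:.0f}h; meets 1h RPO: {loss <= 1}; meets 4h RPO: {loss <= 4}")
```

The output makes the two exam points concrete: the incremental chain needs the Sunday full plus every incremental up to Wednesday night, the differential chain needs only the Sunday full plus Wednesday's differential, and in either case a crash at 10:00 on Thursday loses eleven hours of transactions, so no nightly schedule can meet a 1-hour or 4-hour RPO without log shipping or replication between backups.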
During a SOC 2 engagement, you observe that the organization tests its Disaster Recovery Plan (DRP) annually using a 'Tabletop Exercise'. What does this involve?
Which of the following metrics would be most critical to review when assessing the effectiveness of an organization's Business Continuity Plan regarding revenue loss?
An auditor observes that a developer has 'write' access to the production environment to fix urgent bugs. The developer also writes the code in the development environment. What is the primary risk?
In a formal change management process, which testing stage is performed by the end-users to verify the system meets business requirements?
A company uses a 'Continuous Integration/Continuous Deployment' (CI/CD) pipeline. An auditor notes that code is automatically deployed to production after passing automated tests. What is the most appropriate compensating control to look for?
Which document should be updated immediately following an emergency change to the production system?
An auditor is reviewing a population of changes. They select a sample of changes and trace them back to the Change Request tickets. What assertion is the auditor primarily testing?
Which environment is used to combine individual software modules and test their interaction before UAT?
An auditor wants to extract all customers from the 'Sales' table who live in 'NY' and spent more than $1,000. Which SQL clause is required to filter the data?
Review the following SQL query: `SELECT CustomerID, SUM(OrderAmount) FROM Orders GROUP BY CustomerID HAVING SUM(OrderAmount) > 10000;` What is the purpose of this query?
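Added illustration for the GROUP BY / HAVING questions above (finding duplicate invoice numbers, and the query that keeps customers whose order total exceeds 10,000). This is editor-supplied example code, not part of the question bank; the Invoices and Orders rows are constructed, and one customer is given a total of exactly 10,000 to show the boundary of the `>` test.

```python
import sqlite3

# Constructed rows. Two invoice numbers appear twice, which is the pattern an
# auditor hunts for when testing for duplicate payments.
INVOICES = [
    (1, "INV-1001", 100), (2, "INV-1002", 250), (3, "INV-1001", 100),
    (4, "INV-1003", 9000), (5, "INV-1002", 275),
]
# Constructed orders: customer 1 totals 11000, customer 2 3000, customer 3 exactly 10000.
ORDERS = [(1, 6000), (1, 5000), (2, 3000), (3, 7000), (3, 3000)]

def load_tables() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Invoices (InvoiceID INTEGER PRIMARY KEY, InvoiceNumber TEXT, Amount INTEGER);
        CREATE TABLE Orders (CustomerID INTEGER, OrderAmount INTEGER);
    """)
    conn.executemany("INSERT INTO Invoices VALUES (?, ?, ?)", INVOICES)
    conn.executemany("INSERT INTO Orders VALUES (?, ?)", ORDERS)
    return conn

def query(sql: str) -> list[tuple]:
    conn = load_tables()
    try:
        return list(conn.execute(sql))
    finally:
        conn.close()

# Duplicate invoice numbers: group on the number, keep groups with more than one row.
DUPLICATE_NUMBERS = ("SELECT InvoiceNumber, COUNT(*) FROM Invoices "
                     "GROUP BY InvoiceNumber HAVING COUNT(*) > 1 ORDER BY InvoiceNumber")

# The underlying rows behind those groups, for the auditor's follow-up sample.
DUPLICATE_ROWS = ("SELECT InvoiceID FROM Invoices WHERE InvoiceNumber IN "
                  "(SELECT InvoiceNumber FROM Invoices GROUP BY InvoiceNumber HAVING COUNT(*) > 1) "
                  "ORDER BY InvoiceID")

# The HAVING SUM query from the question above. WHERE cannot test an aggregate,
# which is why the threshold sits in HAVING; note that exactly 10000 is excluded.
BIG_CUSTOMERS = ("SELECT CustomerID, SUM(OrderAmount) FROM Orders "
                 "GROUP BY CustomerID HAVING SUM(OrderAmount) > 10000 ORDER BY CustomerID")

if __name__ == "__main__":
    print("duplicate numbers:", query(DUPLICATE_NUMBERS))
    print("duplicate rows:   ", query(DUPLICATE_ROWS))
    print("big customers:    ", query(BIG_CUSTOMERS))
```

The second query matters in practice: the grouped result tells the auditor which numbers recur, but the sample to vouch against supporting documents is the individual invoice rows, and the two INV-1002 rows carry different amounts, so a duplicate number is not always a duplicate payment.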
Which data storage concept refers to a vast pool of raw, undefined data (structured and unstructured) stored for future purpose?
In the ETL (Extract, Transform, Load) process, at which stage is data cleaned, deduplicated, and converted into a consistent format?
An auditor is validating the completeness of a data migration from a legacy system to a new ERP. Which procedure is most effective?
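Added illustration for the migration-completeness questions above (comparing record counts, summing 'TotalAccountValue' in source and destination, and choosing the most effective procedure). This is editor-supplied example code, not part of the question bank. The legacy and migrated tables are constructed, with amounts held in integer cents; one account is dropped and one value has transposed digits so each check can be seen catching, or missing, a different defect.

```python
import sqlite3

# Constructed account balances in cents. The migrated copy has lost account
# 1004 and transposed two digits in account 1003's value.
LEGACY = [(1001, 10000), (1002, 25050), (1003, 7525), (1004, 100000), (1005, 1200)]
MIGRATED = [(1001, 10000), (1002, 25050), (1003, 7552), (1005, 1200)]

def load_migration() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE legacy   (AccountID INTEGER PRIMARY KEY, TotalAccountValue INTEGER);
        CREATE TABLE migrated (AccountID INTEGER PRIMARY KEY, TotalAccountValue INTEGER);
    """)
    conn.executemany("INSERT INTO legacy VALUES (?, ?)", LEGACY)
    conn.executemany("INSERT INTO migrated VALUES (?, ?)", MIGRATED)
    return conn

def reconcile() -> dict:
    """Three layers of completeness testing, from coarse to precise."""
    conn = load_migration()
    try:
        src_count, src_sum = conn.execute("SELECT COUNT(*), SUM(TotalAccountValue) FROM legacy").fetchone()
        dst_count, dst_sum = conn.execute("SELECT COUNT(*), SUM(TotalAccountValue) FROM migrated").fetchone()
        # Key-level comparison: EXCEPT returns keys present on one side only.
        missing = sorted(r[0] for r in conn.execute(
            "SELECT AccountID FROM legacy EXCEPT SELECT AccountID FROM migrated"))
        extra = sorted(r[0] for r in conn.execute(
            "SELECT AccountID FROM migrated EXCEPT SELECT AccountID FROM legacy"))
        # Field-level comparison on the keys that did arrive.
        changed = sorted(r[0] for r in conn.execute(
            "SELECT l.AccountID FROM legacy l JOIN migrated m USING (AccountID) "
            "WHERE l.TotalAccountValue <> m.TotalAccountValue"))
    finally:
        conn.close()
    return {
        "record_count": (src_count, dst_count),        # catches the dropped row only
        "control_total": (src_sum, dst_sum),           # catches dropped row and altered value, but not which
        "missing_in_target": missing,                  # pinpoints the dropped key
        "unexpected_in_target": extra,
        "value_changed": changed,                      # pinpoints the altered value
    }

if __name__ == "__main__":
    for check, result in reconcile().items():
        print(f"{check:22} {result}")
```

Read top to bottom the dictionary shows why the key-level reconciliation is the most effective procedure: the count and the control total each signal that something is wrong, but only the EXCEPT and the field comparison say which account is missing and which value changed, which is what the migration team needs to fix and what the auditor needs to document.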
Which SQL command is used to combine rows from two or more tables based on a related column between them?