ISC Simulated Exam


All of the following are considered requirements by the Payment Card Industry Data Security Standard (PCI DSS) except which of the following? A. Enhancing accessibility of stored cardholder data by utilizing shared storage drives between banks, retailers, and customers B. Restricting access to cardholder data through the utilization of need-to-know restrictions C. Enhancing the protection of all organization systems to combat malware and regularly updating antivirus software or programs D. Updating all passwords and parameters to ensure that vendor-supplied defaults for system passwords and other security parameters are not in use

A

An SQL (Structured Query Language) Injection is an example of what type of attack? A. Application-based attack B. Host-based attack C. Network-based attack D. Supply chain attack

A

An accounts payable clerk is accused of making unauthorized changes to previous payments to a vendor. Proof could be uncovered in which of the following places? A. Transaction logs. B. Error files. C. Validated data file. D. Error reports.

A

An enterprise resource planning system is designed to: A. Integrate data from all business functions across departments. B. Present executives with the information needed to make strategic plans. C. Allow nonexperts to make decisions about a particular problem. D. Automate the decision-making process.

A

An inclusive report on controls of a subservice organization is most useful in which of the following circumstances? A. The subservice organization's services and controls have a pervasive effect on the service organization's system. B. The service organization is unable to obtain contractual or other commitment from the subservice organization regarding its willingness to be included in the SOC 2® engagement. C. A Type 1 or Type 2 SOC report related to the subservice organization, meeting user needs, is available. D. The service auditor is not independent of the subservice organization.

A

General controls in an information system include each of the following, except: A. Logic tests. B. Software acquisition. C. Security management. D. Information technology infrastructure.

A

In addressing IT system availability risks, replication is different from mirroring in that it: A. Copies and transfers data to a different physical site. B. Allows operations to resume quickly at the same site. C. Cannot be combined with mirroring. D. Is used for database redundancy.

A

Review of the audit log is an example of which of the following types of security control? A. Detective. B. Corrective. C. Governance. D. Preventive.

A

Service organizations have contracts with their clients with terms outlining standards for system availability, such as an agreed service time (AST), a minimal amount of downtime (DT), and the mean time to repair (MTTR) a damaged device. This is referred to as a: A. Service level agreement. B. Business impact analysis. C. Crisis management plan. D. Business continuity plan.

A

What is the purpose of disclosing relevant complementary user entity controls in a SOC engagement? A. To provide report users with an understanding of controls at the user entity that must be implemented, in combination with the service organization controls, to provide reasonable assurance that control objectives are met. B. To shift responsibility for the achievement of control objectives from the service organization to the user entity. C. To provide report users with an understanding of controls that are necessary to provide absolute assurance that control objectives are met. D. To provide report users with an understanding of controls at a subservice organization that must be implemented, in combination with the service organization controls, to provide reasonable assurance that control objectives are met.

A

Which control family under NIST SP 800-53 is best described as how the company should deliver instructional material on information security risk? A. Awareness and training B. Personnel security C. Planning D. Risk assessment

A

Which of the GDPR principles to follow when processing data is best defined as what is relevant, adequate, and limited to what is necessary for the applicable purpose? A. Data minimization B. Purpose limitation C. Accuracy D. Integrity and confidentiality

A

Which of the following descriptions best summarizes the holistic approach governance system principle under COBIT 2019? A. Governance systems for IT can comprise diverse components. B. Management activities and governance systems should clearly be distinguished from each other. C. Governance models should be customized to each company, using design factors to prioritize and tailor the system. D. More than just the IT function should be considered in a governance system. All processes in the organization involving information and technology should be factored into the approach.

A

Which of the following is not considered an intended audience for NIST SP 800-53? A. Individuals with marketing and advertising responsibilities B. Individuals with system development responsibilities C. Individuals with logistical or disposition-related responsibilities D. Individuals with security and privacy assessment and monitoring responsibilities

A

Which of the following represents a best practice in patch management? A. Evaluate new patches and test in a non-production environment. B. Deploy a patch in production and use a vulnerability tool to evaluate its performance. C. Verify that a patch has been deployed and then test it in a non-production environment. D. Apply a patch as a pilot in a production environment and proceed if the pilot is successful.

A

Which of the following should be evaluated when testing whether data is secure while also providing sufficient computing power? A. Operating system B. Switch C. Router D. Firmware

A

Which of the following statements is true related to service commitments and system requirements in a SOC 2® engagement? A. Service commitments may be made about one or more of the trust services categories addressed by management's system description and such declarations may result in specific system requirements. B. Service organization management is responsible for disclosing all service commitments and system requirements that are made to a user entity. C. Service requirements may be made about one or more of the trust services categories addressed by management's system description, and such declarations may result in specific system commitments. D. Service commitments and system requirements are established by the service auditor and disclosed in the auditor's SOC report.

A

Which of the following statements is true with respect to system requirements? A. System requirements are the specifications by which the system should function to meet the service commitments to user entities and others. B. System requirements determine the service commitments of a service organization. C. Service requirements are related to the service organization's system but are not related to the service commitments to user entities and others. D. System requirements are declarations made by service organization management to user entities and others about the system used to provide the service.

A

Which of the following would most likely be a user of a SOC 1® report? A. The independent auditor of the user entity B. Potential customers of the service organization C. The independent auditor of a subservice organization D. Potential customers of the user entity

A

A company implements an enterprise resource planning application to help improve its financial and operational reporting, while gaining other efficiencies related to sales and inventory management. For the implementation, the company hires an individual specializing in preparing the company for the changes through documenting new policies and procedures and developing new training. This is an example of: A. A social event. B. Change management. C. Segregation of duties. D. An economic event.

B

A service auditor's report issued by Joyce, a CPA firm, includes the following language, "the controls and control objectives included in the description are those that management of Lill Service Organization believes are likely to be relevant to user entities' internal control over financial reporting, and the description does not include those aspects of the payroll system that are not likely to be relevant to user entities' internal control over financial reporting." Based on this language, Joyce is most likely to issue what type of SOC report? A. SOC 3® Type 2 B. SOC 1® Type 2 C. SOC 2® Type 2 D. SOC 2® Type 1

B

In all SOC engagements, risk assessment primarily focuses on: A. IT risk. B. Inherent risk. C. Detection risk. D. Control risk.

B

In an effort to recognize improvement opportunities, a company is reviewing its in-house systems. The best reason for the company to consider switching to cloud computing as a solution is that it: A. Provides better program modification options. B. Usually has lower upfront costs for equipment and maintenance. C. Is the best way to secure sensitive corporate information. D. Is accessible only from within the company on its Intranet.

B

In which cyberattack stage do the attackers discover and collect as much information about the target IT system as possible? A. Research B. Reconnaissance C. Espionage D. Intel gathering

B

John works in the IT department of ABC Co. John circumvented controls to gain unauthorized access to certain data for eventual sale on the dark web. John is both: A. An attacker and a state-sponsored actor. B. An insider and a hacker. C. An adversary and an external threat. D. A hacktivist and a government-sponsored actor.

B

Metrics such as the maximum tolerable downtime (MTD) and recovery point objective (RPO) help organizations monitor which of the following Trust Services Criteria regarding system performance? A. Processing integrity B. Availability C. Security D. Confidentiality

B

Sarah approached a secured, but highly trafficked, facility containing sensitive data in Washington D.C. Sarah wore a pregnancy prosthetic and carried seemingly heavy bags in both hands in hopes that a sympathetic employee would break protocol and hold the door open for Sarah, despite her not presenting a facility keycard for scanning. Once inside the facility, Sarah planned to exploit network vulnerabilities to access the sensitive data. Which of the following attack types did Sarah initially employ? A. Man-in-the-middle (MITM) attack B. Social engineering C. Host-based attack D. Cross-site scripting

B

The chief information officer (CIO) of a growing nationwide clothing retailer is looking to implement a system backup strategy that is moderately quick to restore and affordable yet current in that it captures newly generated data each day. To accomplish this, she is considering combining two forms of backup since the company pays an outside firm an hourly rate based on the amount of time it takes to perform each backup. What kind of backup strategy is the CIO likely to move forward with? A. Daily full and daily differential backup B. Daily incremental and weekly full backup C. Daily incremental and daily differential backup D. Weekly differential and daily full backup

B

The primary difference between IaaS (Infrastructure-as-a-Service) and PaaS (Platform-as-a-Service) is the: A. Scalability of each platform. B. Control over underlying infrastructure and availability of tools for a specific function. C. Location of the underlying infrastructure and the entity maintaining it. D. Ability to design applications.

B

Under what circumstances would a service auditor be required to be independent from a subservice organization used by a service organization in an engagement to report on controls at a service organization? A. Independence is required when a subservice organization is used and management elects to use the carve-out method to present its system description. B. Independence is required when a subservice organization is used and management elects to use the inclusive method to present its system description. C. Independence is never required between the service auditor and a subservice organization. D. Independence is always required between the service auditor and a subservice organization.

B

What is the primary disadvantage of using a cold site as a disaster recovery site? A. Existing equipment or software at the site may not be compatible. B. Delivery of equipment and software may be delayed. C. Cold site compilers may not have adequate processing capacity. D. Frequent upgrades to equipment and software increase costs.

B

What would least likely be considered a physical safeguard required by HIPAA for an organization? A. Controls restricting the use of personal devices for storing protected health information (PHI) B. Controls embedded in organization software helping ensure that data integrity is not compromised C. Controls limiting access to file cabinets and computers that contain protected health information (PHI) D. Controls restricting the use of workspaces designated for processing protected health information (PHI) to only authorized personnel

B

When complementary user entity controls are identified, the scope section of the service auditor's SOC 1® Type 2 report will be amended to include which of the following? A. The scope section should not be amended to reference the complementary user entity controls. B. A statement that the service auditor did not evaluate the suitability of the design or operating effectiveness of the complementary user entity controls. C. A statement that the engagement includes the evaluation of suitability of the design and operating effectiveness of the complementary user entity controls. D. A statement that the engagement includes the evaluation of the suitability of the design but not the operating effectiveness of the complementary user entity controls.

B

Which CIS Control best describes the prevention or control of the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets? A. Control 16: Application Software Security B. Control 10: Malware Defenses C. Control 12: Network Infrastructure Management D. Control 15: Service Provider Management

B

Which of the following control activities should be taken to reduce the risk of incorrect processing in a newly installed computerized accounting system? A. Adequately safeguard assets. B. System testing through independent verification of the transaction processing results. C. Ensure proper authorization of transactions. D. Segregation of duties.

B

Which of the following is not a disadvantage of outsourcing? A. Security issues. B. Risk mitigation. C. Quality of service. D. Language barriers.

B

Which of the following statements describes the purpose of obtaining written representations in a SOC engagement? A. To confirm that the service auditor believes that the effects of any uncorrected misstatements are immaterial B. To confirm representations given to the service auditor during the engagement and reduce the possibility of a misunderstanding between the service auditor and management C. To confirm the responsibility of the service auditor around the subject matter and assertions related to the engagement D. To shift the responsibility for the fair presentation of the system from the service auditor back to management

B

Which of the following terms best describes a payroll system? A. Database management system (DBMS). B. Transaction processing system (TPS). C. Decision support system (DSS). D. Enterprise resource planning (ERP) system.

B

Brown Corporation is holding an internal meeting with its executive leadership to discuss how sensitive and confidential information is handled. As part of this discussion, executives were asked to voice any concerns and critical recommendations for handling such information. Brown Corporation's general counsel stressed the importance of implementing common operational safeguards, privacy-specific safeguards, and security controls. Which of the following reasons would most likely support the general counsel's recommendation for incorporating such implementations? A. By not implementing relevant safeguards, Brown Corporation is at risk of network connectivity slowdowns for employees. B. By not implementing relevant safeguards, Brown Corporation is more susceptible to theft of physical assets by customers and employees. C. Absence of these safeguards and controls would increase the likelihood of data breaches subjecting Brown Corporation to an unfavorable image compared to other competitors within the industry. D. Absence of these safeguards and controls would increase the likelihood of data breaches subjecting Brown Corporation to potential litigation, which would result in monetary losses.

D

A service auditor is engaged to issue a report on a subject matter using the trust services criteria. Which of the following reports would not be issued by a service auditor engaged to report on a subject matter using the trust services criteria? A. SOC for Cybersecurity B. SOC 2® C. SOC 1® D. SOC for Supply Chain

C

Devices that have a primary function of enabling other machines in a network to share an IP address so that identities may be hidden are referred to as: A. Application-level gateways. B. Software-defined wide-area network (SD-WAN) devices. C. Network address translation firewalls. D. Circuit-level gateways.

C

During the payment clearing process, which of the following methods of data obfuscation would most likely be used in relation to credit card transactions? A. Symmetric encryption B. Asymmetric encryption C. Tokenization D. Masking

C

Each of the following would be considered an example of a cybersecurity incident except which of the following? A. Phishing emails resulting in users downloading tools that infect the user's computer B. A ransomware attack holding an enterprise's data hostage C. Cybersecurity changes that have an effect on an organization's operation, mission, manufacturing capabilities, or reputation D. Seemingly harmless events exposing sensitive information to unintended parties because of careless use practices

C

If a business impact analysis (BIA) identifies a resource as one that could have a significant recovery cost, but the organization could still partially function for a limited period of time, that resource would be classified as which of the following? A. Moderate-impact (M) to low-impact (L) B. Low-impact only (L) C. High-impact (H) to moderate-impact (M) D. Moderate-impact (M) only

C

Management's description of an entity's cybersecurity risk management program should include information regarding: A. The cybersecurity risk governance structure and risk assessment process, cybersecurity control processes, and a listing of all prior breaches of cybersecurity, including timing. B. The responsibility of the service auditor for establishing and maintaining a cybersecurity risk management program that includes governance, risk assessment, control activities, monitoring, and information and communication. C. The nature of business and operations, nature of information at risk, and information on the cybersecurity risk governance structure. D. The cybersecurity risk management programs of direct competitors of the service organization.

C

Priya, an IT security associate, is evaluating security awareness at Financial Horizon Works Co. As part of this process, she decided to measure the average time taken per security training session and the click rate for emails that mirror scam emails. What components of security awareness is Priya measuring? A. Reply rates and phishing simulations B. Security behaviors (with and without champions) and report rates C. Employee engagement and phishing simulations D. Security behaviors (with and without champions) and re-click rates

C

Rathway Audit Consultants is engaged as a service auditor for a SOC 1® Type 2 engagement. In performing its final procedures of the engagement, Rathway has inquired of management about the occurrence of any subsequent events. Which of the following events would be the most likely to impact the SOC report issued by Rathway? A. The service organization CEO retired and was replaced by an external candidate. B. An annual system upgrade to ensure that functionality remained adequate to meet customer expectations. C. An audit of the internal controls over financial reporting of the service organization was issued with a modified opinion due to fraud. D. The service organization was considering the acquisition of a competitor after the report date.

C

The following characteristics are best represented by which type of cloud deployment model? Number of organizations using the same cloud: Two or more. Entity that owns the cloud: A third-party cloud service provider. Location of cloud network equipment: Off site. Purpose of cloud: Redundancy and data sharing with industry peers. A. Hybrid B. Private C. Community D. Public

C

The trust services categories include: A. Authorization, confidentiality, privacy, processing efficiency, and service. B. Authorization, controls, processing efficiency, processing integrity, and security. C. Availability, confidentiality, privacy, processing integrity, and security. D. Availability, controls, privacy, processing integrity, and service.

C

Vulnerability management refers to which of the following? A. A database of security vulnerabilities that provides unique identifiers for different vulnerabilities and risk exposures B. The process of hiding the complexity of certain tasks so that only the relevant information to a specific person performing a function is presented C. A proactive security practice designed to prevent the exploitation of IT vulnerabilities that could potentially harm a system or organization D. The idea that employees are only given what they must know to perform their job

C

Which of the following best describes a foreign key within a relational database? A. When more than one attribute is necessary to function as a unique identifier B. The space created at the intersection of a column and row in a table in which data is entered C. Attributes in one table that are also primary keys in another table D. The key that helps solidify whether each row in the table is unique

C

Which of the following is a common document found in the human resources and payroll cycle? A. Voucher B. Production schedule C. Earnings statement D. Receipt

C

Which of the following is a key difference between a management assertion included in a Type 1 and Type 2 SOC report? A. A management assertion in a Type 1 report includes a statement that controls were suitably designed throughout the period. B. A management assertion in a Type 1 report includes a statement that controls were suitably designed and operated effectively, whereas a Type 2 report only includes a statement regarding the operating effectiveness of controls. C. A management assertion in a Type 2 report includes a statement that the controls operated effectively throughout the period. D. A management assertion in a Type 2 report includes a statement that the controls operated effectively as of a specified date.

C

Which of the following would best provide a detailed and structured review of program logic? A. Direct conversion B. Acceptance C. Walk-through D. Test data processing

C

Which of the following would generally be considered an end-user device (EUD)? A. Servers B. Switches C. Tablets D. Routers

C

After choosing a software application, an organization must merge it with existing systems and business processes. Risk at this point in the software acquisition and change management process is referred to as: A. Quality risk. B. Selection and acquisition risk. C. Outsourcing risk. D. Integration risk.

D

Both a SOC 1® and SOC 2® system description documented by the management of the service organization would contain the following common components: A. Any services provided by a subservice entity, the applicable trust services criteria, and the principal service commitments and system requirements. B. A list of the types of services provided, the applicable trust services criteria, and the components of the system used to provide services. C. A list of the types of services provided, management's opinion on the suitability of the design of the system, and any relevant complementary user entity controls that must be implemented to meet control objectives. D. A list of the types of services provided, any services provided by a subservice entity, and any relevant complementary user entity controls that must be implemented to meet control objectives.

D

Bret needs to document the expenditure cycle of Cloverleaf Designs as part of his current audit engagement. He wants to create an easy-to-follow visual depiction of the process with a focus on the logical flow of data as opposed to the physical flow. What type of process documentation technique should Bret utilize? A. Process narrative B. Flowchart C. System interface diagram D. Data flow diagram

D

During the risk assessment process of a business impact analysis (BIA), resources are categorized by the impact to the day-to-day operations of an organization. If the organization could work around the loss of an information resource for days or perhaps a week, but eventual restoration of the resource must occur, this would imply that the information resource should be categorized as: A. No impact. B. High impact (H). C. Low impact (L). D. Medium impact (M).

D

Each of the following describes how the NIST Privacy Framework helps organizations manage privacy except for which of the following? A. Encouraging cross-organizational workforce collaboration relating to user privacy and IT security B. Communicating privacy practices to the rest of the organization C. Considering privacy best practices as they design and deploy systems, products, and services that affect individuals D. Reducing personal information gathered to the minimum necessary for critical business functions

D

Each of the following stages within the data life cycle is likely considered a necessary stage except: A. Preparation. B. Capture/Creation. C. Purging. D. Synthesis.

D

Hi Tech Corporation is a California-based company that has contracted with a separate company in India to handle its customer service call center. Hi Tech Corporation's practice is most accurately described using the term: A. Globalization B. Business process automation C. Shared services D. Offshore operations

D

Software engineers have tested and debugged code for a new product prototype and are about to perform the final phases of evaluation prior to deployment. This next round of validation would most likely happen in which of the following types of environments? A. Production B. Testing C. Development D. Staging

D

When an adverse opinion is issued in a SOC 2® engagement, which section of the service auditor's report should include the matter(s) giving rise to the adverse opinion? A. The service auditor's responsibility section B. The inherent limitations section C. The scope section D. The adverse opinion section in a separate paragraph before the opinion paragraph

D

Which database schema, commonly used for dimensional modeling, is best described as one where data is organized into a central fact table with associated dimension tables surrounding it? A. Flat model B. Hierarchical model C. Snowflake schema D. Star schema

D

Which of the following assumes that a company's network is always at risk and focuses on continuous validation? A. Least privilege B. Whitelisting C. Need-to-know D. Zero trust

D

Which of the following best describes a service auditor's consideration of materiality in a SOC 2® Type 1 engagement? A. The service auditor need not assess materiality in a Type 1 engagement as it is focused on the design and implementation of controls. B. The service auditor should consider the impact that deviations may have on the internal control over financial reporting of a broad range of report users. C. The service auditor should consider whether misstatements in the description or deficiencies in the suitability of the design and operating effectiveness of controls could reasonably be expected to influence the decisions of a broad range of report users. D. The service auditor should consider the nature of threats and the likelihood and magnitude of the risks arising from those threats to the achievement of the organization's system commitments and service requirements.

D

Which of the following best describes an example of active data collection as a method of collecting data? A. Obtaining information about customers based on time stamps when they interact with a website. B. Taking existing user data from a master database, cleaning the unnecessary data, and loading the transformed data into an analysis tool. C. Tracking web usage of users by pulling data from cookies. D. Interviewing users directly to gather information on user addresses.

D

Which of the following best describes an insurance policy that helps organizations hedge against cyberattacks by providing financial relief in the event of a successful attack? A. Business interruption insurance policies B. Commercial property insurance policies C. General liability insurance policies D. Cyber insurance policies

D

Which of the following best describes the overview of CIS Control 05: Account Management? A. Improve protections and detections of threats from email and web vectors. B. Collect, alert, review, and retain logs of events that could help to understand and recover from attacks. C. Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, admin, and service accounts for enterprise assets and software. D. Use processes and tools to assign and manage authorization to credentials for user accounts to enterprise assets and software.

D

Which of the following best describes the overview of CIS Control 15: Service Provider Management? A. Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base. B. Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack. C. Establish, implement, and actively manage (track, report, and correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points. D. Develop a process to evaluate relevant third parties who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

D

Which of the following circumstances would most likely give rise to a modified opinion from the service auditor in a SOC 1® Type 1 engagement? A. A deficiency in the operation of a relevant control was noted, but the service auditor determined the impact was neither material nor pervasive. B. The controls are not suitably designed to provide reasonable assurance that the service organization's service commitments and system requirements would be achieved based on the applicable trust services criteria. C. The controls did not operate effectively throughout the specified period to achieve the related control objectives stated in management's description of the service organization's system, in all material respects. D. Management's description of the service organization's system is not fairly presented, in all material respects.

D

Which of the following framework functions in the Privacy Framework Core best describes how the organization answers what the company's privacy risks related to data processing activities are? A. Control B. Communicate C. Govern D. Identify

D

Which of the following is a likely example of a cybersecurity threat in an organization's connections with vendors? A. Insiders in an organization could attack vendors. B. Hyperlinks could be spoofed. C. An attacker could install a keystroke logger on a key vendor. D. Vendors of target organizations could be collateral damage in supply chain disruptions.

D

Which of the following is not a network security method? A. System hardening B. Network segmentation C. Disabling service set identifier (SSID) broadcasting D. Bridges

D

Which of the following programming languages would most likely be used to run queries to retrieve specific subsets within a data set during data extraction? A. C++ B. JavaScript C. C D. SQL

D

Which of the following terms refers to a site that has been identified and maintained by the organization as a data processing disaster recovery site but has not been stocked with equipment? A. Hot. B. Warm. C. Flying start. D. Cold.

D

Which of the following utilizes cryptography to protect against data breaches and losses? A. Data collection B. Data storage C. Data deletion/purging D. Data encryption

D

Dave manages end-point security solutions for a health care consortium. Dave is implementing a solution in which software quarantines malware detected on user devices. What is the purpose of quarantining in this context? A. Scanning files in real-time and comparing them to a library of known viruses. Scheduled scans of systems should occur automatically and be performed on a regular basis. B. Monitoring and filtering traffic based on a set of predefined rules so that only trusted parties and networks can connect or interact with an organization's network, which prevents threat actors from compromising the network. C. Removing a virus's threat from the rest of a company's network, usually accomplished in an automated manner via antivirus software or manually after suspicious activity has been flagged from the review of system logs. D. Modifying the existing software program to resolve newly discovered design flaws, operating errors, or gaps that pose cybersecurity risks.

C

Pay Right Processing Inc. has engaged Olly CPA firm to perform a SOC 2® Type 2 engagement. Pay Right Processing Inc.'s internal audit department has performed testing over the design and operating effectiveness of certain controls that are relevant to the report. Which language would be most appropriate for inclusion in the service auditor's report when describing the tests of controls? A. During the examination, the internal auditor assisted with performing certain tests of design and operating effectiveness, and no additional procedures were performed with respect to the work of the internal auditor. B. Tests performed by members of the internal audit function included the inquiry of personnel performing the control, inspection of supporting documentation, and reperformance of the control. Due to the inherent limitations of an examination, we cannot provide assurance that the testing was done in accordance with relevant standards. C. Tests performed by members of the internal audit function included the inquiry of personnel performing the control, inspection of supporting documentation, and reperformance of the control. Olly reperformed a sample of tests that had been performed by the internal audit members and noted no exceptions. D. No reference to the work of the internal auditor should be made.

C

The following table presents a series of testing objects' current performance and targeted performance. Which of these testing objects would result in the documentation of "other than satisfied" findings?

Testing object | Current performance | Target performance
On-premises applications | Number of available updates/patches not yet applied: 0 | Number of available updates/patches not yet applied: 0
Wi-Fi Protected Access | WPA3 | At least WPA2 with AES
Authentication | Strong passwords (12 characters) | Multifactor authentication
Security awareness | Phishing simulation click rate: 15%; phishing simulation re-click rate: 10%; phishing simulation report rate: 60%; training exam average score: 73% | Phishing simulation click rate: <10%; phishing simulation re-click rate: <5%; phishing simulation report rate: >50%; training exam average score: >70%
Network firewall | Intrusion detection alerts: 3 | Intrusion detection alerts: <5

A. Wi-Fi Protected Access and authentication B. Authentication and phishing simulation click rates C. Phishing simulation re-click rates and Wi-Fi Protected Access D. On-premises application updates and network firewalls

B

Which of the following appropriately describes a service auditor's responsibilities regarding a service organization's description of the system, the suitability of the design of controls, the operating effectiveness of controls, or management's assertion after the date of the service auditor's report? A. The service auditor is not required to perform any procedures after the date of the service auditor's report but must respond appropriately to any subsequently discovered facts. B. The service auditor is required to inquire of management and perform procedures to obtain evidence after the date of the service auditor's report. C. The service auditor is not required to perform any procedures after the date of the service auditor's report and has no responsibility to follow up on any subsequently discovered facts. D. The service auditor is required to inquire of management about subsequent events occurring after the date of the auditor's report.

