100

What is the primary purpose of an IT audit report's executive summary? 

a) To list all the server IP addresses tested. 

b) To provide a high-level overview of the most critical IT risks for business leaders.

c) To detail the specific audit software used. 

d) To thank the system administrators for their cooperation. 

b) To provide a high-level overview of the most critical IT risks for business leaders.

100

In an IT audit finding, the "Criteria" most often comes from: 

a) The auditor's personal opinion. 

b) An external hacker's blog. 

c) The organization's Information Security Policy or an industry standard like NIST.

d) The system administrator's verbal explanation.

c) The organization's Information Security Policy or an industry standard like NIST.

100

The acronym S.M.A.R.T. is used for creating effective:

a) Firewall rules 

b) Encryption algorithms 

c) Recommendations for remediation 

d) User passwords

c) Recommendations for remediation

100

Which of the following is NOT a characteristic of a good IT audit report? 

a) Timely 

b) Ambiguous

c) Constructive 

d) Accurate

b) Ambiguous

100

What is the main goal of re-running a vulnerability scan during a follow-up? 

a) To find new vulnerabilities. 

b) To verify that previously identified vulnerabilities have been patched.

c) To test the performance of the scanning tool. 

d) To fulfill a daily task checklist.

b) To verify that previously identified vulnerabilities have been patched.

200

When presenting a finding about a critical database vulnerability to the board of directors, an IT auditor should emphasize the: 

a) Specific version of the database software. 

b) Complexity of the exploit code. 

c) Potential for a major data breach and its impact on the business.

d) Number of hours it will take a developer to fix it.

c) Potential for a major data breach and its impact on the business.

200

A Governance, Risk, and Compliance (GRC) tool is primarily used in the audit follow-up phase for: 

a) Planning the next audit cycle. 

b) Storing user credentials. 

c) Monitoring the implementation status of recommendations.

d) Performing penetration testing.

c) Monitoring the implementation status of recommendations.

200

Which section of the IT audit report would specify that the audit covered "all Windows servers in the production environment"? 

a) Executive Summary 

b) Findings 

c) Objectives and Scope

d) Conclusion

c) Objectives and Scope

200

An IT audit finding states: "20 servers are missing the latest critical security patch." Which "C" of the 5 Cs is missing to fully explain the impact? 

a) Criteria 

b) Condition 

c) Cause 

d) Consequence

d) Consequence

200

Which of the following is the best example of a S.M.A.R.T. recommendation? 

a) IT should improve its patch management process.

b) The Server Admin team will deploy Microsoft patch MS25-007 to all production web servers (list attached) by Friday at 5 PM to mitigate the critical vulnerability (CVE-2025-12345).

c) We need to install antivirus software on all computers soon. 

d) The firewall configuration should be updated for better security.

b) The Server Admin team will deploy Microsoft patch MS25-007 to all production web servers (list attached) by Friday at 5 PM to mitigate the critical vulnerability (CVE-2025-12345).

300

An auditor finds that the company's disaster recovery plan was last tested in 2019. Company policy requires an annual test. The "Condition" in this finding is: 

a) The policy requiring an annual test. 

b) The DR plan has not been tested since 2019.

c) The risk of prolonged system downtime after an incident. 

d) The IT Director retired and a replacement has not been hired.

b) The DR plan has not been tested since 2019.

300

During a presentation to the Chief Information Security Officer (CISO), an IT auditor should focus on: 

a) Minor typos in the user-facing help files. 

b) The color scheme of the IT helpdesk portal. 

c) Findings that represent a gap in the security framework and could be exploited.

d) The brand of monitors used by the development team.

c) Findings that represent a gap in the security framework and could be exploited.

300

An audit report detailing a critical remote code execution vulnerability is issued three months after the fieldwork. This violates the characteristic of being: 

a) Accurate 

b) Objective 

c) Constructive 

d) Timely

d) Timely

300

The root cause of a phishing attack's success is determined to be a lack of employee awareness. The most relevant recommendation would be to: 

a) Purchase a more expensive email filtering gateway. 

b) Block all external emails. 

c) Implement a mandatory, recurring cybersecurity awareness training and phishing simulation program for all staff.

d) Fire the employee who clicked the link.

c) Implement a mandatory, recurring cybersecurity awareness training and phishing simulation program for all staff.

300

IT management disagrees with a finding about weak password policies, claiming a stronger policy would lead to too many helpdesk calls. The auditor's most appropriate initial step is to: 

a) Immediately remove the finding from the report.

b) Escalate the issue to the Audit Committee without further discussion. 

c) Acknowledge their concern and provide industry data on how multi-factor authentication (MFA) can mitigate the risk without relying solely on password complexity.

d) Insist that management must comply with the policy exactly as written.

c) Acknowledge their concern and provide industry data on how multi-factor authentication (MFA) can mitigate the risk without relying solely on password complexity.

400

An audit reveals that server backup jobs fail 15% of the time. To best illustrate the consequence in a presentation, the auditor should use: 

a) A list of the specific servers with failed backups. 

b) A copy of the backup policy (the criteria). 

c) An estimate of potential data loss in hours or days if a critical server crashed right after a failed backup.

d) The name of the administrator responsible for backups.

c) An estimate of potential data loss in hours or days if a critical server crashed right after a failed backup.

400

A recommendation states: "The network administrator must review all firewall rules every week." Which S.M.A.R.T. element might be the most difficult to justify as being met for a large organization with thousands of rules? 

a) Specific 

b) Measurable 

c) Achievable

d) Time-bound

c) Achievable

400

An IT audit report identifies a critical vulnerability (the condition) but fails to explain why the patch management system didn't deploy the fix (the root cause). The resulting recommendation will likely: 

a) Be too specific for the sysadmin to implement. 

b) Instruct the team to patch the server manually, which doesn't fix the broken underlying process. 

c) Be irrelevant to the identified vulnerability. 

d) Be impossible to measure.

b) Instruct the team to patch the server manually, which doesn't fix the broken underlying process. 

400

An audit manager reviews a draft report where the conclusion is "effective," but the findings section lists multiple servers with default administrative passwords and no network segmentation. The manager should: 

a) Approve the report since the auditor on the ground knows best. 

b) Change the conclusion to "ineffective" without consulting the auditor. 

c) Ask the auditor to justify how the control environment can be "effective" with such critical control failures.

d) Remove the critical findings to align with the positive conclusion.

c) Ask the auditor to justify how the control environment can be "effective" with such critical control failures.

400

During a follow-up, the IT team provides a change management ticket showing a new firewall rule has been implemented. When can the auditor officially close this finding? 

a) As soon as the ticket is marked "closed" by the IT team. 

b) After receiving an email from the IT manager confirming the work is done. 

c) After performing an independent port scan or reviewing the firewall configuration to verify the rule is active and working as intended.

d) Once the due date in the action tracker has passed.

c) After performing an independent port scan or reviewing the firewall configuration to verify the rule is active and working as intended.

500

A critical application has both a development team and an infrastructure team responsible for its security. A finding reveals the application code is vulnerable. The most effective recommendation should: 

a) Assign remediation solely to the infrastructure team. 

b) Assign remediation to the Chief Technology Officer (CTO) to ensure it gets done. 

c) Assign primary responsibility to the development team to fix the code, with a related action for the infrastructure team to implement a Web Application Firewall (WAF) as a compensating control. 

d) Omit assigning responsibility and let the teams decide.

c) Assign primary responsibility to the development team to fix the code, with a related action for the infrastructure team to implement a Web Application Firewall (WAF) as a compensating control.

500

Management agrees to remediate a critical vulnerability but sets a deadline one year in the future due to "competing projects." This is: 

a) A reasonable S.M.A.R.T. action plan. 

b) A satisfactory resolution. 

c) An unreasonable delay that likely constitutes risk acceptance, which the auditor must ensure is formally documented and approved at the appropriate level.

d) An issue that is no longer the auditor's responsibility.

c) An unreasonable delay that likely constitutes risk acceptance, which the auditor must ensure is formally documented and approved at the appropriate level.

500

A well-written IT audit finding allows management to: 

a) Identify which system administrator to blame for the misconfiguration. 

b) Understand the business risk of a technical issue, its root cause, and the importance of allocating resources to fix it.

c) Argue that the finding is too technical and therefore not a real risk. 

d) Delay remediation until a bigger incident occurs.

b) Understand the business risk of a technical issue, its root cause, and the importance of allocating resources to fix it.

500

An IT auditor is presenting a finding about poor data backup practices to a department head who is not technical. The best way to phrase the consequence is: 

a) "The RPO is being exceeded because the SQL transaction log backups are failing." 

b) "If the server that runs your department's main application crashes, we could lose up to a week's worth of data and it may take days to recover."

c) "The backup script is generating a NULL value which causes the job to error out." 

d) "You are not in compliance with section 4.2 of the IT backup policy."

b) "If the server that runs your department's main application crashes, we could lose up to a week's worth of data and it may take days to recover."

500

The Audit Committee is most concerned with which aspect of the IT audit follow-up process? 

a) The specific software used to track findings. 

b) The status and aging of high-risk cybersecurity and compliance-related findings.

c) The exact number of low-risk findings closed this quarter. 

d) The format of the evidence provided for closed findings.

b) The status and aging of high-risk cybersecurity and compliance-related findings.
