CompTIA CASP+ (CAS-004) — Question 482
The Chief Information Security Officer (CISO) is working with the compliance team to perform vendor selection for an upcoming audit engagement. One of the firms providing an offer for services was recently fined by a regulatory authority for ethical violations associated with licensing exams. Which of the following criteria would be most appropriate to consider when selecting a vendor?
Answer options
- A. Negative press associated with the audit firm may bring into question the integrity of the audit performed against the organization's systems.
- B. The CISO should select the firm offering the best financial terms regardless of the background of the firm.
- C. Since the CISO will be involved in the audit process, the CISO should recuse themselves from the selection process.
- D. Since the audit firm will be a trusted third party, it is not necessary to perform due diligence activities as part of the engagement.
Correct answer: A
Explanation
The correct answer is A because negative press about an audit firm can significantly undermine the trustworthiness of the audit it performs, affecting the organization's reputation and compliance posture. Option B ignores the firm's ethical record in favor of price alone, option C wrongly removes the CISO from a selection process in which they should take part, and option D incorrectly assumes that due diligence is unnecessary for a trusted third party.