CompTIA Security+ (SY0-701) — Question 315
Which of the following should an internal auditor check for first when conducting an audit of the organization’s risk management program?
Answer options
- A. Policies and procedures
- B. Asset management
- C. Vulnerability assessment
- D. Business impact analysis
Correct answer: A
Explanation
The correct answer is A because policies and procedures provide the foundational framework for the risk management program, guiding its implementation and effectiveness. The other options, while important, are secondary steps that depend on established policies and procedures to be carried out correctly.