Certified Information Systems Auditor (CISA) — Question 1017

Which type of review is MOST important to conduct when an IS auditor is informed that a recent internal exploitation of a bug has been discovered in a business application?

Answer options

• A. Application security testing
• B. Forensic audit
• C. Server security audit
• D. Penetration testing

Correct answer: A

Explanation

Application security testing is crucial in this scenario as it focuses on identifying vulnerabilities within the application itself, which is where the exploitation occurred. While a forensic audit may help understand the breach, it doesn't address the security flaws directly. A server security audit and penetration testing are also important but do not specifically target the application where the bug was exploited.