Certified Information Systems Auditor (CISA) — Question 1064

Which of the following BEST indicates a need to review an organization's information security policy?

Answer options

• A. Increasing exceptions approved by management
• B. Completion of annual IT risk assessment
• C. High number of low-risk findings in the audit report
• D. Increasing complexity of business transactions

Correct answer: A

Explanation

Option A is correct because an increase in management-approved exceptions suggests that the current policy may not be adequate or is being circumvented, indicating a need for review. Options B, C, and D, while they may reflect certain aspects of security or business operations, do not directly imply that the security policy itself is insufficient or needs reevaluation.