Certified Information Systems Auditor (CISA) — Question 1118
An IS auditor is evaluating the IT business planning process. Which of the following should be of GREATEST concern to the auditor?
Answer options
- A. Several business cases are found to be based on a misdiagnosed problem.
- B. End users are not involved in business case development.
- C. Business case development is completed before strategic initiatives are finalized.
- D. Business impact analysis (BIA) results are not included in the business case.
Correct answer: A
Explanation
Option A is the most concerning: business cases based on a misdiagnosed problem could lead to ineffective or irrelevant initiatives. Options B, C, and D are important, but they do not affect the foundational validity of the business cases as directly as a misdiagnosed problem does.