Certified Information Systems Auditor (CISA) — Question 1206

An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?

Answer options

• A. Penetration testing
• B. Threat risk assessment
• C. Compliance testing
• D. Vulnerability assessment

Correct answer: A

Explanation

Penetration testing simulates real-world attacks to identify vulnerabilities that could be exploited, thus providing concrete evidence of inadequate controls. While a threat risk assessment evaluates potential risks, it does not demonstrate vulnerabilities directly. Compliance testing checks adherence to standards, and a vulnerability assessment identifies weaknesses but doesn’t exploit them to show their potential impact.