Certified Information Systems Auditor (CISA) — Question 1356

During a review of an organization’s technology policies, which of the following observations should be of MOST concern to the IS auditor?

Answer options

• A. Business objectives are not defined.
• B. Legal requirements are not considered.
• C. A globally acknowledged framework is not used.
• D. The policies have not been reviewed within the last three years.

Correct answer: B

Explanation

The correct answer is B because neglecting legal requirements can lead to significant compliance issues and potential legal liabilities for the organization. While the other options are concerning, they do not pose as immediate and severe risks as failing to consider legal obligations.