Certified Information Systems Auditor (CISA) — Question 1396

During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

Answer options

• A. reflect current practices.
• B. be subject to adequate quality assurance (QA).
• C. include new systems and corresponding process changes.
• D. incorporate changes to relevant laws.

Correct answer: D

Explanation

The correct answer is D because failing to incorporate changes to relevant laws can lead to legal non-compliance, which poses a major risk to the organization. While the other options are also important, the legal implications of outdated policies are often the most critical concern for IS auditors.