Certified Information Systems Auditor (CISA) — Question 202

Which of the following is the GREATEST concern associated with a high number of IT policy exceptions approved by management?

Answer options

• A. The exceptions are likely to continue indefinitely.
• B. The exceptions may negatively impact process efficiency.
• C. The exceptions may elevate the level of operational risk.
• D. The exceptions may result in noncompliance.

Correct answer: D

Explanation

The correct answer is D because a high number of exceptions can create a situation where policies are not followed, leading to regulatory and compliance issues. While the other options highlight valid concerns, none of them directly address the potential legal and regulatory implications of noncompliance, which is often the most serious consequence.