Certified Information Systems Auditor (CISA) — Question 342

Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?

Answer options

• A. Data security requirements are not considered.
• B. Additional training is required for end users.
• C. The system is not supported by the IT department.
• D. Corporate procurement standards are not followed.

Correct answer: A

Explanation

The primary concern is that data security requirements may be overlooked, leading to vulnerabilities. While additional training and support issues are important, they are secondary to the critical risk of inadequate security measures. Similarly, not following procurement standards is a concern, but it does not impact security as directly as the first option.