Certified Information Systems Auditor (CISA) — Question 36
Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?
Answer options
- A. Security awareness training was not provided prior to the test.
- B. Staff members were not notified about the test beforehand.
- C. Staff members who failed the test did not receive follow-up education.
- D. Test results were not communicated to staff members.
Correct answer: C
Explanation
The most critical concern is that staff members who failed the test did not receive additional education, because this leaves them no better prepared for real phishing attacks than they were before the test. The lack of prior training, advance notification, or communication of results is also worth noting, but failing to educate those who struggled directly undermines their ability to recognize future threats, which is the outcome the simulation is meant to improve.