Certified Information Systems Auditor (CISA) — Question 365

An employee transfers from an organization's risk management department to become the lead IS auditor. While in the risk management department, the employee helped develop the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?

Answer options

• A. Evaluating the effectiveness of IT risk management processes
• B. Recommending controls to address the IT risks identified by KPIs
• C. Developing KPIs to measure the internal audit team
• D. Training the IT audit team on IT risk management processes

Correct answer: C

Explanation

Option C poses the greatest threat to the auditor's independence because the auditor would be involved in creating performance metrics for their own team, which could lead to conflicts of interest. Options A, B, and D involve evaluating or training on processes without directly impacting the auditor's own performance metrics, thus maintaining a level of objectivity.