Certified Information Systems Auditor (CISA) — Question 572

Which of the following reports would provide the GREATEST assurance to an IS auditor about the controls of a third party that processes critical data for the organization?

Answer options

Correct answer: A

Explanation

The independent control assessment (A) is conducted by an external party and provides an objective evaluation of the controls in place, thus offering the highest level of assurance. In contrast, a black box penetration test report (B) focuses on identifying vulnerabilities, the control self-assessment (C) may lack independent verification, and a vulnerability scan report (D) primarily identifies weaknesses without assessing the effectiveness of controls.