Certified Information Systems Auditor (CISA) — Question 745
An IS auditor assessing an organization’s information systems needs to understand management’s approach regarding controls. Which documentation should the auditor review FIRST?
Answer options
- A. Policies
- B. Standards
- C. Guidelines
- D. Procedures
Correct answer: A
Explanation
The correct answer is A: policies provide the foundational framework and high-level directives that guide the organization’s approach to controls. Standards, guidelines, and procedures are more detailed and are developed from those overarching policies, so they are less critical to review first.