Certified Information Systems Auditor (CISA) — Question 875
A business has requested an audit to determine whether information stored in an application is adequately protected. Which of the following is the MOST important action before the audit work begins?
Answer options
- A. Assess the threat landscape.
- B. Perform penetration testing.
- C. Review remediation reports.
- D. Establish control objectives.
Correct answer: D
Explanation
Establishing control objectives is essential because it sets the framework for what needs to be audited and what security measures should be in place. Without clear objectives, the audit may lack direction and fail to address key vulnerabilities. The other options, while important, do not provide the foundational guidelines necessary to conduct the audit effectively.