Certified Information Systems Auditor (CISA) — Question 882
Halfway through an enterprise-wide project to implement business solutions, an IS auditor is called in to do a project risk evaluation. The results from this audit are to be communicated directly to the project steering committee. What should the auditor do FIRST?
Answer options
- A. Assess the project organization and actual cost incurred.
- B. Interview the project manager about the project scope and current status.
- C. Review the organization's project management framework.
- D. Perform a risk assessment of the project based on best practices.
Correct answer: C
Explanation
The correct answer is C because reviewing the organization's project management framework provides the auditor with essential context and guidelines for assessing the project. Options A, B, and D, while important, should come after the auditor understands the framework, so that the audit aligns with the organization's standards and practices.