Certified Information Systems Auditor (CISA) — Question 964
An IS auditor reviewing an IT organization should be MOST concerned if the IT steering committee:
Answer options
- A. does not meet regularly for oversight of IT investments and projects.
- B. consults the board of directors on procedural and standard changes.
- C. reviews IT-related policies and standards only once per year.
- D. does not include business-level representation.
Correct answer: D
Explanation
D is the correct answer because the absence of business-level representation on the IT steering committee can lead to misalignment between IT initiatives and business goals. Options A and C point to issues with oversight frequency and policy review, but they do not directly affect alignment with business strategy. Option B describes positive engagement with the board, which is not a concern.