Certified Information Systems Auditor (CISA) — Question 987

Which of the following observations should be of GREATEST concern to an IS auditor reviewing an organization's enterprise architecture (EA) program?

Answer options

• A. The EA program governs projects that are not IT-related.
• B. Information security requirements are reviewed by the EA program.
• C. IT application owners have sole responsibility for architecture approval.
• D. The architecture review board is chaired by the chief information officer (CIO).

Correct answer: C

Explanation

Option C is concerning because it indicates a lack of checks and balances in the architecture approval process, which can lead to biased decisions. Options A and B are less concerning as they show broader governance and security considerations. Option D is also not a major concern, as having the CIO chair the board may ensure alignment with business objectives.