CISA Certified Information Systems Auditor – Question0303

Which of the following is MOST important for an IS auditor to evaluate when determining the effectiveness of an information security program?

A.
Percentage of users aware of the objectives of the security program
B. Percentage of policy exceptions that were approved with justification
C. Percentage of desired control objectives achieved
D. Percentage of reported security incidents

Correct Answer: C