CISA Certified Information Systems Auditor – Question0299

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s information security program?

A.
The program was not formally signed off by the sponsor.
B. Key performance indicators (KPIs) are not established.
C. Not all IT staff are aware of the program.
D. The program was last updated five years ago.

Correct Answer: B