During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
A. reflect current practices.
B. be subject to adequate quality assurance (QA).
C. include new systems and corresponding process changes.
Review is conducted to be sure it reflects current practices. Regulation change may change your way of doing your business, but law/regulation change may happen in 10 years. I am asking "is it ok for a company not to review their policies and procedures for 10 years?". Answer is clearly A. If regulations change, you will change your way of doing your business, therefore its main purpose.
The outdated IT policies and procedures might not reflect changes in relevant laws and regulations. This poses significant compliance risks, legal liabilities, and potential penalties for the organization. Ensuring policies are updated to incorporate changes to laws is critical for maintaining regulatory compliance and avoiding legal exposure.
D. incorporate changes to relevant laws.
The greatest concern for an IS auditor when IT policies and procedures are not regularly reviewed and updated is that they might not incorporate changes to relevant laws and regulations. Compliance with legal and regulatory requirements is critical for any organization, and failure to do so can result in significant legal penalties, financial losses, and damage to the organization's reputation.
However, the term "GREATEST concern" in the question implies identifying the most critical issue among the options. Reflecting current practices (Option A) is often considered the top priority because it ensures that policies and procedures are not only compliant but also effective in addressing the current state of technology, business operations, and security practices. Keeping policies in line with current practices is fundamental for maintaining a robust IT governance framework.
While incorporating changes to relevant laws, subjecting policies and procedures to adequate quality assurance (QA), and including new systems and corresponding process changes are all important considerations, they are not the greatest concern to the IS auditor. These issues can also be addressed through regular policy and procedure reviews and updates, ensuring that the policies and procedures reflect current best practices, legal requirements, and organizational needs.
A. reflect current practices.
Regular review and updates of IT policies and procedures are important to ensure that they align with current practices and standards. Failure to do so can result in policies and procedures becoming outdated, which can create risks and vulnerabilities for the organization. While the other options listed are also important, the primary concern for the IS auditor is to ensure that policies and procedures are up-to-date and accurately reflect the organization's current IT environment.