Exam CCSP topic 1 question 119 discussion

Costs is a focus of audit? disagree.

Speaking from experience doing security audits at clients, internal audits do NOT result in an official certification of any kind. See it as a way of 1) finding gaps and fixing them by a certain date by which an external audit will actually perform the audit and provide certification.

An internal audit typically focuses on verifying the design and effectiveness of internal controls, operational efficiency, and sometimes cost considerations (e.g., financial compliance). Certification, on the other hand, is usually part of an external or third-party audit process, aiming to validate that the organization meets a recognized external standard (e.g., ISO, SOC, etc.).

in my work, i don't think Internet audit focus on operation efficiency, our SOP will increase after their audit every time, our workload increases as well

Because external audits does not take on the role of a "trusted advisor" but more of a regulator with punitive capability, I see "A" as the BEST answer.

The CCSP offical guide mentioned that internal audit covers cost, design, performance...while external covers some sort of the efficiency of control implementation.

Certification,

Answer looks correct to me, note the word 'internal' got to be A

C, costs out of audit scope

Agree that Costs should be the correct answer. Certification I think is a red-herring (distractor).

internal audit may be the first phase of certification process, before going with external auditor for certification.Internal audit is recomanded.Costs should be best answer

Me too. Anyone else want to chime in?