An organization offers an online information security awareness program to employees on an annual basis.
Which of the following from an audit of the program should be the auditor's GREATEST concern?
Which of the following is a risk of cross-training?
An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective
actions have not been taken and that the associated risk has been accepted by senior management. If the
auditor disagrees with management's decision, what is the BEST way to address the situation?
An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The
IS auditor should FIRST:
Which of the following should an IS auditor expect to find when reviewing IT security policy?
