
CISA Question #354: Real Exam Question with Answer & Explanation

The correct answer is B: Independent audit reports.

Submitted by takeshi77 · Apr 18, 2026 · Information System Auditing Process

Question

Which of the following would provide an organization with the BEST evidence that a third party's controls are aligned with the organization's requirements?

Options

  • A. The third party's information security policies
  • B. Independent audit reports
  • C. The organization's regulatory requirements
  • D. Service level agreements (SLAs)

Explanation

Independent audit reports (such as SOC 2 or ISO 27001 audit reports) provide objective, verified evidence that a third party's controls have been tested and assessed by a neutral party. They confirm actual implementation, not just intent. Security policies (A) only document what the third party intends to do, not what they actually do. SLAs (D) define performance expectations but are not an assessment of control effectiveness. The organization's own regulatory requirements (C) describe what is needed, not what the third party has implemented.

Topics

Third-party risk management, Vendor management, Control assurance, Audit evidence
