CISA Question #448: Real Exam Question with Answer & Explanation

Submitted by anna_se · Apr 18, 2026 · Information Systems Acquisition, Development, and Implementation

Question

An IS auditor learns that an organization did not conduct any penetration testing over one internet-facing webpage prior to its production deployment. Which of the following is the auditor's BEST course of action?

Options

  • A. Revise IT security procedures to require penetration tests for internally developed services prior
  • B. Report a control deficiency, as no penetration test has been conducted and documented.
  • C. Confirm whether vulnerability scanning was conducted after the webpage was deployed.
  • D. Meet with IT and the information security team to determine why testing was not completed.

Topics

#Penetration Testing #SDLC Security #Auditor Investigation #Control Deficiency