CISSP · Question #674
What requirement MUST be met during internal security audits to ensure that all information provided is expressed as an objective assessment without risk of retaliation?
The correct answer is A. The auditor must be independent and report directly to the management.. Internal security audits require auditor independence to ensure objective, unbiased findings free from organizational pressure or retaliation. Independence is a foundational principle of auditing standards.
Question
What requirement MUST be met during internal security audits to ensure that all information provided is expressed as an objective assessment without risk of retaliation?
Options
- AThe auditor must be independent and report directly to the management.
- BThe auditor must utilize automated tools to back their findings.
- CThe auditor must work closely with both the information Technology (IT) and security sections of
- DThe auditor must perform manual reviews of systems and processes.
How the community answered
(43 responses)- A81% (35)
- B9% (4)
- C7% (3)
- D2% (1)
Why each option
Internal security audits require auditor independence to ensure objective, unbiased findings free from organizational pressure or retaliation. Independence is a foundational principle of auditing standards.
Auditor independence is a core requirement in auditing standards (e.g., ISO 19011, IIA Standards) because it ensures the auditor has no conflicts of interest and can report findings objectively. Reporting directly to management (or an audit committee) rather than to the department being audited protects the auditor from retaliation and organizational influence, preserving the integrity of the audit results.
While automated tools can enhance audit efficiency and evidence collection, their use does not inherently protect the auditor from retaliation or ensure objectivity in reporting.
Collaborating closely with IT and security teams can create familiarity bias and compromise auditor independence, increasing rather than reducing the risk of influenced or non-objective findings.
Manual review is one audit methodology among many and does not address the organizational or structural requirement needed to prevent retaliation and ensure objective reporting.
Concept tested: Auditor independence and objectivity in security audits
Source: https://www.iso.org/standard/70017.html
Topics
Community Discussion
No community discussion yet for this question.