nerdexam
(ISC)2

CISSP · Question #674

What requirement MUST be met during internal security audits to ensure that all information provided is expressed as an objective assessment without risk of retaliation?

The correct answer is A. The auditor must be independent and report directly to the management.. Internal security audits require auditor independence to ensure objective, unbiased findings free from organizational pressure or retaliation. Independence is a foundational principle of auditing standards.

Submitted by tarun92· Mar 5, 2026Security Assessment and Testing

Question

What requirement MUST be met during internal security audits to ensure that all information provided is expressed as an objective assessment without risk of retaliation?

Options

  • AThe auditor must be independent and report directly to the management.
  • BThe auditor must utilize automated tools to back their findings.
  • CThe auditor must work closely with both the information Technology (IT) and security sections of
  • DThe auditor must perform manual reviews of systems and processes.

How the community answered

(43 responses)
  • A
    81% (35)
  • B
    9% (4)
  • C
    7% (3)
  • D
    2% (1)

Why each option

Internal security audits require auditor independence to ensure objective, unbiased findings free from organizational pressure or retaliation. Independence is a foundational principle of auditing standards.

AThe auditor must be independent and report directly to the management.Correct

Auditor independence is a core requirement in auditing standards (e.g., ISO 19011, IIA Standards) because it ensures the auditor has no conflicts of interest and can report findings objectively. Reporting directly to management (or an audit committee) rather than to the department being audited protects the auditor from retaliation and organizational influence, preserving the integrity of the audit results.

BThe auditor must utilize automated tools to back their findings.

While automated tools can enhance audit efficiency and evidence collection, their use does not inherently protect the auditor from retaliation or ensure objectivity in reporting.

CThe auditor must work closely with both the information Technology (IT) and security sections of

Collaborating closely with IT and security teams can create familiarity bias and compromise auditor independence, increasing rather than reducing the risk of influenced or non-objective findings.

DThe auditor must perform manual reviews of systems and processes.

Manual review is one audit methodology among many and does not address the organizational or structural requirement needed to prevent retaliation and ensure objective reporting.

Concept tested: Auditor independence and objectivity in security audits

Source: https://www.iso.org/standard/70017.html

Topics

#auditing principles#auditor independence#risk management#governance

Community Discussion

No community discussion yet for this question.

Full CISSP Practice