The absence of periodic external assessments is a direct violation of mandatory professional standards, such as The Institute of Internal Auditors (IIA) Standard 1312, which requires an external quality assessment at least once every five years. This is a fundamental component of a Quality Assurance and Improvement Program (QAIP). Failure to perform this independent review presents the greatest concern because it undermines the credibility, objectivity, and perceived value of the entire internal audit function. It deprives the audit committee and senior management of independent assurance that the audit activity conforms with globally recognized standards and operates effectively.

B. While reporting to the audit committee is critical, the specific frequency (e.g., quarterly) is a procedural detail; a lack of reporting altogether would be the core issue.

C. Inconsistent tracking of corrective actions is a significant internal process weakness, but the lack of an external assessment is a more fundamental governance failure that would likely identify such issues.

D. The use of substantive testing depends on the specific audit's objectives and risk assessment; its absence is not inherently a quality assurance failure for all audits.

---

1. The Institute of Internal Auditors (IIA)

International Standards for the Professional Practice of Internal Auditing (Standards)

July 2023. Standard 1312: External Assessments states

"External assessments must be conducted at least once every five years by a qualified

independent assessor or assessment team from outside the organization." The standard's interpretation notes that this assessment provides an independent opinion on the internal audit activity's conformance with the Standards and Code of Ethics.

2. ISACA

CISA Review Manual

27th Edition

2019. Domain 1: Information System Auditing Process

Section 1.5.4 Quality Assurance of the Audit Function. This section discusses the need for a quality assurance and improvement program that includes both internal and external reviews to ensure the audit function's compliance with standards and its overall effectiveness. The manual emphasizes that external reviews provide independent assurance to stakeholders.

3. Anderson

U. L.

Head

M. J.

Ramamoorti

S.

Riddle

C.

Salamasick

M.

& Sobel

P. J. Internal Auditing: Assurance & Advisory Services

4th Edition. The IIA Research Foundation

2017. Chapter 2

"The International Professional Practices Framework: Authoritative Guidance for the Internal Audit Profession

" details the components of a QAIP

explicitly citing Standard 1312 and explaining that external assessments are crucial for validating the internal audit function's conformance with professional standards and identifying opportunities for improvement.

The IS auditor's immediate responsibility is to report findings and significant developments within the audit's chain of command. The decision by new management to not implement previously accepted recommendations represents a change in risk acceptance and is a material finding for the follow-up audit. The auditor must report this to the audit manager, who is responsible for overseeing the audit engagement. The audit manager will then determine the appropriate next steps, which may include discussing the issue with senior management and deciding whether escalation to the audit committee is warranted. This ensures that the audit function's internal procedures and reporting lines are respected.

A. Notifying the chair of the audit committee is a significant escalation. This step should be determined by audit management, not undertaken unilaterally by the auditor as a first action.

C. Retesting the control is irrelevant. The issue is not the control's operational effectiveness but management's conscious decision not to implement the agreed-upon remediation.

D. Closing the audit finding is incorrect. The finding cannot be closed because the risk has not been mitigated as planned. Management's decision to accept the risk must be documented and reported.

---

1. ISACA

CISA Review Manual

27th Edition. Chapter 1

The Process of Auditing Information Systems

p. 59. The manual states

"The IS auditor should report to the audit manager/director... The audit manager/director is responsible for ensuring that the communication is directed to the appropriate parties." This establishes the correct internal reporting line that the auditor must follow.

2. ISACA

ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Guideline 2401 Reporting

Section 2401.7 Supervisory Review. This guideline emphasizes that "IS audit and assurance work papers should be reviewed by a senior member of the IS audit and assurance function before the audit reports are finalized and issued." This reinforces the principle that findings

especially significant ones like a change in management's risk posture

must be reviewed internally by management (i.e.

the audit manager) first.

3. ISACA

CISA Review Manual

27th Edition. Chapter 1

The Process of Auditing Information Systems

p. 61. Regarding follow-up

it notes

"If management has assumed the risk of not correcting the reported condition

this should be documented by the IS auditor and communicated to senior management and the audit committee." While this communication is necessary

the process begins with reporting the situation to the audit manager

who then directs these subsequent communications.

The principle of least privilege is a fundamental security concept requiring that users be granted only the access and permissions necessary to perform their job duties. In this scenario, providing administrator rights to most users on an externally facing system containing sensitive data is a severe violation of this principle. Administrator privileges inherently grant the ability to alter system configurations, modify or delete data, and change security settings. This creates the greatest risk of unauthorized changes, whether malicious or accidental, which directly compromises the integrity, availability, and confidentiality of the system and its data.

A. While administrators can export logs, this is a specific action. The ability to make any unauthorized change is a much broader and more significant risk.

B. Viewing sensitive data is a function of the system for both user types. The core issue highlighted is the risk from excessive privileges, not authorized access.

D. Installing software is a subset of the actions an administrator can perform. The overarching risk is the general capability to make unauthorized changes, which includes more than just software installation.

---

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations

Maintenance and Service Management

Section 4.4 Logical Access. The manual emphasizes that access rights should be granted based on the "need-to-know" and "need-to-do" principles

and that powerful privileges (such as administrator rights) must be strictly controlled to prevent unauthorized activities that could compromise the system.

2. National Institute of Standards and Technology (NIST) Special Publication 800-53

Revision 5. Security and Privacy Controls for Information Systems and Organizations

Control AC-6 "Least Privilege." This control states: "The organization employs the principle of least privilege

allowing only authorized accesses for users...that are necessary to accomplish assigned tasks." The discussion section notes that this prevents users from making unauthorized changes or performing functions outside their roles.

3. Saltzer

J. H.

& Schroeder

M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE

63(9)

1278-1308. This foundational academic paper introduces the principle of least privilege

stating

"Every program and every user of the system should operate using the least set of privileges necessary to complete the job." The rationale is to limit the damage that can result from an accident or error. (DOI: https://doi.org/10.1109/PROC.1975.9939

Section I.A.3).

The integrity of the audit trail is paramount for an IS auditor. If a firewall is compromised, an attacker's first action is often to alter or delete local logs to cover their tracks. Storing logs on a separate, protected host (e.g., a SIEM or a hardened log server) ensures that a reliable and tamper-evident record of all network activity and potential security incidents is preserved. This preserved evidence is essential for forensic investigation, incident response, and for the auditor to verify the firewall's operational effectiveness over time.

B. Automated alerts are being sent when a risk is detected: Alerts are generated from log data. If the underlying logs are not protected and can be tampered with (as addressed in A), the alerts become unreliable or may not be generated at all.

C. Insider attacks are being controlled: This is a broad security objective, not a specific firewall control. A firewall is only one component in a defense-in-depth strategy to mitigate insider threats.

D. Access to configuration files Is restricted: While this is a critical preventive control, a system can still be compromised via other means (e.g., a zero-day vulnerability). In such a case, secure, external logs are the only way to detect and investigate the breach. The integrity of evidence (logs) is fundamental to the audit function.

---

1. ISACA

CISA Review Manual

27th Edition

2019.

Page 213

Section 4.4.4 Security Event Logging and Monitoring: "The IS auditor should verify that security events are logged and that the logs are secured to prevent tampering... Log data should be sent to a dedicated log server to prevent the logs from being destroyed by an attacker." This directly supports the critical need to secure logs on a separate host to prevent tampering

which is a primary concern for an auditor.

2. ISACA

"Auditing Network Perimeters

" Audit Program

2016.

Section 3.2.4: The audit program directs the auditor to "Verify that firewall logs are enabled to log all inbound and outbound traffic

and sent to a dedicated and secured log server." This step is crucial for ensuring a complete and reliable audit trail

which underpins the entire audit of the control's operation.

3. NIST Special Publication 800-92

"Guide to Computer Security Log Management

" 2006.

Section 3.4.1

Page 3-10: "Organizations should store logs on dedicated log servers

not on the hosts that generate the logs... Storing logs on a different system from the one that generates them makes it more difficult for attackers to tamper with the logs." This official guideline establishes the practice as a fundamental security principle for maintaining log integrity.

The primary objective of an IT strategy is to ensure that IT plans and activities support and enable the overall business strategy. An IT strategy derived solely from market trends is fundamentally misaligned with the organization's specific goals and needs. This represents the greatest strategic risk because it can lead to the misallocation of resources, investment in inappropriate technologies, and a failure to deliver value to the business. The IS auditor's main concern in a strategic review is this alignment between business objectives and IT initiatives.

A. Defining target architecture at a technical level within a strategy document can indicate thorough planning and is not inherently a concern.

B. While not achieving prior goals is a concern about execution, a flawed basis for the current strategy is a more fundamental and critical issue.

D. Including financial estimates is a best practice for effective planning, budgeting, and demonstrating due diligence, not a point of concern.

1. ISACA. (2019). CISA Review Manual

27th Edition. Domain 2: Governance and Management of IT

Section 2.3.1 IT Strategic Plan. The manual states

"The IT strategic plan must be an integral part of the overall business strategic plan... The focus should be on strategic alignment..." This highlights that the business plan

not external trends alone

must be the primary driver.

2. ISACA. (2018). COBIT 2019 Framework: Introduction and Methodology. Chapter 3

The COBIT Core Model

p. 21. The COBIT goals cascade model explicitly shows that enterprise goals are derived from stakeholder needs

and alignment goals (IT-related goals) are derived from enterprise goals. This framework establishes a clear top-down linkage from business needs to IT strategy.

3. Luftman

J. N. (2000). Assessing business-IT alignment maturity. Communications of the Association for Information Systems

4(1)

Article 14. This foundational academic paper on strategic alignment maturity notes that lower levels of maturity are characterized by a lack of a clear

business-driven IT strategy. Relying on trends instead of business goals is indicative of low alignment maturity. (DOI: https://doi.org/10.17705/1CAIS.00414)

The primary consideration for an IS auditor when determining which issues to include in an audit report is materiality. Materiality refers to the significance of a finding in the context of the audit objectives. An audit finding is material if its omission or misstatement could influence the decisions of management or other stakeholders. The purpose of the audit report is to communicate significant findings that require management's attention and potential action. Focusing on material issues ensures that the report is relevant, impactful, and drives improvements in governance, risk management, and control, rather than overwhelming stakeholders with trivial details.

A. Professional skepticism is a critical professional attitude and mindset that must be applied throughout the entire audit process, not a specific criterion for selecting which findings to report.

B. Requiring management's agreement on findings before inclusion would fundamentally compromise the auditor's independence and objectivity, which are cornerstones of the audit profession.

D. Inherent risk is assessed during the audit planning phase to determine the nature and extent of audit procedures, not to decide which identified findings are significant enough for the final report.

---

1. ISACA. (2019). CISA Review Manual

27th Edition. Section 1.3.2

"Materiality

" states

"Materiality is a key concept that will be used when planning the audit and when evaluating the identified errors and irregularities... The IS auditor should consider materiality when determining the reportable findings."

2. ISACA. (2014). ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition. Guideline 2204

"Materiality

" Section 3.1

notes that "IS audit and assurance professionals should consider materiality and its relationship to audit risk when... evaluating the effect of identified control weaknesses and/or lack of compliance with established processes." This evaluation directly informs what is reported.

3. Singleton

T. (2011). The Core of the CISA Exam. ISACA Journal

Volume 2. This article emphasizes that a CISA candidate must understand core concepts

stating

"Materiality is a concept that relates to the importance or significance of an amount

transaction or discrepancy... The IS auditor must consider materiality in determining the appropriate reportable conditions."

The presence of unused applications indicates a failure in managing the entire lifespan of IT assets. Asset life cycle management is a comprehensive process that governs an asset from planning and acquisition through deployment, utilization, maintenance, and eventual retirement. Implementing this framework ensures that applications are periodically reviewed for their continued business value and are properly decommissioned when no longer needed. This proactive management directly prevents the accumulation of unused software ("shelfware") by embedding review and retirement phases into standard procedure, addressing the root cause of the problem.

A. A formal request for proposal (RFP) process only addresses the procurement phase, not the ongoing management or retirement of the asset.

B. Business case development justifies the initial acquisition but does not ensure the asset is used or retired appropriately later in its life cycle.

C. An information asset acquisition policy governs how assets are purchased but does not cover their management throughout their useful life and disposal.

---

1. ISACA

CISA Review Manual

27th Edition (2019). Domain 2: IT Governance and Management

Section 2.5

"IT Resource Management." This section details the importance of managing IT assets throughout their life cycle

including acquisition

deployment

maintenance

and retirement

to ensure they continue to provide value to the business.

2. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective BAI09

Managed Assets. This objective explicitly covers the need to "Manage IT assets through their life cycle to make sure that their use is optimized for value

and they are disposed of in a timely and proper manner." (p. 153).

3. ISACA

COBIT 2019 Framework: Governance and Management Objectives (2018). Management Objective APO05

Managed Portfolio. This objective includes practices for managing the portfolio of IT-enabled investments

which involves evaluating and retiring obsolete or low-value applications and services to optimize overall portfolio value. (p. 85).

Information classification is a fundamental process in information security governance and risk management. Its primary purpose is to ensure that security controls are applied in a manner that is proportionate to the value of the information and the potential impact of its compromise. This potential impact—covering confidentiality, integrity, and availability—is the definition of business risk. Therefore, aligning the classification scheme directly with business risk ensures that the most critical assets receive the highest level of protection, optimizing security investments and effectively mitigating threats to the organization's objectives.

B. The security policy mandates and defines the classification process, but the classification levels within the policy must be based on business risk.

C. Data retention requirements are an important part of the information lifecycle but are a consequence of classification and legal/regulatory needs, not the primary driver for it.

D. Industry standards provide valuable frameworks and best practices, but they must be adapted to the specific business context and risk appetite of the organization.

1. ISACA

CISA Review Manual

27th Edition. Domain 3: Information Systems Acquisition

Development

and Implementation

Section 3.4.2

"Information Asset Classification." The manual states

"The objective of classification is to ensure that information assets receive an appropriate level of protection... The classification is based on the value of the asset to the organization

its sensitivity and its criticality." This concept of value

sensitivity

and criticality is a direct measure of business risk.

2. ISACA

COBIT® 2019 Framework: Governance and Management Objectives. Management Objective APO14

"Managed Data." The description for this objective emphasizes the need to "Classify data in accordance with its business criticality." This directly links the classification process to the data's importance to business operations

which is a core component of business risk assessment.

3. National Institute of Standards and Technology (NIST)

Special Publication 800-53 Revision 5

Security and Privacy Controls for Information Systems and Organizations. Control Family: Program Management (PM)

Control: PM-11

"Mission/Business Process Definition." The guidance notes that understanding mission/business processes is essential for determining information protection needs. This establishes a direct link between business context (and its associated risks) and the application of security controls

which is governed by classification.

The lack of standardized data formats across logs is the most significant concern for an IS auditor. Non-standardized logs severely hinder the ability to aggregate, correlate, and analyze security events across different systems and applications. This makes it extremely difficult, if not impossible, to perform effective automated monitoring, trace the sequence of events during a security incident, or conduct meaningful forensic analysis. This fundamental flaw undermines the primary purpose of log management, which is to provide a coherent and actionable view of operational and security-related activities throughout the IT environment.

A. Growing log file size is an expected operational trend, primarily representing a capacity and retention policy issue, not a fundamental control weakness.

B. Logging critical events to immutable files is a security best practice that ensures log integrity and is considered a control strength, not a concern.

C. It is common and often necessary for complex applications to generate multiple log files for different functions; this is manageable with proper log aggregation tools.

1. ISACA. (2019). CISA Review Manual

27th Edition. Page 238. The manual states that for logs to be useful for analysis and to create a proper audit trail

they should be "in a consistent format." A lack of standardization directly violates this principle.

2. National Institute of Standards and Technology (NIST). (2006). Special Publication 800-92: Guide to Computer Security Log Management. Section 3.1.2

"Log Generation." This guide explicitly states

"Organizations should also establish standardized log formats

such as the same timestamp format

for all logs. Standardization makes it much easier to perform automated log analysis."

3. Kent

K.

& Souppaya

M. (2006). The challenges of log analysis. CrossTalk

The Journal of Defense Software Engineering

19(5)

21-25. The article highlights that a major challenge in log analysis is the "lack of a standard logging format

" which complicates the correlation of events from diverse sources.

The principle of integrity in information security ensures that data has not been altered in an unauthorized manner. A log that cannot be modified (i.e., is immutable or write-once) provides the highest level of assurance that its contents are original, accurate, and trustworthy. This is a fundamental preventive control for maintaining the evidentiary value of logs. While other options are good security practices, they do not directly guarantee that the log data itself has not been tampered with. Immutability is the most direct and effective control for assuring log integrity.

A. Reviewing logs is a detective control used to identify anomalies after they occur; it does not prevent the log from being altered beforehand.

B. Authorized access is a control primarily for confidentiality. An authorized user with modification privileges could still alter the log, compromising its integrity.

D. Retaining logs according to policy ensures their availability for future analysis and meets compliance requirements, but it does not protect the content from modification.

---

1. ISACA

CISA Review Manual

27th Edition. Domain 4: Information Systems Operations and Business Resilience

Task Statement 4.5. The manual emphasizes that for logs to be effective for forensic analysis

their integrity must be maintained. It discusses techniques such as writing logs to write-once

read-many (WORM) devices or a separate

secured log server to prevent modification.

2. National Institute of Standards and Technology (NIST) Special Publication 800-92

"Guide to Computer Security Log Management." Section 3.3

"Log Storage and Disposal

" states

"Protecting log information from unauthorized modification and destruction is critical for preserving its integrity." It recommends storing logs on a separate

dedicated log server with restricted access and using append-only mechanisms to prevent alteration of existing log data.

3. ISACA

IT Audit

Control

and Security

by Robert R. Moeller (2009). Chapter 16

"Auditing Firewalls

Extranets

and Other Network Security Systems." The text discusses the importance of firewall logs as an audit trail and highlights that their value is contingent on controls that prevent tampering

such as remote logging to a secure

write-protected server. This directly supports the concept that immutability is the key to integrity.