CISA Certified Information Systems Auditor - Questions + Answers Part 4
Posted: Tue Feb 22, 2022 6:39 am
A1-132 Which of the following choices would be the BEST source of information when developing a risk-based audit plan?
A. Process owners identify key controls.
B. System custodians identify vulnerabilities.
C. Peer auditors understand previous audit results.
D. Senior management identify key business processes.
D is the correct answer.
Justification:
A. While process owners should be consulted to identify key controls, senior management would be a better source to identify business processes, which are more important.
B. System custodians would be a good source to better understand the risk and controls as they apply to specific applications; however, senior management would be a better source to identify business processes, which are more important.
C. The review of previous audit results is one input into the audit planning process; however, if previous audits focused on a limited or a restricted scope or if the key business processes have changed and/or new business processes have been introduced, then this would not contribute to the development of a risk-based audit plan.
D. Developing a risk-based audit plan must start with the identification of key business processes, which will determine and identify the risk that needs to be addressed.
A1-133 While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:
A. report the issue to IT management.
B. discuss the issue with the service provider.
C. perform a risk assessment.
D. perform an access review.
A is the correct answer.
Justification:
A. During the course of an audit, if there are material issues that are of concern, they need to be reported immediately.
B. The IS auditor may discuss the issue with the service provider to clarify it; however, the appropriate response is to report the issue to IT management.
C. This issue can serve as an input for a future risk assessment, but the issue of noncompliance should be reported to management regardless of whether the IS auditor believes that there is a significant risk.
D. The IS auditor should not perform an access review on behalf of the third-party IT service provider. The control may be re-performed to determine any actual violations resulting from the lack of review.
A1-134 Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is:
A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.
B is the correct answer.
Justification:
A. Preparation of the IS audit report according to a predefined and standard template may be useful in ensuring that all key aspects are provided in a uniform structure, but this does not demonstrate that audit findings are based on evidence that can be proven, if required.
B. ISACA IS audit standards require that reports should be backed by sufficient and appropriate audit evidence so that they demonstrate the application of the minimum standard of performance and the findings and recommendations can be validated, if required.
C. The scope and coverage of IS audit is defined by a risk assessment process, which may not always provide comprehensive coverage of processes of the enterprise.
D. While from an operational standpoint an audit report should be reviewed and approved by audit management, the more critical consideration is that all conclusions are backed by sufficient and appropriate audit evidence.
A1-135 An IS auditor performing an audit of the risk assessment process should FIRST confirm that:
A. reasonable threats to the information assets are identified.
B. technical and organizational vulnerabilities have been analyzed.
C. assets have been identified and ranked.
D. the effects of potential security breaches have been evaluated.
C is the correct answer.
Justification:
A. The threats facing each of the organization’s assets should be analyzed according to their value to the organization. This would occur after identifying and ranking assets.
B. Analyzing how these weaknesses, in the absence of mitigating controls, would impact the organization’s information assets would occur after the assets and weaknesses have been identified.
C. Identification and ranking of information assets (e.g., data criticality, sensitivity, locations of assets) will set the tone or scope of how to assess risk in relation to the organizational value of the asset.
D. The effect of security breaches is dependent on the value of the assets and the threats, vulnerabilities and effectiveness of mitigating controls. The impact of an attack against a weakness should be identified so that controls can be evaluated to determine if they effectively mitigate the weaknesses.
A1-136 Which of the following represents an example of a preventive control with respect to IT personnel?
A. Review of visitor logs for the data center
B. A log server that tracks logon IP addresses of users
C. Implementation of a badge entry system for the IT facility
D. An accounting system that tracks employee telephone calls
C is the correct answer.
Justification:
A. Review of visitor logs is a detective control in most circumstances.
B. Review of log servers is a detective control in most circumstances.
C. Preventive controls are used to reduce the probability of an adverse event occurring. A badge entry system would prevent unauthorized entry to the facility.
D. Review of telephone call accounting systems is a detective control in most circumstances.
A1-137 Which of the following is an attribute of the control self-assessment (CSA) approach?
A. Broad stakeholder involvement
B. Auditors are the primary control analysts
C. Limited employee participation
D. Policy driven
A is the correct answer.
Justification:
A. The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization’s business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training—all of which are representations of broad stakeholder involvement.
B. IS auditors are the primary control analysts in a traditional audit approach. CSA involves many stakeholders, not just auditors.
C. Limited employee participation is an attribute of a traditional audit approach.
D. Policy-driven is an attribute of a traditional audit approach.
A1-138 An IS auditor conducting a review of disaster recovery planning (DRP) at a financial processing organization has discovered the following:
• The existing DRP was compiled two years earlier by a systems analyst in the organization’s IT department using transaction flow projections from the operations department.
• The DRP was presented to the deputy chief executive officer (CEO) for approval and formal issue, but it is still awaiting attention.
• The DRP has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for its area in the event of a disruptive incident.
The IS auditor’s report should recommend that:
A. the deputy CEO be censured for failure to approve the plan.
B. a board of senior managers is set up to review the existing plan.
C. the existing plan is approved and circulated to all key management and staff.
D. a manager coordinates the creation of a new or revised plan within a defined time limit.
D is the correct answer.
Justification:
A. Censuring the deputy chief executive officer (CEO) will not improve the current situation and is generally not within the scope of an IS auditor to recommend.
B. Establishing a board to review the disaster recovery plan (DRP), which is two years out of date, may achieve an updated DRP but is not likely to be a speedy operation; issuing the existing DRP would be folly without first ensuring that it is workable.
C. The current DRP may be unacceptable or ineffective and recommending the approval of the DRP may be unwise. The best way to develop a DRP in a short time is to make an experienced manager responsible for coordinating the knowledge of other managers into a single, formal document within a defined time limit.
D. The primary concern is to establish a workable DRP, which reflects current processing volumes to protect the organization from any disruptive incident.
A1-139 When auditing a disaster recovery plan (DRP) for a critical business area, an IS auditor finds that it does not cover all of the systems. Which of the following is the MOST appropriate action for the IS auditor?
A. Alert management and evaluate the impact of not covering all systems.
B. Cancel the audit.
C. Complete the audit of the systems covered by the existing DRP.
D. Postpone the audit until the systems are added to the DRP.
A is the correct answer.
Justification:
A. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP.
B. Canceling the audit is an inappropriate action.
C. Ignoring the fact that some systems are not covered would violate audit standards that require reporting all material findings and is an inappropriate action.
D. Postponing the audit is an inappropriate action. The audit should be completed according to the initial scope with identification to management of the risk of systems not being covered.
A1-140 Which of the following is the MOST effective tool for monitoring transactions that exceed predetermined thresholds?
A. Generalized audit software (GAS)
B. Integrated test facility
C. Regression tests
D. Snapshots
A is the correct answer.
Justification:
A. Generalized audit software (GAS) is a data analytic tool that can be used to filter large amounts of data.
B. The integrated test facility tests the processing of the data and cannot be used to monitor real-time transactions.
C. Regression tests are used to test new versions of software to ensure that previous changes and functionality are not inadvertently overwritten or disabled by the new changes.
D. The snapshot technique takes pictures of the information it observes during the execution of program logic.
A1-141 Which of the following is MOST important to ensure that effective application controls are maintained?
A. Exception reporting
B. Manager involvement
C. Control self-assessment (CSA)
D. Peer review
C is the correct answer.
Justification:
A. Exception reporting only looks at errors or problems, but will not ensure that controls are still working.
B. Manager involvement is important, but may not be a consistent or well-defined process compared to control self-assessment (CSA).
C. CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls.
D. Peer review lacks the direct involvement of audit specialists and management.
A1-142 The success of control self-assessment (CSA) depends highly on:
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.
A is the correct answer.
Justification:
A. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.
B. CSA requires managers to participate in the monitoring of controls.
C. The implementation of stringent controls will not ensure that the controls are working correctly.
D. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness, but would work best when used in a formal process such as CSA.
A1-143 Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?
A. Transaction logs
B. Before and after image reporting
C. Table lookups
D. Tracing and tagging
C is the correct answer.
Justification:
A. Transaction logs are a detective control and provide audit trails.
B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control.
C. Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.
D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.
A1-144 Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?
A. To collect evidence while transactions are processed
B. To reduce requirements for periodic internal audits
C. To identify and report fraudulent transactions
D. To increase efficiency of the audit function
A is the correct answer.
Justification:
A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the question pertains to the development process for new application systems, and not to subsequent internal audits.
C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently.
D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.
A1-145 An IS audit department considers implementing continuous auditing techniques for a multinational retail enterprise that requires high availability of its key systems. A PRIMARY benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
D is the correct answer.
Justification:
A. Continuous monitoring is detective in nature and, therefore, does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies.
B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources.
C. Continuous audit will detect errors but not correct them. Correcting errors is the function of the organization’s management and not the internal audit function. Continuous auditing benefits the internal audit function because it reduces the use of auditing resources to create a more efficient auditing function.
D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists the IS auditors in identifying fraud in a timely fashion and allows the auditors to focus on relevant data.
A1-146 An IS auditor wishes to determine the effectiveness of managing user access to a server room. Which of the following is the BEST evidence of effectiveness?
A. Observation of a logged event
B. Review of the procedure manual
C. Interview with management
D. Interview with security personnel
A is the correct answer.
Justification:
A. Observation of the process to reset an employee’s security access to the server room and the subsequent logging of this event provide the best evidence of the adequacy of the physical security control.
B. Although reviewing the procedure manual can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control.
C. Although interviewing management can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control.
D. Although interviewing security personnel can be helpful in gaining an overall understanding of a process, it is not evidence of the effectiveness of the execution of a control.