An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?
An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?
The action that would have best supported the audit findings is penetration testing. By actively demonstrating that network internal controls can be breached, it provides the strongest evidence of inadequacy, directly countering the challenge that no serious incidents have occurred. This aligns with the CISA Manual’s emphasis on penetration testing as a practical, evidence-based approach to assess control effectiveness (CISA Manual, p. 514).
Nail on the head. Correct.