What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

A. Ensure the open issues are retained in the audit results.

B. Terminate the follow-up because open issues are not resolved

C. Recommend compensating controls for open issues.

D. Evaluate the residual risk due to open issues.

An organization has outsourced some of its subprocesses to a service provider. When scoping the audit of the provider, the organization's internal auditor should FIRST:

A. evaluate operational controls of the provider

B. discuss audit objectives with the provider

C. review internal audit reports of the provider

D. review the contract with the provider

In the absence of technical controls, what would be the BEST way to reduce unauthorized text messaging on company-supplied mobile devices?

A. Update the corporate mobile usage policy to prohibit texting.

B. Conduct a business impact analysis (BIA) and provide the report to management.

C. Stop providing mobile devices until the organization is able to implement controls.

D. Include the topic of prohibited texting in security awareness training.

Which of the following is the BEST source for describing the objectives of an organization's information systems?

A. Business process owners

B. End users

C. IT management

D. Information security management

Which of the following should be the FIRST step when drafting an incident response plan for a new cyber-attack scenario?

A. Schedule response testing

B. Create a new incident response team

C. Create a reporting template

D. Identify relevant stakeholders