CISA QUESTION #1721
Question 1
When considering who should be responsible for issuing and enforcing organisational policies, which of the following options reflects best practice?
  • Policies should be developed from the bottom up and elevated to the department manager for sign-off.
  • Auditors should draft policies in line with standards, which are then authorised by senior management.
  • Policies may be signed and enforced by any level of management deemed appropriate.
  • Policies must be signed and enforced by the most senior level of management to ensure organisation-wide compliance.✔️
Correct Answer Explanation
Policies derive their authority and enforceability from the level at which they are issued. For a policy to command compliance across the entire organisation, it must originate from — and be visibly backed by — the highest level of management. It is management's responsibility, not the auditor's, to design, implement, and enforce internal controls and governance policies.