CISA QUESTION #6818
Question 1
An IS auditor discovers that while a corporate policy document exists and is published on the company website, random employee surveys reveal only 30% can locate it within a reasonable time. According to the evidence rule, what is the MOST appropriate audit conclusion?
  • Policy exists and is compliant
  • Policy exists but insufficient evidence of effective implementation ✔️
  • Policy requires updating
  • Policy is satisfactory but employees need training
Correct Answer Explanation
The evidence rule requires that claims be substantiated through verifiable proof. While the policy exists, the inability of 70% of employees to locate it indicates it is not actively used or effectively implemented. Existence alone does not satisfy the evidence requirement—actual use and accessibility must be demonstrated.