Chapter 118 · Quiz

Audits and Assessments — Quiz

Ten questions covering cybersecurity audits, attestation, internal audit components (compliance, audit committees, self-assessments), external audit requirements, examination processes, and the benefits of continuous assessment programs.

1. A CISO explains to the board: "After reviewing our systems and controls, our independent auditor will provide a formal statement of their professional opinion about whether our security posture is accurate and whether our compliance claims are truthful." What term describes this formal professional opinion?
2. A company's security governance structure includes a committee responsible for authorizing all internal audits, overseeing risk management activities, reviewing audit findings, and ensuring corrective actions are implemented. Which governance body is described?
3. A healthcare organization requires every department to periodically evaluate its own security controls, data handling practices, and HIPAA compliance status against a checklist. Results are submitted to the compliance team and consolidated into an organizational risk report. What type of audit activity is this?
4. A retail company processes credit card transactions. Regulators inform the company that it must undergo an annual security assessment conducted by a Qualified Security Assessor (QSA) from an independent firm. The company cannot choose whether to have this assessment — it is required by the applicable standard. What type of audit is this, and what drives its requirement?
5. An external auditor spends two weeks at a financial institution examining system configurations, reviewing access logs, interviewing IT administrators about security procedures, and collecting documentation that supports the audit conclusions. What term describes this hands-on phase of the audit process?
6. A security manager argues for implementing a regular internal audit program. She states: "The single most important security benefit is that audits allow us to find our weaknesses on our schedule, rather than having attackers find them on theirs." Which benefit of cybersecurity audits is she describing?
Matching: Audit Concepts

Match each concept (1–4) to its correct description (A–D).

1Audit Committee
2Attestation
3Self-Assessment
4External Audit
AFormal professional opinion of the truth or accuracy of an organization's security posture, issued after an independent examination
BIndependent third-party examination often mandated by regulation; provides high-credibility findings because the auditor has no financial stake in the outcome
CGovernance body responsible for risk management oversight; all internal audits start and stop with this body's authorization and review
DDepartment-level evaluation of own compliance and security practices; results consolidated into organizational reports that provide visibility into overall security health