Which of the following findings would be of GREATEST concern to an IS auditor reviewing an organization's newly implemented online security awareness program?
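A. Only new employees are required to attend the program
B. The timing for program updates has not been determined
C. Metrics have not been established to assess training results
D. Employees do not receive immediate notification of results

Correct answer: C.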
The greatest concern for an IS auditor reviewing an organization's newly implemented online security awareness program would be the lack of metrics to assess training results. Therefore, the correct answer is C.
Explanation:
A. Only new employees are required to attend the program: This is not ideal, but it is not the greatest concern for an IS auditor. It is common for new employees to undergo mandatory security awareness training, and it is still better than having no training program at all. However, the auditor may recommend that all employees undergo training regularly, not just new hires.
B. The timing for program updates has not been determined: While it is important to update the security awareness program regularly, the fact that the timing for updates has not been determined is not the greatest concern. It is a procedural matter that can be addressed easily.
C. Metrics have not been established to assess training results: This is the correct answer because without metrics, it is impossible to determine the effectiveness of the training program. Metrics are essential to measuring the success of the program, identifying gaps in knowledge and behavior, and improving the program. The IS auditor would recommend that the organization establish metrics and track the results to assess the effectiveness of the training program.
D. Employees do not receive immediate notification of results: While it is important to provide immediate feedback to employees on their performance, this is not the greatest concern for an IS auditor. Not having immediate notification of results does not impact the overall effectiveness of the training program. The auditor may recommend that employees receive immediate feedback, but it is not the top priority.