Which of the following should be the GREATEST concern to an IS auditor evaluating an organization's policies?
Answer: C
As an IS auditor evaluating an organization's policies, the greatest concern should be that the policies do not provide adequate protection to the organization.
A) Policies not formally approved by management: While it is important for policies to be approved by management, it may not be the greatest concern. The lack of formal approval may be an indication of inadequate management oversight, but it does not necessarily mean that the policies themselves are flawed.
B) Policies not formally acknowledged and signed by employees: Employee acknowledgment and signature on policies is important for ensuring that employees understand the policies and are held accountable for adhering to them. However, the lack of formal acknowledgment and signature may not be the greatest concern if the policies are well-written and effectively communicated to employees through other means.
C) Policies do not provide adequate protection to the organization: This is the greatest concern for an IS auditor evaluating an organization's policies. Policies that do not adequately protect the organization can leave it vulnerable to security breaches, legal and regulatory violations, and other risks. For example, if an organization's policies do not require strong passwords or limit access to sensitive data, it could be at risk of a data breach.
D) Policies not reviewed and updated frequently: While it is important for policies to be reviewed and updated on a regular basis to ensure they remain relevant and effective, it may not be the greatest concern. Policies that are outdated or not reviewed may not be as effective, but they are not necessarily flawed.
In summary, the greatest concern for an IS auditor evaluating an organization's policies is that the policies do not provide adequate protection to the organization.