Compliance requirements are crucial to organizations. As an auditor, which of the following is least likely to be included in the audit scope?
A. Organizational policies issued by the policy approval authority
B. Code of ethics defined in the ethics program
C. Rules formulated by the regulatory agency
D. Inapplicable laws legislated by the Congress
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Inapplicable laws legislated by the Congress.
The diagram demonstrates typical compliance requirements. “A legal audit is an appraisal of an organization’s operations to determine its compliance with the laws and regulations that apply to it.” (Harris) In other words, laws inapplicable to an organization are typically not concerns of an auditor and won’t be included in the audit scope.
It’s also a crucial issue for a global company with branches or subsidiaries around the world to identify applicable laws and regulations. Laws applicable to branches and subsidiaries and the headquarters may vary.
Both laws and regulations are rules. However, there are differences between them.
- Laws are written by legislators and go through the bill process.
- Regulations are created by a government agency, often to implement a
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.