Effective CISSP Questions

As a lead auditor, you lead an audit team to conduct a security audit. Which of the following is the least ideal audience to whom you functionally report? (Wentz QOTD)
A. Chief executive officer (CEO)
B. Chief audit executive (CAE)
C. Audit committee
D. Board of directors

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is A. Chief executive officer (CEO).

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Audit Function

Although it is not uncommon for the audit function to report directly to the CEO, separating the functional reporting line from the administrative one is an emerging and generally accepted practice. As a lead auditor, the common arrangement is for you to report to the chief audit executive (CAE), who in turn reports functionally to the audit committee or the board of directors. You may occasionally report to the audit committee or the board of directors on a project basis.

Independence and objectivity are crucial to the audit function. The functional (direct) reporting line of the audit function is one of the most critical factors affecting independence and objectivity, and it depends on the organizational stature of the audit function and the organization's assurance needs. Functional reporting to a superior is direct reporting, as distinguished from administrative reporting.

Administrative reporting is distinguished from direct reporting in the sense that the administrative unit facilitates the day-to-day operations of the internal audit activity, i.e., approving budgets and preparing performance evaluations. However, it should be noted that the Standards and many corporate governance reports are suggesting that overall responsibility for the internal audit budget be the responsibility of the audit committee.

Source: The IIA Research Foundation

According to the Standards for the Professional Practice of Internal Auditing by the Institute of Internal Auditors,

  • The internal audit activity should be free from interference in determining the scope of internal auditing, performing work, and communicating results.
  • Appropriate reporting lines are critical to achieve the independence, objectivity, and organizational stature for an internal audit function necessary to effectively fulfill its obligations.
  • CAE reporting lines are also critical to ensuring the appropriate flow of information and access to key executives and managers that are the foundations of risk assessment and reporting of results of audit activities.
  • Conversely, any reporting relationship that impedes the independence and effective operations of the internal audit function should be viewed by the CAE as a serious scope limitation, which should be brought to the attention of the audit committee or its equivalent.
Governance Structure


As a lead auditor, you lead an audit team to conduct a security audit. Which of the following is the least ideal audience to whom you functionally report? (Wentz QOTD)
A. Chief executive officer (CEO)
B. Chief audit executive (CAE)
C. Audit committee
D. Board of directors
