IIA Business Knowledge for Internal Auditing IIA-CIA-Part3 Question # 47 Topic 5 Discussion

IIA-CIA-Part3 Exam Topic 5 Question 47 Discussion:

Question #: 47

Topic #: 5

An IT auditor is evaluating IT controls of a newly purchased information system. The auditor discovers that logging is not configured al database and application levels. Operational management explains that they do not have enough personnel to manage the logs and they see no benefit in keeping logs. Which of the fallowing responses best explains risks associated with insufficient or absent logging practices?

The organization will be unable to develop preventative actions based on analytics.

The organization will not be able to trace and monitor the activities of database administers.

The organization will be unable to determine why intrusions and cyber incidents took place.

The organization will be unable to upgrade the system to newer versions.

Get Premium IIA-CIA-Part3 Questions

Explanation

Logging at the database and application levels is a critical security control that enables monitoring, detecting, and investigating potential security incidents. The absence of logging significantly increases cybersecurity risks and can leave an organization vulnerable to undetected attacks.

Incident Response & Forensics: Without logs, the organization will be unable to determine the cause, origin, and impact of cyber incidents or system intrusions.

Compliance Requirements: Many regulatory frameworks (e.g., ISO 27001, NIST 800-53, GDPR, PCI-DSS, SOX) require logging for security monitoring and auditability.

Threat Detection: Logs help in identifying malicious activities, unauthorized access, and data breaches.

Accountability: Ensures that actions taken within the system can be traced back to specific users or administrators.

Option A (The organization will be unable to develop preventative actions based on analytics): While logging helps in analytics, its primary function is incident detection and forensic investigation.

Option B (The organization will not be able to trace and monitor the activities of database administrators): This is partially correct, but logging is not just for administrators—it is essential for monitoring all system activities, including unauthorized access attempts.

Option D (The organization will be unable to upgrade the system to newer versions): Logging does not impact system upgrades; upgrades are related to software lifecycle management, not logging practices.

IIA’s Global Technology Audit Guide (GTAG) – Information Security Controls recommends logging as a fundamental security control.

IIA Standard 2110 – IT Governance: Emphasizes the need for adequate IT risk management, including logging.

COSO Framework (Monitoring Component): Highlights the importance of system monitoring, which includes logging.

Why Option C is Correct:Why Other Options Are Incorrect:IIA References:Thus, the most appropriate answer is C. The organization will be unable to determine why intrusions and cyber incidents took place.

Actual exam question for IIA IIA-CIA-Part3 exam by Onyx39917 at Aug 3, 2025, 6:34:34 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

IIA Business Knowledge for Internal Auditing IIA-CIA-Part3 Question # 47 Topic 5 Discussion

IIA Business Knowledge for Internal Auditing IIA-CIA-Part3 Question # 47 Topic 5 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

IIA Business Knowledge for Internal Auditing IIA-CIA-Part3 Question # 47 Topic 5 Discussion

IIA Business Knowledge for Internal Auditing IIA-CIA-Part3 Question # 47 Topic 5 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval