Which of the following should be of MOST concern to an IS auditor?

A.
Lack of reporting of a successful attack on the network

B.
Failure to notify police of an attempted intrusion

C.
Lack of periodic examination of access rights

D.
Lack of notification to the public of an intrusion

Explanation:
Not reporting an intrusion is equivalent to an IS auditor hiding a malicious intrusion, which would be a
professional mistake. Although notification to the police may be required and the lack of a periodic examination
of access rights might be a concern, they do not represent as big a concern as the failure to report the attack.
Reporting to the public is not a requirement and is dependent on the organization’s desire, or lack thereof, tomake the intrusion known.