How often should an independent review of the security controls be performed, according to OMB
Circular A-130?

A.
Never

B.
Every five years

C.
Every three years

D.
Every year

Explanation:
The correct answer is “Every three years”. OMB Circular A-130 requires that a review of the security
controls for each major government application be performed at least every three years. For general
support systems, OMB Circular A-130 requires that the security controls be reviewed either by an
independent audit or self review. Audits can be selfadministered or independent (either internal or
external). The essential difference between a self-audit and an independent audit is objectivity;
however, some systems may require a fully independent review. Source: Office of Management and
Budget Circular A-130, revised November 30, 2000 .