Which of the following would an IS auditor consider a weakness when performing an audit of an
organization that uses a public key infrastructure with digital certificates for its business-toconsumer
transactions via the internet?

A.
Customers are widely dispersed geographically, but the certificate authorities are not.

B.
Customers can make their transactions from any computer or mobile device.

C.
The certificate authority has several data processingsubcenters to administer certificates.

D.
The organization is the owner of the certificate authority.

Explanation:
If the certificate authority belongs to the same organization, this would generate a conflict of
interest. That is, if a customer wanted to repudiate a transaction, they could allege that because of
the shared interests, an unlawful agreement exists between the parties generating the certificates, if
a customer wanted to repudiate a transaction, they could argue that there exists a bribery between

the parties to generate the certificates, as shared interests exist. The other options are not
weaknesses.