An internal auditor is assessing the risks related to an organization's mobile device policy.

IIA IIA-CIA-Part3 Question Answer

An internal auditor is assessing the risks related to an organization's mobile device policy. She notes that the organization allows third parties (vendors and visitors) to use outside smart devices to access its proprietary networks and systems. Which of the following types of smart device risks should the internal

Auditor be most concerned about?

Compliance.

Privacy

Strategic

Physical security

Explanation:

Understanding Mobile Device Risks in an Organization:

When an organization allows third parties (vendors and visitors) to use outside smart devices to access its proprietary networks and systems, it introduces significant compliance risks.

These risks include violations of regulatory requirements, industry standards, and internal security policies.

Compliance Risks in Smart Device Usage:

Unauthorized Access: External users may bypass security controls, leading to data breaches or regulatory non-compliance (e.g., GDPR, HIPAA, or PCI-DSS violations).

Lack of Encryption and Data Protection: If smart devices access sensitive information without proper security protocols, the organization may fail to comply with industry regulations.

Failure to Enforce Mobile Device Management (MDM): Without proper policy enforcement, organizations risk failing audits and facing penalties.

Why Other Options Are Incorrect:

B. Privacy:

Privacy concerns relate to handling personal data, but in this scenario, the focus is on third-party access risks, which fall under compliance.

C. Strategic:

Strategic risks relate to long-term business objectives, whereas compliance risks are more immediate and regulatory in nature.

D. Physical security:

Physical security deals with preventing unauthorized access to buildings or devices, not cybersecurity risks from external smart devices.

IIA’s Perspective on Compliance and IT Security:

IIA Standard 2110 – Governance emphasizes the need to evaluate IT security risks, including third-party access risks.

IIA GTAG (Global Technology Audit Guide) on IT Risks highlights compliance risks in Bring Your Own Device (BYOD) and third-party access policies.

ISO 27001 Information Security Standard mandates controls to manage external device access risks.

IIA References:

IIA Standard 2110 – Governance and IT Security

IIA GTAG – IT Risks and BYOD Policies

ISO 27001 Information Security Standard

NIST Cybersecurity Framework for Mobile Device Security

Thus, the correct and verified answer is A. Compliance.

IIA IIA-CIA-Part3 View All Questions