IIA CIA IIA-CIA-Part3 Question # 116 Topic 12 Discussion

Understanding Information Security Responsibilities:

Executive management sets the overall strategy and ensures resources are allocated for information security.

Internal auditors provide independent assurance on security effectiveness.

The board provides oversight and ensures that security risks are managed appropriately.

Line management is responsible for day-to-day operations, including the review and monitoring of security controls to ensure compliance with security policies.

Why Reviewing and Monitoring Security Controls is a Line Management Function:

Line management directly oversees operational security measures, ensuring that established controls are functioning effectively.

They address security gaps, enforce security policies, and report issues to senior management when necessary.

This aligns with IIA Standard 2120 – Risk Management, which requires management to implement and monitor risk mitigation controls.

Why Other Options Are Incorrect:

B. Dedicate sufficient security resources: This is the responsibility of executive management, as they control resource allocation.

C. Provide oversight to the security function: The board and executive management provide oversight, not line management.

D. Assess information control environments: Internal auditors assess control environments, ensuring compliance and effectiveness.

IIA Standards and References:

IIA Standard 2110 – Governance: Emphasizes the board’s role in overseeing security.

IIA Standard 2120 – Risk Management: States that management must monitor security risks.

IIA GTAG (Global Technology Audit Guide) on Information Security (2016): Outlines that line management is responsible for monitoring security controls on a daily basis.

Thus, the correct answer is A: Review and monitor security controls.