Free Isaca AAISM Actual Exam Questions - Question 15 Discussion
MOST effective way to monitor vendors and ensure compliance with ethical and security standards?
D imo, audits (A) are good but can still miss subtle issues between checks. Just having source code (C) doesn’t guarantee you’ll catch ethical or security flaws unless you have the expertise to review it constantly. Self-attestation (D), while it sounds weak, paired with benchmark monitoring could mean vendors are held accountable through measurable outcomes, not just paperwork or occasional reviews. It adds a dynamic layer where performance data drives compliance checks, which might be more practical for ongoing oversight than just static audits or source code access.
If audits aren’t thorough or frequent enough, they might miss ongoing risks.
A/C? Audits are solid for catching problems, but having access to source code and docs means you can verify stuff yourself anytime, not just during audits. So direct oversight feels stronger with C.
I think relying solely on vendors to self-monitor (B) seems weak since there's little external check. So, option B feels less reliable for strong compliance oversight.
Makes sense that audits (A) are thorough, but I think sharing source code and documentation (C) gives the company direct insight into what’s actually being built. Without access, it’s hard to verify compliance independently. Just trusting vendors to self-monitor or attest seems risky. So, C feels like the best way to keep things transparent and enforce standards properly.
A - audits catch issues outsiders might miss, better than just vendor reports.
Totally get the audit angle, but relying on vendors themselves to continuously track their ethics and security (B) feels more proactive and less resource-heavy for the company. B
D imo, self-attestation plus benchmark monitoring keeps control with vendors but adds accountability.
A makes sure the company stays hands-on with vendor compliance, not just trusting them.
B tbh also makes sense here since it puts responsibility on the vendors themselves to keep a constant eye on ethics and security, which might be more scalable and continuous than periodic audits. Audits (A) are good but can be sporadic and resource-heavy. Also, just getting source code (C) doesn’t automatically mean you can assess compliance effectively without specialized skills or tools, so it might not be the most practical for ongoing monitoring. D seems weak since self-attestation alone risks bias and doesn’t provide solid verification. So B offers a way to embed ongoing checks directly w
A, because regular audits give the organization direct oversight beyond just code access.
Maybe C works better since having access to source code means the organization can directly check for issues, rather than depending on vendor reports or audits that might be incomplete or biased.
A imo is the strongest choice because regular audits keep vendors accountable from the organization’s side, not just relying on whatever vendors say or provide. C could be good, but sharing source code doesn’t guarantee ongoing compliance or that the code actually meets ethical and security standards in practice. Audits provide a more comprehensive check on processes and real behavior over time.
C imo makes sense too because having access to source code and documentation lets the organization verify what’s actually being built, not just rely on vendor claims or audits that might miss details.
I think A makes the most sense here. Regular audits give the organization direct oversight and ensure vendors actually follow the rules, instead of just trusting them to self-monitor or self-attest. It’s more proactive and measurable. What do you guys think?