Which security activity involves formal, wide-scope auditing of systems that includes governance, configurations, monitoring, and cybersecurity controls?

Multiple Choice

Explanation:
This item tests the idea of a system/process audit, which is a formal, wide-scope examination of IT systems and the processes that support them. It is designed to assess how governance is applied, how configurations are managed, how monitoring is implemented, and which cybersecurity controls are in place, and to determine whether those controls are properly designed and operating effectively across the environment. This broad, integrative focus distinguishes it from narrower audits. A compliance audit checks adherence to external rules, but not necessarily the overall effectiveness of security controls across systems. A risk assessment identifies threats and vulnerabilities but doesn’t evaluate the operating controls themselves. An operational audit looks at the efficiency and effectiveness of day-to-day operations and may not fully address governance and security controls across the whole system.
