The greatest concern to an IS auditor reviewing an organization's method to transport sensitive data between offices is that the method relies exclusively on the use of asymmetric encryption algorithms. Asymmetric encryption algorithms, also known as public key encryption, use two different keys for encryption and decryption: a public key that is shared with anyone who wants to communicate with the sender, and a private key that is kept secret by the sender. Asymmetric encryption algorithms are more secure than symmetric encryption algorithms, which use the same key for both encryption and decryption, but they are also slower and more computationally intensive. Therefore, relying exclusively on asymmetric encryption algorithms may not be efficient or practical for transporting large amounts of sensitive data between offices. A better method would be to use a combination of symmetric and asymmetric encryption algorithms, such as using asymmetric encryption to exchange a symmetric key and then using symmetric encryption to encrypt and decrypt the data.
The other options are not as concerning as option C. The method relying exclusively on the use of public key infrastructure (PKI) is not a concern, because PKI is a system that provides the services and mechanisms for creating, managing, distributing, using, storing, and revoking digital certificates that are based on asymmetric encryption algorithms. PKI enables secure and authenticated communication between parties who do not have a prior trust relationship. The method relying exclusively on the use of digital signatures is not a concern, because digital signatures are a way of verifying the authenticity and integrity of a message or document by using asymmetric encryption algorithms. Digital signatures ensure that the sender cannot deny sending the message or document, and that the receiver can detect any tampering or alteration of the message or document. The method relying exclusively on the use of 128-bit encryption is not a concern, because 128- bit encryption is a level of encryption that uses a 128-bit key to encrypt and decrypt data. 128-bit encryption is considered to be strong enough to resist brute-force attacks by modern computers. References: Asymmetric vs Symmetric Encryption: What are differences?, Public Key Infrastructure (PKI), Digital Signature, What is
128-bit Encryption?

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone. This is a social engineering attack method that exploits the trust or curiosity of the employee to obtain sensitive information that can be used to access or compromise the network. According to the web search results, social engineering is a technique that uses psychological manipulation to trick users into making security mistakes or giving away sensitive information1. Phishing, whaling, baiting, and pretexting are some of the common forms of social engineering attacks2. Social engineering attacks are often more effective and profitable than purely technical attacks, as they rely on human error rather than system vulnerabilities

A key performance indicator (KPI) is a quantifiable measure of performance over time for a specific objective1. KPIs help organizations and teams track their progress and achievements towards their strategic goals. To be useful, a KPI must have a target value, which is the desired level of performance or outcome that the organization or team aims to achieve. A target value provides a clear direction and a benchmark for measuring success or failure. Without a target value, a KPI is meaningless, as it does not indicate whether the performance is good or bad, or how far or close the organization or team is from reaching their objective.

The main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B). This is because:
A project change management process is a set of procedures that defines how changes to the project scope, schedule, budget, quality, or resources are requested, evaluated, approved, implemented, and controlled12.
A project change management process helps to ensure that the changes are aligned with the project objectives, stakeholders' expectations, and business needs12.
Adding a new system functionality during the development phase without following a project change management process can introduce risks such as:
The added functionality has not been documented (option A), which can lead to confusion, inconsistency, errors, and rework3.
The project may fail to meet the established deadline (option C), which can result in delays, penalties, and customer dissatisfaction3.
The project may go over budget (option D), which can cause cost overruns, financial losses, and reduced profitability3.
However, the main risk is that the new functionality may not meet requirements (option B), which can have serious consequences such as:
The new functionality may not be compatible with the existing system or other components3.
The new functionality may not be tested or verified for quality, performance, security, or usability3.
The new functionality may not deliver the expected value or benefits to the users or customers3.
The new functionality may not comply with the regulatory or contractual obligations3.
The new functionality may cause dissatisfaction, complaints, or litigation from the stakeholders3.
Therefore, the main risk associated with adding a new system functionality during the development phase without following a project change management process is that the new functionality may not meet requirements (option B), as this can jeopardize the success and acceptance of the project.
References: 1: How to Make a Change Management Plan (Templates Included) - ProjectManager 2: What Is Change Management? Process & Models Explained - ProjectManager 3: 8 Steps for an Effective Change Management Process - Smartsheet

When verifying the accuracy and completeness of migrated data for a new application system replacing a legacy system, it is most effective for an IS auditor to review data analytics findings. Data analytics is a technique that uses software tools and statistical methods to analyze large volumes of data and identify patterns, anomalies, errors or inconsistencies. Data analytics can help to compare the source and target data sets, validate the data quality and integrity, and detect any data loss or corruption during the migration process. The other options are not as effective, because audit trails only record the actions performed on the data, acceptance testing results only verify the functionality of the new system, and rollback plans only provide contingency measures in case of migration failure. References: CISA Review Manual (Digital Version)1, Chapter 5, Section 5.2.6