Certified Information Systems Auditor (CISA) — Question 10

An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor's NEXT course of action?

Answer options

• A. Inform senior management of the change in approach.
• B. Conduct a risk analysis incorporating the change.
• C. Report results of the follow-up to the audit committee.
• D. Evaluate the appropriateness of the remedial action taken.

Correct answer: D

Explanation

The correct answer is D because the auditor needs to determine if the new approach taken by the auditee is effective and suitable for addressing the findings. Options A and C involve informing others but do not address the immediate evaluation of the actions taken. Option B suggests conducting a risk analysis, which is premature without first evaluating the appropriateness of the remedial action.