Certified Information Systems Auditor (CISA) — Question 1012

An audit program indicates that a specific number of transactions are to be sampled for testing a particular control. However, it has been determined that the control design is deficient. What should the IS auditor do in response to this information?

Answer options

• A. Recommend a change to the audit program to increase the sample size.
• B. Recommend a change to the audit program and testing methodology used.
• C. Document the observation and the testing methodology used.
• D. Notify audit management and continue to use the sample size.

Correct answer: B

Explanation

The correct answer is B because if the control design is deficient, it is essential to adjust both the audit program and testing methodology to ensure accurate results. Simply increasing the sample size (A) or documenting the finding (C) does not address the root issue of the control's deficiency, and notifying management while continuing with the sample size (D) would not provide a thorough evaluation of the effectiveness of the control.