Certified Information Systems Auditor (CISA) — Question 1022

During a follow-up audit, an IS auditor finds that the auditee has updated virus scanner definitions without adopting the original audit recommendation to increase the frequency of using the scanner. The MOST appropriate action for the auditor is to:

Answer options

• A. modify the audit opinion based on the new information available.
• B. prepare a follow-up audit report reiterating the recommendation.
• C. escalate the issue to senior management.
• D. conclude that the residual risk is beyond tolerable levels of risk.

Correct answer: B

Explanation

The correct answer is B because preparing a follow-up audit report reinforces the initial recommendation and ensures that it is taken seriously. Modifying the audit opinion or escalating the issue may not directly address the lack of compliance with the recommendation, while concluding that the residual risk is beyond tolerable levels does not provide a constructive path forward.