Certified Information Systems Auditor (CISA) — Question 1040

An IS auditor learns that a web application within the audit scope has a vulnerability that could lead to the exposure of sensitive data. Which of the following should the auditor do FIRST?

Answer options

• A. Assess the risk and include all systems using the web application in the audit.
• B. Determine the current version of the application.
• C. Recommend implementing compensating controls.
• D. Notify management and system business owners of the issue.

Correct answer: D

Explanation

The auditor should first notify management and system business owners about the vulnerability to ensure that they are aware of the potential risk to sensitive data. Assessing the risk and including all systems in the audit, determining the application version, or recommending compensating controls are important but should follow the immediate notification to management.