Certified Information Systems Auditor (CISA) — Question 1048

During an audit, an IT finding is agreed upon by all IT teams involved, but no team wants to be responsible for remediation or considers the finding within its area of responsibility. Which of the following is the IS auditor's BEST course of action?

Answer options

• A. Determine the most appropriate team and assign accordingly.
• B. Issue the finding without identifying an owner.
• C. Escalate to IT management for resolution.
• D. Assign shared responsibility to all IT teams.

Correct answer: C

Explanation

The best course of action for the IS auditor is to escalate the issue to IT management for resolution, as they have the authority to assign responsibility and ensure remediation occurs. Simply issuing the finding without an owner or assigning shared responsibility does not address the core issue of accountability, and determining a team without management involvement may lead to further disputes.