Certified Information Systems Auditor (CISA) — Question 1052

As part of control self-assessment (CSA) activities in the finance department, an IS auditor identified that some of the controls were not tested and documented properly. Which of the following should the auditor do NEXT?

Answer options

• A. Provide guidance regarding control objectives to staff involved in the CSA.
• B. Expand the scope of the next internal audit planned for the finance department.
• C. Issue an audit report to the finance manager regarding the inadequate testing of controls.
• D. Perform additional testing to complement CSA activities in the finance department.

Correct answer: D

Explanation

The correct answer is D because performing additional testing will help ensure that the controls are adequately assessed and documented. Options A, B, and C do not address the immediate need for thorough testing, which is crucial for validating the effectiveness of the controls.