Certified Information Systems Auditor (CISA) — Question 1071
When auditing an organization's procurement process, which of the following observations should be of MOST concern to an IS auditor?
Answer options
- A. Purchasing procedures and processes have not been updated during the past two years.
- B. Contracts can be approved after expenses have been incurred.
- C. The procurement manager is new to the organization.
- D. Thresholds for requesting and approving payments for purchase requests have not been established.
Correct answer: B
Explanation
Option B is the greatest concern because approving contracts after expenses have been incurred can lead to financial mismanagement and a lack of accountability. Option A indicates outdated procedures, but this does not directly impact compliance as severely. Option C might indicate a learning curve but is not inherently risky. Option D suggests a lack of structure, which is a concern, but it does not pose an immediate risk like approving contracts post-expense.