Certified Information Systems Auditor (CISA) — Question 1080

While conducting a follow-up on an asset management audit, the IS auditor finds paid invoices for IT devices not recorded in the organization's inventory. Which of the following is the auditor's BEST course of action?

Answer options

• A. Alert both audit and operations management about the discrepancy.
• B. Ask the asset management staff where the devices are.
• C. Make a note of the evidence to include it in the scope of a future audit.
• D. Ignore the invoices since they are not part of the follow-up.

Correct answer: A

Explanation

The best action is to alert both audit and operations management about the discrepancy, as this ensures that the issue is addressed at the appropriate level. Asking the asset management staff or making a note for future audits does not immediately resolve the issue, and ignoring the invoices could lead to further complications in asset tracking.