Certified Information Systems Auditor (CISA) — Question 1145

External audits have identified recurring exceptions in the user termination process, despite similar internal audits having reported no exceptions in the past. Which of the following is the IS auditor’s BEST course of action to improve the internal audit process in the future?

Answer options

• A. Review user termination process changes.
• B. Review the internal audit sampling methodology.
• C. Review control self-assessment (CSA) results.
• D. Include the user termination process in all upcoming audits.

Correct answer: B

Explanation

The best course of action is to evaluate the internal audit sampling methodology (Option B) because it ensures that the audit process is adequately identifying issues. Reviewing the user termination process changes (Option A) may not address the root cause of the discrepancies. Assessing CSA results (Option C) and including the user termination process in all future audits (Option D) are also helpful but do not directly target the improvement of the internal audit methodology.