Certified Information Systems Auditor (CISA) — Question 1155

The remediation process related to a high-risk audit finding involves a multi-step action plan by management and may not be completed by the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on the activities?

Answer options

• A. Perform more substantive testing until the remediation plan is implemented.
• B. Schedule a review of the controls after the projected remediation date.
• C. Continue to audit the failed controls according to the audit schedule.
• D. Review the progress of remediation on a regular basis.

Correct answer: D

Explanation

The correct answer is D because regularly reviewing the progress of remediation allows the auditor to ensure that necessary actions are being taken and to address any delays promptly. Options A and C do not provide timely oversight of the remediation efforts, while B may lead to missed opportunities for intervention before the next audit cycle.