Certified Information Systems Auditor (CISA) — Question 1161
During a follow-up audit, an IS auditor discovers that a recommendation has not been implemented. However, the auditee has implemented a manual workaround that addresses the identified risk less efficiently than the recommended action would. Which of the following is the auditor's BEST course of action?
Answer options
- A. Notify management that the risk has been addressed and take no further action.
- B. Note that the risk has been addressed and notify management of the inefficiency.
- C. Require management to implement the original recommendation.
- D. Escalate the remaining issue for further discussion and resolution.
Correct answer: D
Explanation
The correct answer is D because escalating the remaining issue allows for a thorough discussion of how to address the inefficiencies of the current workaround. Options A and B do not prompt any action to resolve the inefficiency, while option C may fail to take the auditee's current workaround into account and could ignore the need for a more collaborative approach.