Certified Information Systems Auditor (CISA) — Question 1182
During the course of fieldwork, an internal IS auditor observes a critical vulnerability within a newly deployed application. What is the auditor's BEST course of action?
Answer options
- A. Document the finding in the report.
- B. Identify other potential vulnerabilities.
- C. Notify IT management.
- D. Report the finding to the external auditors.
Correct answer: C
Explanation
The best action for the auditor is to notify IT management (Option C), because IT management is responsible for addressing security issues. Documenting the finding (Option A) is important but does not prompt immediate action. Identifying other vulnerabilities (Option B) can be useful but is not a priority when a critical issue has been found. Reporting to external auditors (Option D) is not appropriate, as the internal auditor should first escalate the issue internally.