Certified Information Systems Auditor (CISA) — Question 1216
During a pre-implementation review, an IS auditor notes that some scenarios have not been tested. Management has indicated that the project is critical and cannot be postponed. Which of the following is the auditor's BEST course of action?
Answer options
- A. Recommend project implementation be postponed until all scenarios have been tested.
- B. Perform remaining scenario testing in the production environment post-implementation.
- C. Help management complete remaining scenario testing before implementation.
- D. Determine whether the tested scenarios covered the most significant project risks.
Correct answer: D
Explanation
The best course of action is to determine if the tested scenarios address the most significant project risks, as this allows the auditor to evaluate if proceeding with the implementation is still viable. Postponing the project or conducting testing post-implementation may not effectively mitigate risks, and assisting management with testing does not prioritize risk assessment.