Certified Information Systems Auditor (CISA) — Question 1248

An IS auditor's draft report recommends the development of a procedure for IT server backups. During the closing meeting, the IT manager agrees to implement only part of the recommendations in the report. Which action should the auditor take FIRST to address this situation?

Answer options

• A. Finalize the audit report.
• B. Schedule a follow-up audit.
• C. Provide industry best practice documentation.
• D. Escalate the issue to audit management.

Correct answer: D

Explanation

The auditor should escalate the issue to audit management first because partial implementation of critical recommendations can pose risks to the organization's IT governance. Finalizing the audit report or scheduling a follow-up audit would not address the immediate concern, and providing best practice documentation may not ensure compliance with the full recommendations.