Certified Information Systems Auditor (CISA) — Question 130
During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that the IS auditor had concluded was ineffective. Which of the following is the auditor's BEST action?
Answer options
- A. Explain to IT management that the new control will be evaluated during follow-up.
- B. Add comments about the action taken by IT management in the report.
- C. Change the conclusion based on evidence provided by IT management.
- D. Re-perform the audit before changing the conclusion.
Correct answer: B
Explanation
The best action for the auditor is to add comments about the actions taken by IT management in the report, as this documents the change and acknowledges management's efforts. Explaining that the control will be evaluated later is not immediate enough, while changing the conclusion prematurely could undermine the auditor's original assessment. Re-performing the audit is unnecessary at this stage since evidence has already been provided.