Certified Information Systems Auditor (CISA) — Question 133
An IS auditor is following up on prior period items and finds management did not address an audit finding. Which of the following should be the IS auditor's NEXT course of action?
Answer options
- A. Note the exception in a new report as the item was not addressed by management.
- B. Interview management to determine why the finding was not addressed.
- C. Recommend alternative solutions to address the repeat finding.
- D. Conduct a risk assessment of the repeat finding.
Correct answer: B
Explanation
The correct answer, B, is appropriate because it allows the auditor to gather insight into management's rationale for not addressing the finding, which is crucial for understanding the situation. Options A and C do not facilitate communication with management to address the underlying issue, and option D, although important, does not directly address the need to understand management's inaction.