Certified Information Systems Auditor (CISA) — Question 1358

An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor's BEST course of action is to:

Answer options

• A. document management's reasons for not addressing deficiencies.
• B. postpone the audit until the deficiencies are addressed.
• C. provide new recommendations.
• D. assess the impact of not addressing deficiencies.

Correct answer: D

Explanation

The correct answer is D because assessing the impact of unresolved deficiencies helps to understand the potential risks and consequences for the organization. Option A, while important, does not directly address the deficiencies. Option B is impractical as audits should continue regardless of unresolved issues, and Option C does not prioritize understanding the implications of the deficiencies.