Certified Information Systems Auditor (CISA) — Question 1445

What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

Answer options

• A. Validate the overall effectiveness of the internal control.
• B. Determine the resources required to make the control effective.
• C. Verify the impact of the control no longer being effective.
• D. Ascertain the existence of other compensating controls.

Correct answer: C

Explanation

The correct answer is C because understanding the impact of the ineffective control is crucial for assessing risks and determining the necessary corrective actions. Options A and B are premature steps that should come after the impact has been evaluated, while D, although important, focuses on compensating controls rather than directly assessing the primary issue.