Certified Information Systems Auditor (CISA) — Question 197

During a post-implementation review, an IS auditor learns that while benefits were realized according to the business case, complications during implementation added to the cost of the solution. Which of the following is the auditor's BEST course of action?

Answer options

• A. Design controls that will prevent future added costs.
• B. Verify that lessons learned were documented for future projects.
• C. Determine if project deliverables were provided on time
• D. Ensure costs related to the complications were subtracted from realized benefits.

Correct answer: B

Explanation

The best action for the auditor is to verify that lessons learned were documented for future projects, as this helps prevent similar issues in the future. While designing controls or checking deliverable timelines may be useful, they do not address the immediate need for learning from the current project's challenges. Ensuring costs are subtracted from benefits is not a priority in this scenario since the focus should be on improving future implementations.