Certified Information Systems Auditor (CISA) — Question 246

What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?

Answer options

• A. Ensure the open issues are retained in the audit results.
• B. Recommend compensating controls for open issues.
• C. Evaluate the residual risk due to open issues.
• D. Terminate the follow-up because open issues are not resolved.

Correct answer: C

Explanation

Evaluating the residual risk due to open issues is crucial for understanding the potential impact these unresolved matters may have on the organization. Retaining open issues in the audit results, recommending compensating controls, or terminating the follow-up do not provide a clear assessment of the risk and may overlook important aspects of the audit process.