Certified Information Systems Auditor (CISA) — Question 281
During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?
Answer options
- A. Report the deviation by the control owner in the audit report.
- B. Cancel the follow-up audit and reschedule for the next audit period.
- C. Evaluate the implemented control to ensure it mitigates the risk to an acceptable level.
- D. Request justification from management for not implementing the recommended control.
Correct answer: C
Explanation
The best course of action for the auditor is to evaluate the implemented control to ensure it mitigates the risk to an acceptable level. This lets the auditor determine whether the alternative plan is effective. The other options either do not address the effectiveness of the new plan or unnecessarily delay the audit process.