Certified Information Systems Auditor (CISA) — Question 315
An IS auditor is assigned to review the IS department's quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal, unwritten set of standards. Which of the following should be the auditor's NEXT action?
Answer options
- A. Finalize the audit and report the finding.
- B. Document and test compliance with the informal standards.
- C. Postpone the audit until IS management implements written standards.
- D. Make recommendations to IS management as to appropriate quality standards.
Correct answer: D
Explanation
The correct answer is D because the auditor should provide recommendations to assist IS management in establishing formal quality standards, enhancing accountability and consistency. Answer A is incorrect because finalizing the audit without addressing the lack of formal standards would miss a critical finding. Answer B is not appropriate as testing against informal standards does not ensure compliance with recognized best practices. Answer C is not a viable option since postponing the audit may delay necessary improvements.