Certified Information Systems Auditor (CISA) — Question 334
During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?
Answer options
- A. Ask management why the regulatory changes have not been included.
- B. Report the missing regulatory updates to the chief information officer (CIO).
- C. Discuss potential regulatory issues with the legal department.
- D. Exclude recent regulatory changes from the audit scope.
Correct answer: A
Explanation
The correct answer is A. The inventory of compliance requirements is the basis for the audit scope, so a gap in it must be understood before it is acted on. The auditor's first step is to ask management why the recent regulatory changes are missing: the omission may reflect a breakdown in the bank's process for tracking regulatory developments, a judgement by management that the changes do not apply or are not yet in force, or a simple oversight. Each of these calls for a different response, and the auditor cannot choose the right one without the facts. Reporting to the CIO (B) or consulting the legal department (C) may well follow, but escalating or seeking interpretation before establishing the cause is premature. Excluding the changes from the audit scope (D) is inappropriate because it would leave current compliance requirements unexamined and understate the bank's compliance risk; the scope should be based on the requirements that actually apply, not on the incomplete inventory.