Certified Information Systems Auditor (CISA) — Question 388

During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?

Answer options

• A. Add testing of third-party access controls to the scope of the audit.
• B. Plan to test these controls in another audit.
• C. Determine whether the risk has been identified in the planning documents.
• D. Escalate the deficiency to audit management.

Correct answer: C

Explanation

The best initial step for the auditor is to verify if the risk associated with third-party access is acknowledged in the planning documents. If it is not identified, it may indicate a gap in the risk assessment process. The other options suggest additional actions that could be taken but do not address the immediate need to understand the planning context.