Certified Information Systems Auditor (CISA) — Question 491

Management has asked internal audit to prioritize and perform a specialized cybersecurity audit, but the IS audit team has no experience in this area. Which of the following is the BEST course of action?

Answer options

• A. Delay the audit until the IS auditors are sufficiently trained.
• B. Delay the audit until an experienced IS auditor has been hired.
• C. Perform the audit as requested using third-party support.
• D. Perform the audit with the most experienced IS auditors.

Correct answer: C

Explanation

The best course of action is to perform the audit using third-party support because it allows the audit to proceed with the necessary expertise. Delaying the audit for training or hiring could lead to missed deadlines and increased risk exposure. Relying solely on the most experienced IS auditors may still not provide the specialized skills required for a cybersecurity audit.