Certified Information Systems Auditor (CISA) — Question 509

After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:

Answer options

• A. review the results of compliance testing.
• B. perform a gap analysis against the benefits defined in the business case.
• C. quantify improvements in client satisfaction.
• D. confirm that risk has declined since the application system release.

Correct answer: B

Explanation

The best approach for the auditor is to perform a gap analysis against the benefits defined in the business case (Option B), as this directly assesses whether the system is meeting its intended goals. Reviewing compliance testing results (Option A) does not measure value delivery, while quantifying client satisfaction improvements (Option C) is useful but may not fully reflect the system's overall value. Confirming risk reduction (Option D) is also important but does not directly address the benefits outlined in the business case.