Certified Information Systems Auditor (CISA) — Question 531

As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following would be the BEST course of action for the IS auditor?

Answer options

• A. Suggest hiring a third-party consultant to perform a current state assessment.
• B. Issue a final report without including the opinion of the auditee.
• C. Conduct further discussions with the auditee to develop a mitigation plan.
• D. Accept the auditee's response and perform additional testing.

Correct answer: C

Explanation

The correct answer is C because further discussions can help clarify the auditee's concerns and collaboratively develop a mitigation strategy that addresses the recommendations. Option A, while potentially beneficial, does not directly engage with the auditee's hesitations. Option B disregards the auditee's input, which could lead to further issues. Option D does not address the root cause of the auditee's reluctance and may not lead to effective improvements.