Certified Information Systems Auditor (CISA) — Question 644
An IS auditor identifies that a legacy application to be decommissioned in three months cannot meet the security requirements established by the current policy.
What is the BEST way for the auditor to address this issue?
Answer options
- A. Inform the IT director of the policy noncompliance.
- B. Verify management has approved a policy exception to accept the risk.
- C. Recommend the application be patched to meet requirements.
- D. Take no action since the application will be decommissioned in three months.
Correct answer: B
Explanation
The best action is to verify that management has approved a policy exception (Option B), because a documented exception shows that the risk of the application's noncompliance has been formally accepted rather than overlooked. Simply informing the IT director (Option A) reports the noncompliance but does not establish whether the risk has been accepted, while recommending patches (Option C) may be unnecessary given the impending decommissioning. Taking no action (Option D) leaves the noncompliance unaddressed for the three months until the application is retired.