Certified Information Systems Auditor (CISA) — Question 676

An IS auditor was involved in the design phase for a new system's security architecture. For the planned post-implementation audit, which of the following would be the MOST appropriate course of action for the auditor?

Answer options

• A. Have another auditor review the security architecture.
• B. Disclose the independence issues in the audit report.
• C. Change the audit scope to exclude security architecture.
• D. Postpone the post-implementation audit to a later date.

Correct answer: A

Explanation

The most suitable action is to have another auditor review the security architecture to ensure an unbiased evaluation. Disclosing independence issues in the audit report would not address the need for an objective audit. Changing the audit scope to exclude security architecture would undermine the audit's effectiveness, and postponing the audit would delay necessary oversight.