Certified Information Systems Auditor (CISA) — Question 762
Which of the following is an IS auditor's BEST course of action when the auditee indicates that a corrective action plan for a high-risk finding will take longer than expected?
Answer options
- A. Determine if an interim compensating control has been implemented.
- B. Require that remediation is completed in the agreed timeframe.
- C. Accept the longer target date and document it in the audit system.
- D. Escalate the overdue finding to the audit committee.
Correct answer: A
Explanation
The best course of action is to determine if an interim compensating control has been implemented, as this helps mitigate the risk while the full remediation is delayed. Requiring remediation within the original timeframe may not be feasible and could lead to further issues. Accepting a new target date without any safeguards, or escalating the issue, may ignore the ongoing risk posed by the high-risk finding.