Certified Information Systems Auditor (CISA) — Question 77
An IS auditor previously worked in an organization’s IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. What should the auditor do FIRST?
Answer options
- A. Document the conflict in the audit report.
- B. Report the conflict of interest to the chief compliance officer.
- C. Communicate the conflict of interest to the audit manager.
- D. Decline the audit assignment.
Correct answer: C
Explanation
The auditor should first communicate the conflict of interest to the audit manager, which ensures transparency and proper handling of the situation. Documenting the conflict or reporting it to others may be necessary later, but the immediate action is to inform the audit manager. Declining the audit assignment is not the best first step, because addressing the conflict with management is more appropriate.