Certified Information Systems Auditor (CISA) — Question 788

information officer (CIO) has requested there be no IS audits in the upcoming year, as more time is needed to address a large number of recommendations from the previous year. Which of the following should the auditor do FIRST?

Answer options

• A. Notify the chief operating officer (COO) and discuss the audit plan risks.
• B. Escalate to audit management to discuss the audit plan.
• C. Increase the number of IS audits in the plan.
• D. Exclude IS audits from the upcoming year’s plan.

Correct answer: B

Explanation

The auditor should first escalate to audit management to discuss the audit plan because this ensures that the concerns of the CIO are addressed at the appropriate level, while also considering the implications for audit effectiveness. Simply notifying the COO or increasing the number of audits does not address the CIO's request adequately, and excluding the audits would not be a responsible action without proper discussion.