Certified Information Systems Auditor (CISA) — Question 799

Management states that a recommendation made during a prior audit has been implemented, but the IS auditor doubts the effectiveness of the actions taken. Which of the following is the auditor’s MOST appropriate course of action?

Answer options

• A. Report to audit management that the actions taken have not effectively addressed the original risk.
• B. Make an additional recommendation on how to remediate the finding.
• C. Perform testing or other audit procedures to confirm the status of the original risk.
• D. Recommend external verification of management's preferred actions.

Correct answer: C

Explanation

The correct answer is C because performing testing or other audit procedures allows the auditor to gather evidence and assess whether the implemented actions effectively mitigate the original risk. Options A and B do not involve verifying the effectiveness of the actions taken, and option D suggests external verification, which may not be necessary if internal procedures can confirm the status.