Certified Information Systems Auditor (CISA) — Question 853

During a security access review, an IS auditor identifies a segregation of duties issue involving financial reporting for which there are no mitigating controls. Which of the following stakeholders should be notified of this finding FIRST?

Answer options

• A. The audit committee
• B. External auditors
• C. Operational management
• D. The board of directors

Correct answer: C

Explanation

The correct answer is C: Operational management should be notified first because they are responsible for addressing the segregation of duties issue and implementing necessary controls. The audit committee, external auditors, and the board of directors are important stakeholders, but they are typically informed after operational management has been made aware and can take action to mitigate the risk.