Certified Information Systems Auditor (CISA) — Question 900

An IS auditor finds that irregularities have occurred and that auditee management has chosen to ignore them. If reporting to external authorities is required, which of the following is the BEST action for the IS auditor to take?

Answer options

• A. Obtain approval from audit management to submit the report.
• B. Obtain approval from auditee management to release the report.
• C. Obtain approval from both audit and auditee management to release the report.
• D. Submit the report to appropriate regulators immediately.

Correct answer: A

Explanation

The IS auditor should first obtain approval from audit management to submit the report, as this aligns with the internal policies and procedures for reporting such findings. Obtaining approval from auditee management (options B and C) is not advisable since they are the ones ignoring the irregularities. Immediately submitting the report to regulators (option D) may bypass necessary internal protocols.