Certified Information Systems Auditor (CISA) — Question 911

When planning a follow-up, the IS auditor is informed by operational management that recent organizational changes have addressed the previously identified risk and implementing the action plan is no longer necessary. What should the auditor do NEXT?

Answer options

• A. Review the changes and determine whether the risks have been addressed.
• B. Accept management's assertion and report that the risks have been addressed.
• C. Report that the changes make it impractical to determine whether the risks have been addressed.
• D. Determine whether the changes have introduced new risks that need to be addressed.

Correct answer: A

Explanation

The correct answer is A because the auditor must review and verify whether the changes have effectively addressed the risks. Simply accepting management's assertion (B) without verification could lead to oversight of lingering risks. Reporting impracticality (C) or focusing only on new risks (D) diverts from the necessary evaluation of the existing risk mitigation.