Certified Information Systems Auditor (CISA) — Question 927
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?
Answer options
- A. Obtain a verbal confirmation from IT for this exemption.
- B. Review the list of end users and evaluate for authorization.
- C. Report this control process weakness to senior management.
- D. Verify management's approval for this exemption.
Correct answer: D
Explanation
The correct answer is D because verifying management's approval for the exemption ensures that there is an official record of the decision and that it aligns with organizational policies. Option A is insufficient because a verbal confirmation lacks documentation. Option B does not address the immediate need to confirm the exemption. Option C, although reporting control weaknesses is important, should come only after the auditor has checked whether management authorized the exemption.