During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period.
Which of the following is the auditor's MOST important course of action?
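A. Document the finding and present it to management.
B. Determine if a root cause analysis was conducted.
C. Validate whether all incidents have been actioned.
D. Confirm the resolution time of the incidents.
C.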
During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. The IS auditor's most important course of action is to determine the root cause of the incidents. Therefore, the correct answer is B, "Determine if a root cause analysis was conducted."
Here's why:
A. Document the finding and present it to management. While documenting the finding and presenting it to management is important, it is not the most important course of action for the auditor in this situation. The auditor must first determine the root cause of the incidents before presenting it to management, as management will likely want to know what caused the incidents and how to prevent them in the future.
B. Determine if a root cause analysis was conducted. Determining if a root cause analysis was conducted is the most important course of action for the auditor in this situation. A root cause analysis helps to identify the underlying cause of an incident and can help prevent similar incidents from occurring in the future. If a root cause analysis was not conducted, the auditor should recommend that one be performed.
C. Validate whether all incidents have been actioned. Validating whether all incidents have been actioned is important, but it is not the most important course of action for the auditor in this situation. The auditor must first determine the root cause of the incidents before validating if all incidents have been actioned, as fixing the symptoms of the problem without addressing the root cause may result in similar incidents occurring in the future.
D. Confirm the resolution time of the incidents. Confirming the resolution time of the incidents is important, but it is not the most important course of action for the auditor in this situation. The auditor must first determine the root cause of the incidents before confirming the resolution time, as the resolution time may be impacted by the underlying cause of the incidents.