During an ongoing audit, management requests a briefing on the findings to date.
Which of the following is the IS auditor's BEST course of action?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
When management requests a briefing on the findings to date during an ongoing audit, the IS auditor's best course of action depends on several factors, such as the audit scope, objectives, methodology, and timeline, as well as the auditee's cooperation, communication, and feedback.
Among the options provided, the IS auditor's best course of action is B. Request the auditee provide management responses. This option involves the following steps:
The IS auditor should gather and organize the audit findings and recommendations based on the audit plan and procedures. The audit findings should be documented in the working papers and summarized in a preliminary report or draft report, depending on the audit cycle and the level of assurance required.
The IS auditor should meet with the auditee to discuss the preliminary findings and recommendations and seek their input, clarification, and agreement. The auditee should have the opportunity to review the working papers, provide additional information or documentation, and respond to the findings and recommendations.
The IS auditor should request the auditee to provide management responses to the preliminary findings and recommendations. The management responses should indicate their agreement or disagreement with the findings and recommendations, the actions taken or planned to address the issues raised, and the timelines for completion. The management responses should be documented and attached to the working papers or preliminary report.
The IS auditor should review the auditee's management responses and assess their adequacy, completeness, and consistency with the audit evidence and criteria. The IS auditor should also consider any additional information or feedback provided by the auditee and update the working papers or preliminary report accordingly.
The IS auditor should prepare a briefing for management based on the preliminary findings, recommendations, and auditee's management responses. The briefing should highlight the key issues, risks, and opportunities identified, the impact on the organization's objectives, and the actions needed to improve the effectiveness, efficiency, and compliance of the audited area. The briefing should be objective, concise, and clear, and should avoid technical jargon or acronyms that may not be familiar to management.
By requesting the auditee to provide management responses, the IS auditor can ensure that management is informed of the audit findings and recommendations in a timely and accurate manner, while also providing the auditee with an opportunity to explain their perspective and proposed actions. This approach can enhance the credibility and transparency of the audit process, promote collaboration and cooperation between the IS auditor and the auditee, and increase the likelihood of effective follow-up and monitoring of the audit recommendations.
The other options provided have some limitations or drawbacks:
A. Review working papers with the auditee: This option may not provide sufficient assurance to management that the audit findings and recommendations are valid, reliable, and objective, as the auditee may have a vested interest in the results. It may also compromise the independence and objectivity of the IS auditor, as the auditee may influence the interpretation or presentation of the findings.
C. Request management wait until a final report is ready for discussion: This option may delay the communication of the audit findings and recommendations to management, which may result in missed opportunities to address the issues identified or to improve the audit process. It may also create uncertainty and anxiety among stakeholders who are awaiting the audit results.
D. Present observations for discussion only: This option may not provide sufficient context, analysis, or recommendations to management, as the observations may lack clarity, relevance, or significance. It may also leave the impression that the audit is incomplete or inconclusive, which may undermine the credibility and usefulness of the audit process.