During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties.
Which of the following would be the auditor's BEST course of action?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
When an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties, the auditor's BEST course of action would be to escalate the deficiency to audit management. This means that option B is the correct answer.
Here is an explanation for each option:
A. Plan to test these controls in another audit: While it may be possible to test these controls in another audit, it is not the BEST course of action because this approach may delay the audit and result in additional costs.
B. Escalate the deficiency to audit management: Escalating the deficiency to audit management is the BEST course of action because it allows the auditor to report the issue to higher management and obtain their support to address the deficiency.
C. Add testing of third-party access controls to the scope of the audit: While this option may seem feasible, adding testing of third-party access controls to the scope of the audit may delay the audit and result in additional costs. Moreover, the audit plan may not have the necessary resources to accommodate this additional scope.
D. Determine whether the risk has been identified in the planning documents: While determining whether the risk has been identified in the planning documents is important, it does not help address the deficiency in the current audit plan. The auditor should escalate the deficiency to audit management to address the issue.
In summary, when an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties, the BEST course of action would be to escalate the deficiency to audit management.