Following an acquisition, it was decided that legacy applications subject to compliance requirements will continue to be used until they can be phased out.
The IS auditor needs to determine where there are control redundancies and where gaps may exist.
Which of the following activities would be MOST helpful in making this determination?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
The most helpful activity for an IS auditor to determine control redundancies and gaps would be Control Mapping (Option D).
Control Mapping is the process of identifying and mapping the existing controls in an organization's IT environment to a particular control framework or standard. It helps in understanding the effectiveness and coverage of existing controls, identifying control redundancies, and determining the control gaps.
In this scenario, the legacy applications subject to compliance requirements are already in use and need to be assessed for control redundancies and gaps. Control Mapping will help in identifying the controls that are already in place and mapping them to the relevant control framework or standard. This mapping will help to determine if there are any redundant controls or gaps in the existing control environment.
Control Self-Assessments (Option A) are an internal assessment by management or control owners to evaluate the effectiveness of controls. It may not provide an independent and objective view of the control environment, and may not identify all control gaps or redundancies.
Risk Assessment (Option B) is a process of identifying, analyzing, and evaluating the risks associated with an organization's operations. While it may help identify potential risks that may impact the control environment, it may not provide a complete picture of the existing control environment or identify all control redundancies and gaps.
Control Testing (Option C) involves testing the effectiveness of controls through various testing procedures. While control testing may help in identifying gaps in the control environment, it may not provide a comprehensive view of the control redundancies and gaps.
Therefore, Control Mapping is the most appropriate activity for an IS auditor to determine control redundancies and gaps in the context of this scenario.