During the planning stage of a compliance audit, an IS auditor discovers that a bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk.
What should the auditor do FIRST?
The correct answer is D. Report the missing regulatory updates to the chief information officer (CIO).
Explanation:
The planning stage of a compliance audit is crucial as it helps the auditor to identify the scope of the audit and ensure that all relevant regulatory requirements are considered. In this scenario, the IS auditor has discovered that the bank's inventory of compliance requirements does not include recent regulatory changes related to managing data risk. This means that the bank is not complying with the latest regulatory requirements and may be at risk of non-compliance.
In such a situation, the auditor's first step should be to report the missing regulatory updates to the CIO. The CIO is responsible for managing the bank's information technology (IT) systems and ensuring compliance with regulatory requirements. Reporting the missing regulatory updates to the CIO will ensure that the bank's management is aware of the compliance gap and can take corrective action.
Option A, discussing potential regulatory issues with the legal department, may not be the most appropriate first step. The legal department may not have the necessary expertise to evaluate the impact of the regulatory changes on the bank's IT systems.
Option B, asking management why the regulatory changes have not been included, may not be the most appropriate first step either. Management may not have been aware of the regulatory changes or may have considered them insignificant.
Option C, excluding recent regulatory changes from the audit scope, is not a valid option: it would result in an incomplete audit and would not address the compliance gap identified by the IS auditor. In each case, the more appropriate first step is to report the missing regulatory updates to the CIO, who is responsible for managing the bank's IT systems.