Which of the following is an IS auditor's BEST course of action upon learning that preventive controls have been replaced with detective and corrective controls?
Correct answer: D
As an IS auditor, the BEST course of action upon learning that preventive controls have been replaced with detective and corrective controls is to evaluate whether the new controls manage the risk at an acceptable level. This would involve a thorough review of the new controls to ensure that they are adequate in mitigating the identified risks.
Option A: Reporting the issue to management as the risk level has increased is a valid action, but it does not provide a complete solution. This action alone does not evaluate whether the new controls are sufficient or not.
Option B: Recommending the implementation of preventive controls in addition to the other controls is also a valid action, but it assumes that the new controls are inadequate. It is possible that the new controls are sufficient, and adding preventive controls would not be necessary.
Option C: Verifying the revised controls enhance the efficiency of related business processes is not the BEST course of action, as the primary concern of an IS auditor is to ensure the effectiveness of controls in managing risks, not their efficiency.
Option D: Evaluating whether new controls manage the risk at an acceptable level is the BEST course of action, as it addresses the core issue of whether the new controls are sufficient in mitigating the identified risks. This action would involve conducting a risk assessment to determine the level of risk associated with the new controls and comparing it to the organization's risk appetite.
In conclusion, the BEST course of action for an IS auditor upon learning that preventive controls have been replaced with detective and corrective controls is to evaluate whether the new controls manage the risk at an acceptable level.