During a follow-up audit for a finding related to change management, an IS auditor notes that one of the changes sampled was an emergency change, which follows a different process.
Which of the following is the auditor's BEST course of action?
A. B. C. D.A.
During a follow-up audit for a finding related to change management, the IS auditor noted that one of the sampled changes was an emergency change, which follows a different process. In this scenario, the BEST course of action for the auditor would be:
C. Obtain evidence that the change was approved.
Explanation: The IS auditor should obtain evidence that the emergency change was approved in accordance with the emergency change process. This is necessary to ensure that the emergency change was still subject to appropriate controls and that the change process was followed, even in an emergency situation. This evidence should be documented in the workpaper for the audit, as it would serve as a basis for the auditor's conclusion.
Option A, which suggests marking the sample as not applicable and moving on to the next sample, is not appropriate as the emergency change is still subject to controls and should be tested accordingly.
Option B, which suggests selecting a replacement change for testing, is not appropriate as the emergency change is already part of the sample, and replacing it would not address the issue at hand.
Option D, which suggests noting the sample as a deviation and leaving the finding open in the audit tracking log, is not appropriate as the auditor has not yet confirmed whether the emergency change was approved or not. If the emergency change was approved, there would be no deviation to report, and the finding related to change management would be closed.