What would be an IS auditor's BEST course of action when a critical issue outside the audit scope is discovered on an employee workstation?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
As an IS auditor, the discovery of a critical issue outside the audit scope on an employee workstation can be concerning. In such a situation, it is important to carefully consider the appropriate course of action.
Option A, taking no action, is not the best course of action as it ignores the critical issue that was discovered. As an auditor, it is important to report any issues or concerns that may impact the organization's information systems, regardless of whether they fall within the scope of the audit or not.
Option B, expanding the audit scope to include desktop audits, may be appropriate if the issue is deemed significant enough to warrant additional investigation. However, this may not always be necessary or feasible, particularly if the audit has already been planned and scheduled.
Option D, recording the observation in the workpapers, is a good first step, as it documents the issue and provides a record for future reference. However, it does not address the issue itself or provide any recommendations for remediation.
Therefore, the BEST course of action is Option C, including the findings with recommendations in the final report. This ensures that the issue is documented and reported to management, along with any recommendations for remediation. This can help to ensure that the issue is addressed and resolved, which ultimately benefits the organization as a whole.