Addressing Divergent Management Actions in Follow-Up Audit | CISA Exam Answer

Addressing Divergent Management Actions

Question

In a follow-up audit, an IS auditor notes that management has addressed the original findings in a different way than originally agreed upon.

The auditor should FIRST:

Answers

Explanations

A. B. C. D.

D.

When conducting a follow-up audit, an IS auditor may find that management has addressed the original findings in a way that was different from what was agreed upon. In this case, the auditor should follow a specific set of steps to ensure that the findings are still addressed and the organization is still compliant with regulations.

The FIRST step that the auditor should take is to verify if management's action mitigates the identified risk. This step involves evaluating the effectiveness of the control measures implemented by management to address the identified issue. The auditor should review the actions taken by management and determine whether they have addressed the original findings and mitigated the identified risk. If the actions taken are effective, the auditor may recommend marking the recommendation as satisfied and closing the finding.

However, if the auditor determines that management's actions have not adequately mitigated the identified risk, they should escalate the deviation to the audit committee. This will allow the audit committee to review the situation and determine if additional action is required. If necessary, the auditor may need to perform additional testing to assess the changed control environment and identify any new risks that may have emerged.

In summary, the correct answer to the question is B. The IS auditor should first verify if management's action mitigates the identified risk. Only if this step determines that the risk has not been adequately addressed should the auditor consider escalating the deviation to the audit committee or re-performing the audit to assess the changed control environment.