5-Year Audit Plan: Efficiency Strategies for IS Audit Managers

Question

A 5-year audit plan provides for general audits every year and application audits on alternating years.

To achieve higher efficiency, the IS audit manager would MOST likely:

Answers

Explanations

A. B. C. D.

D.

The question is asking about the most efficient way for an IS audit manager to conduct audits in accordance with a 5-year audit plan that calls for general audits every year and application audits on alternating years.

Option A, which suggests integrating all new applications into the existing plan, is not the best choice because it assumes that all new applications will have the same level of risk and impact on the organization. This may not be true, and high-risk applications are likely to be overlooked. Therefore, this option can lead to inefficiencies and may not result in an appropriate allocation of audit resources.

Option B suggests alternating between control self-assessment (CSA) and general audits every year. CSA is a process in which control owners and management evaluate the design and effectiveness of controls within their area of responsibility. This option may improve efficiency by allowing control owners to evaluate their own controls and only requiring an audit in areas where deficiencies or concerns are identified. However, CSA alone may not provide adequate assurance to management, and it is not suitable for all types of controls. Therefore, it is not the best option.

Option C proposes implementing risk assessment criteria to determine audit priorities. This is the most suitable and effective option because it allows for a risk-based approach to audit planning. By conducting a risk assessment, the IS audit manager can identify high-risk areas and allocate resources accordingly. This approach ensures that audit resources are focused on areas with the highest risks and provides a systematic and objective approach to audit planning.

Option D suggests conducting control self-assessments (CSAs) and formal audits of applications on alternating years. This option is similar to Option B, but it includes formal audits of applications in addition to CSAs. While this approach may provide additional assurance to management, it may also be inefficient because it does not necessarily take into account the relative risks of each application. Therefore, it is not the best option.

In conclusion, the most efficient way for the IS audit manager to conduct audits in accordance with the 5-year audit plan is to implement risk assessment criteria to determine audit priorities (Option C). This approach ensures that audit resources are focused on areas with the highest risks and provides a systematic and objective approach to audit planning.