Identifying Scope Gap in Audit - CISA Exam Question Answer

D.

In this scenario, an IS auditor has found that a cloud-based application was not included in the application inventory that was used to determine the scope of an audit. The business process owner has informed the auditor that a third party will audit the cloud application next year.

The auditor's next step should be to evaluate the impact of the cloud application on the audit scope. This means that the auditor needs to determine how the exclusion of the cloud application affects the overall audit objectives and whether the audit scope needs to be revised to include the cloud application.

Option A is the correct answer as it is essential to understand the potential impact of the missing application on the audit scope. The auditor needs to determine whether the cloud-based application contains sensitive or critical data that could affect the overall audit results. Depending on the audit objectives, it may be necessary to include the cloud application in the scope of the audit.

Option B is incorrect as it assumes that the audit scope should be revised immediately to include the cloud application. However, before making any changes to the audit scope, the auditor needs to understand the impact of the cloud application on the overall audit objectives.

Option C is also incorrect as it assumes that the third-party audit will address the issue of the missing cloud application. However, the third-party audit may not have the same objectives as the current audit and may not address the issue of the missing cloud application.

Option D is also incorrect as it assumes that reporting the control deficiency to senior management is the next step. However, the auditor needs to determine the impact of the missing application on the audit scope before reporting the control deficiency.