An IS auditor was involved in the design phase for a new system's security architecture.
For the planned post-implementation audit, which of the following would be the MOST appropriate course of action for the auditor?
Click on the arrows to vote for the correct answer
A. B. C. D.A.
As an IS auditor, it is important to maintain independence and objectivity in performing audits. In this scenario, the IS auditor was involved in the design phase of a new system's security architecture, which can potentially compromise their independence during the post-implementation audit.
Option A, which suggests having another auditor review the security architecture, can be a viable solution to ensure the independence and objectivity of the post-implementation audit. By involving another auditor who was not involved in the design phase, the audit can be performed with greater objectivity and independence.
Option B, which suggests disclosing the independence issues in the audit report, is also an appropriate course of action. By disclosing the independence issues, the stakeholders can be aware of the potential limitations in the audit and can make informed decisions based on the audit results.
Option C, which suggests changing the audit scope to exclude security architecture, is not the best course of action since the security architecture is a crucial aspect of the system's overall security. Excluding it from the audit scope can lead to incomplete and insufficient audit results.
Option D, which suggests postponing the post-implementation audit to a later date, is not ideal since the audit is necessary to ensure the system's security is working as intended. Delaying the audit can expose the system to potential security threats and can cause delays in identifying and addressing any security issues.
Therefore, option A, having another auditor review the security architecture, is the most appropriate course of action to ensure independence and objectivity in the post-implementation audit.