CISA: Certified Information Systems Auditor - Resolving Inadequate Remediation

Resolving Inadequate Remediation


Question

During a follow-up audit, an IS auditor concludes that a previously identified issue has not been adequately remediated.

The auditee insists the risk has been addressed.

The auditor should:

Answers

Explanations


The correct answer in this case would be B. report the disagreement according to established procedures.

Explanation:

During the follow-up audit, the IS auditor found that a previously identified issue has not been adequately remediated. However, the auditee insists that the risk has been addressed. This situation suggests a disagreement between the auditee and the auditor, and it is essential to address it appropriately.

In this case, accepting the auditee's position without any additional investigation could lead to a false sense of security, as the issue may not have been fully resolved. Similarly, deferring the follow-up audit to the next year may prolong the potential risk and expose the organization to unnecessary threats.

Therefore, it is crucial to report the disagreement according to established procedures. The auditor should document the finding and report it to the appropriate management level for further review and action. The management team can then investigate the issue further and decide whether additional measures are necessary to mitigate the risk.

If necessary, the management team may decide to bring in a third party to conduct an independent assessment of the situation, as recommended in option A. An independent assessment can provide an objective and unbiased view of the issue, helping to resolve the disagreement and identify any additional measures required to address the risk.

In conclusion, when a disagreement arises between the auditee and the auditor regarding the remediation of an issue, the auditor should report the disagreement according to established procedures. This approach allows for an independent review of the situation, ensuring that the organization's security and risk management processes are operating effectively.