An organization has agreed to perform remediation related to high-risk audit findings.
The remediation process involves a complex reorganization of user roles as well as the implementation of several compensating controls that may not be completed within the next audit cycle.
Which of the following is the BEST way for an IS auditor to follow up on the activities?
The correct answer is B. Provide management with a remediation timeline and verify adherence.
Explanation: When a high-risk audit finding is identified, remediation is necessary to mitigate the risk. Remediation is the process of addressing the root cause of the issue and implementing controls to prevent a similar issue from occurring in the future. In some cases, the remediation process can be complex and may require a significant amount of time and resources to complete.
As an IS auditor, it is important to follow up on the remediation activities to ensure that they are being completed in a timely and effective manner. There are several ways to do this, including:
A. Review the progress of remediation on a regular basis: This approach involves reviewing the status of remediation activities on a periodic basis to ensure that they are progressing as expected. While this approach can be useful, it may not provide sufficient assurance that the remediation activities will be completed within the desired timeframe.
B. Provide management with a remediation timeline and verify adherence: This approach involves working with management to develop a timeline for completing the remediation activities and verifying that they are adhering to the timeline. This approach is the best option as it ensures that management is accountable for completing the remediation activities within the desired timeframe.
C. Continue to audit the failed controls according to the audit schedule: This approach involves continuing to audit the controls that failed the initial audit even though remediation activities are underway. This approach may be useful in providing additional assurance that the controls are effective but may not be the best use of audit resources if the remediation activities are expected to address the root cause of the issue.
D. Schedule a review of the controls after the projected remediation date: This approach involves scheduling a review of the controls after the projected remediation date to ensure that they are effective. While this approach may be useful in providing assurance that the controls are effective, it may not be timely enough to prevent a similar issue from occurring in the future.
In conclusion, the best way for an IS auditor to follow up on remediation activities is to provide management with a remediation timeline and verify adherence. This approach ensures that management is accountable for completing the remediation activities within the desired timeframe and provides assurance that the remediation activities are effective in mitigating the risk.