Ensuring Reliable Internal Controls

C.

Before concluding that internal controls can be relied upon, the IS auditor should perform a series of activities to ensure that the internal controls are effective and operating as intended. These activities include the following:

A. Discuss the internal control weaknesses with the auditee: The IS auditor should discuss any weaknesses found in the internal control system with the auditee. This is important as the auditee is responsible for implementing and maintaining the internal control system. During the discussion, the IS auditor should explain the weaknesses and their potential impact on the organization. The auditee should be given an opportunity to provide additional information or clarify any misunderstandings. The discussion should be documented for future reference.

B. Document application controls: The IS auditor should document the application controls to understand how the system is being controlled and to identify any areas of weakness. Application controls are specific to each system and are designed to ensure the accuracy, completeness, and validity of data processed by the system. Examples of application controls include input controls, processing controls, and output controls. Documenting the application controls will help the IS auditor to identify areas of weakness that need to be addressed.

C. Conduct tests of compliance: The IS auditor should conduct tests of compliance to ensure that the internal control system is operating as intended. Tests of compliance are designed to determine whether policies and procedures are being followed and whether internal controls are working as expected. Compliance testing may include reviewing documentation, observing processes, and testing controls. The results of the compliance tests should be documented for future reference.

D. Document the system of internal control: The IS auditor should document the system of internal control to understand how the system is being controlled and to identify any areas of weakness. The documentation should include policies and procedures, flowcharts, and other relevant information. Documenting the system of internal control will help the IS auditor to identify areas of weakness that need to be addressed.

Therefore, option A is correct as discussing internal control weaknesses with the auditee is a critical step in determining the effectiveness of the internal control system. The other options, B, C, and D, are important steps but are not sufficient on their own to ensure that internal controls can be relied upon.