Key Controls Overridden by Management: Next Steps for IS Auditors

Identifying Key Controls Overridden by Management


Question

An IS auditor identifies key controls that have been overridden by management.

The NEXT step the IS auditor should take is to:

Answers

Explanations


A. B. C. D.

B.

The correct answer is C. recommend compensating controls.

Explanation:

When an IS auditor identifies that key controls have been overridden by management, it means that management has intentionally bypassed or ignored established controls to achieve certain objectives. This is a cause for concern because it may lead to increased risks and potential negative consequences for the organization.

The next step the IS auditor should take is to recommend compensating controls. Compensating controls are alternative measures put in place to mitigate risks that arise when key controls are not effective or available. These controls are designed to substitute for the missing or weakened controls and to ensure that the organization's risks are within acceptable levels.

Before recommending compensating controls, the IS auditor should analyze the situation carefully, determine the extent of the problem, and assess the impact on the organization's objectives. This analysis should consider the nature of the key controls that have been overridden, the reasons why management has chosen to do so, and the potential consequences of the override.

Once the analysis is completed, the IS auditor should recommend specific compensating controls that can address the risks associated with the override. These controls should be practical, effective, and commensurate with the risks involved. The IS auditor should also ensure that the compensating controls are properly implemented and tested to verify their effectiveness.

Performing procedures to quantify the irregularities (Option A) may be necessary to understand the extent of the problem and the impact on the organization, but it is not the next step that should be taken. The IS auditor should first recommend compensating controls to address the risks associated with the override.

Reporting the absence of key controls to regulators (Option B) may be required in some cases, but it is not the next step that should be taken. The IS auditor should first recommend compensating controls to address the risks associated with the override.

Withdrawing from the engagement (Option D) may be necessary if the situation is severe or if the auditor's independence or objectivity is compromised. However, it is not the next step that should be taken. The IS auditor should first recommend compensating controls to address the risks associated with the override.