CISA Certified Information Systems Auditor – Question 1930

When conducting a follow-up of previous audit findings, an IS auditor is told by management that a recommendation to make security changes to an application has not been implemented. The IS auditor should FIRST determine whether:

A. additional time to implement changes is needed.
B. the associated risk is still relevant.
C. the recommendation should be re-issued.
D. the issue should be escalated.

Correct Answer: A