CISA Certified Information Systems Auditor – Question2389

If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do?

A.
Lack of IT documentation is not usually material to the controls tested in an IT audit.
B. The auditor should at least document the informal standards and policies. Furthermore, the IS auditor should create formal documented policies to be implemented.
C. The auditor should at least document the informal standards and policies, and test for a compliance. Furthermore, the IS auditor should recommend management that formal documented policies be developed and implemented.
D. The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should create formal documented policies to be implemented.

Correct Answer: C

Explanation:

Explanation:
If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.