During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor’s BEST course of action?
A. Plan to test these controls in another audit.
B. Escalate the deficiency to audit management.
C. Add testing of third-party access controls to the scope of the audit.
D. Determine whether the risk has been identified in the planning documents.
A. Plan to test these controls in another audit.
B. Escalate the deficiency to audit management.
C. Add testing of third-party access controls to the scope of the audit.
D. Determine whether the risk has been identified in the planning documents.