CISA Certified Information Systems Auditor – Question2536
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should: A. create the procedures document. B. terminate the audit. C. conduct compliance testing. D. identify and evaluate existing practices.
Correct Answer: D
Explanation:
Explanation:
One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.
Please disable your adblocker or whitelist this site!