CISA Certified Information Systems Auditor – Question0419

During the planning stage of a compliance audit, an IS auditor discovers that a bank’s inventory of compliance requirements does not include recent regulatory changes related to managing data risk. What should the auditor do FIRST?

A.
Discuss potential regulatory issues with the legal department.
B. Ask management why the regulatory changes have not been included.
C. Exclude recent regulatory changes from the audit scope.
D. Report the missing regulatory updates to the chief information officer (CIO).

Correct Answer: B