CISA Certified Information Systems Auditor – Question0562

An internal IS auditor discovers that a service organization did not notify its customers following a data breach. Which of the following should the auditor do FIRST?

A.
Notify audit management of the finding.
B. Report the finding to regulatory authorities.
C. Notify the service organization’s customers.
D. Require the service organization to notify its customers.

Correct Answer: A