Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management’s decision.
Which of the following should be the IS auditor’s NEXT course of action?
A. Accept management’s decision and continue the follow-up.
B. Report the issue to IS audit management.
C. Report the disagreement to the board.
D. Present the issue to executive management.
Answer: B
Explanation:
Prior to a follow-up engagement, if an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation, the IS auditor should report the issue to IS audit management. This is because IS audit management is responsible for ensuring that audit findings are properly communicated and resolved. Accepting management’s decision and continuing the follow-up would not address the IS auditor’s concern. Reporting the disagreement to the board or executive management would be premature and inappropriate without consulting IS audit management first.
References: CISA Review Manual (Digital Version), Chapter 1, Section 1.6