During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:

Posted by: Pdfprep Category: CISA Tags: , ,

During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A . create the procedures document.
B . terminate the audit.
C . conduct compliance testing.
D . identify and evaluate existing practices.

Answer: D

Explanation:

One of the main objectives of an audit is to identify potential risks; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization. IS auditors should not prepare documentation, as doing so could jeopardize their independence. Terminating the audit may prevent achieving one of the basic audit objectives, i.e., identification of potential risks. Since there are no documented procedures, there is no basis against which to test compliance.

Leave a Reply

Your email address will not be published.