During a follow-up audit, an IS auditor learns that some key management personnel have been replaced since the original audit, and current management has decided not to implement some previously accepted recommendations. What is the auditor's BEST course of action?
When key management personnel are replaced and previously accepted recommendations are not implemented, the IS auditor should inform the audit manager. The audit manager can then address the situation appropriately, discussing the changes in recommendations with relevant stakeholders to reassess their impact on the organization's risk management and control environment. This helps ensure that the overall governance and risk management processes remain effective.
When management changes and previously accepted recommendations are not being implemented, the IS auditor's best course of action is to notify the audit manager. The audit manager can then discuss the issue with the appropriate personnel to determine the rationale behind the decision and assess the impact on risk
The auditor's BEST course of action is B, Notify the audit manager. In this scenario, the changes in key management personnel and the decision not to implement previously accepted recommendations can impact the overall risk management and control environment of the organization. The IS auditor should inform their audit manager about this change in order to properly assess the impact and determine any further actions that may be necessary.
Similar question before
This ensures that the audit committee is aware of the situation and can address the lack of implementation of critical recommendations by management.Other options will not address the root of the problem or strengthen governance.
The auditor is not intended to retest the controls without management agreement. A new audit strategy must be placed and that is management decision
Notifying the audit manager allows for proper escalation of the situation within the auditing function. The audit manager can reassess the situation, determine the significance of the changes, and decide on the appropriate steps to take, which might involve re-evaluating the recommendations or discussing the matter with higher-level management or the audit committee. While retesting the control (Option A) might be necessary depending on the nature of the recommendations and the changes in management, it's typically more appropriate to notify the audit manager first to ensure a coordinated response.
Notifying the audit manager of this issue is a priority.
i vote for A. As an Auditor, we should be ensure that the new process/procedure is having any kind of risk or limitation first before reporting it. Retest control is required to confirm if it is a finding or not.
I would choose A as you IS Auditor is already conducting a follow up audit on client. It is best to retest and control and present to management the finding and emphasize to them the need to remediate these.