An audit program indicates that a specific number of transactions are to be sampled for testing a particular control. However, it has been determined that the control design is deficient. What should the IS auditor do in response to this information?
When a control design is found to be deficient, the IS auditor should recommend a change to the audit program and testing methodology used. Continuing with the originally planned sample size would not address the deficiency in the control design. By altering both the audit program and methodology, the auditor can better assess the impact of the deficient control and determine the necessary corrective actions.
B I think is right. So it means that Compliance Testing result in not efficient. So another sampling should be used. In this case Substantive Testing