Exam CISA
Question 314

During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor's BEST course of action?

    Correct Answer: D

    If the engagement audit plan does not include the testing of controls that regulate access by third parties, the auditor's best course of action would be to escalate the deficiency to audit management. This allows the issue to be brought to the attention of higher authorities who can then decide how to address it appropriately, ensuring that the audit scope is comprehensive and effectively mitigates potential risks associated with third-party access control.

Discussion
Rachy Option: C

C. Determine if the risk has been identified in the plan

BA27 Option: C

C. Determine whether the risk has been identified in the planning documents.

RS66 Option: A

AI says Option A is the most appropriate response because it directly addresses the deficiency by ensuring that testing of third-party access controls is included in the current audit scope. This action is proactive and aims to rectify the identified issue promptly. Therefore, Option A is the correct answer.

Swallows Option: C

Determine whether a risk assessment is in place to plan testing of controls that regulate third-party access.

shiowbah Option: A

A. Add testing of third-party access controls to the scope of the audit.

3008 Option: D

Escalate the deficiency to audit management: Escalating the deficiency to audit management is the BEST course of action because it allows the auditor to report the issue to higher management and obtain their support to address the deficiency.