Exam CISA
Question 1235

During a follow-up audit, an IS auditor finds that the auditee has updated virus scanner definitions without adopting the original audit recommendation to increase the frequency of using the scanner. The MOST appropriate action for the auditor is to:

Correct Answer: B

During a follow-up audit, the auditor's role is to ensure that the original audit recommendations are implemented to mitigate identified risks. Since the auditee has not adopted the recommendation to increase the frequency of using the scanner, it is essential for the auditor to prepare a follow-up audit report reiterating the recommendation. This ensures that management is formally reminded of the unresolved issue and its potential impact, thereby fulfilling the auditor's duty to promote adherence to best practices and risk mitigation strategies.

Discussion
Swallows
Option: B

A follow-up audit report documents and details any recommendations made during the initial audit that were not implemented. The auditor can clearly state why the recommendations were not implemented and what was done instead, helping management understand the nature of the problem.