CISA Exam Questions

CISA Exam - Question 594


An IS auditor is assigned to review the IS department's quality procedures. Upon contacting the IS manager, the auditor finds that there is an informal unwritten set of standards. Which of the following should be the auditor's NEXT action?

Correct Answer: BD

When an IS auditor finds that the IS department has only informal, unwritten standards, the appropriate next action is to make recommendations to IS management as to appropriate quality standards. This action ensures that the department establishes formal, documented standards, which contribute to consistency, repeatability, and clarity in quality procedures. By providing guidance on best practices or established standards, the auditor helps the organization improve its processes, thus aligning with the auditor's role to enhance effectiveness and efficiency within the organization.

Discussion

7 comments
saado9
Option: D
May 1, 2023

D. Make recommendations to IS management as to appropriate quality standards.

3008
Option: D
May 27, 2023

Documenting and testing compliance with the informal standards (option B) would be a possible action but it would not address the issue of the lack of formal quality procedures. The auditor's role is to provide recommendations for improvement, rather than just test compliance. Therefore, the best course of action is to make recommendations to IS management as to appropriate quality standards (option D). The auditor can provide guidance on industry best practices or established standards such as ISO 9001 or ITIL, which the organization can adopt and document in their procedures. This will help ensure that the quality procedures are consistent and followed consistently across the organization.

FAGFUR
Option: D
Nov 21, 2023

The lack of formal written standards raises concerns about consistency, repeatability, and clarity in the quality procedures. The auditor should communicate this finding to IS management and recommend the establishment of appropriate, documented quality standards. This ensures that expectations are clearly defined, understood, and followed, contributing to a more effective and efficient IS environment.

a84n
Option: B
Apr 29, 2024

Answer B: informal unwritten standards are accepted, and that's why the IS auditor will document them in the report and test compliance against them.

BabaP
Option: D
May 3, 2023

D is better

BabaP
May 3, 2023

Not sure, please delete

takuanism
Option: A
Jan 14, 2024

Is it acceptable for the IS auditor to make an operational document himself? I think the answer is A; the auditor should report the facts first.

Infysenthil
Option: B
Jul 6, 2024

My thought: Option B - Next course of action. Option D - Best course of action.