During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor's BEST action?
The auditor's best action is to re-perform the audit before changing the conclusion. This ensures that the new control implemented can be independently verified to be effective. By re-performing the audit, the auditor can ensure the accuracy and reliability of the audit findings. This maintains the integrity and objectivity of the audit process, as changing the conclusion solely based on new evidence provided without independent verification might lead to incorrect conclusions.
Should be B.
D should be the answer. By re-performing the audit, the auditor ensures that their conclusion is based on the most up-to-date and accurate information. It allows for a more comprehensive evaluation of the control's effectiveness and provides a more reliable basis for reporting and decision-making. While adding comments about the action taken by IT management in the report (option B) may be appropriate actions, they should be accompanied by a thorough REASSESSMENT of the control's effectiveness.
Since suitable evidence has been presented, the audit opinion will be modified accordingly.
Somehow more comfortable with option D; we need to further verify the new evidence, and a comment is not necessary to put on the draft report, since it's just a draft and the final report should reflect the real conditions.
The best action is to re-perform the audit (Option D) before changing the conclusion. This allows the auditor to independently confirm that the new or revised control is effective and addresses the previously identified issues. Only after this verification can the auditor update the audit report to reflect the current state of the control environment accurately. In summary, while Option C might seem efficient, it does not provide the necessary level of assurance that the control is effective. The auditor's responsibility is to maintain independence and objectivity, and this is best achieved by re-performing the audit (Option D) to verify the effectiveness of the new control before changing any conclusions in the report.
During the audit, the finding has been fixed. So auditors cannot remove the finding from the report but can add comments about the action taken by the auditees.
C. Change the conclusion based on evidence provided by IT management.