What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?
When management responses indicate that a key internal control is no longer effective, the IS auditor's primary concern should be to understand the consequences of this deficiency. Therefore, the first step should be to verify the impact of the control no longer being effective. This helps in assessing the potential risks and determining the urgency and extent of further actions needed to address the issue.
Correct answer is C.
At first, anyone will check if there are any compensating controls. In the absence of these, only then will they go and check for the impact of not having such a control.
Why not A?
The auditor should first comprehensively verify the overall effectiveness of internal controls. This includes the following steps: reassessment and testing; scope of reassessment; understand the impact. Therefore, verifying the overall effectiveness of internal controls is the first step for the IS auditor.
According to GPT4: "In general, understanding the risk (impact) first and then assessing mitigating factors (compensating controls) is a common approach in risk management and auditing processes."
I think the answer should be C because impact analysis will be done first.