What would be an IS auditor's BEST course of action when an auditee is unable to close all audit recommendations by the time of the follow-up audit?
When an auditee is unable to close all audit recommendations by the time of the follow-up audit, it is crucial to evaluate the residual risk due to the open issues. This allows the auditor to understand the impact of the unresolved issues on the organization's risk posture and helps in determining the urgency and priority of corrective actions. It ensures that the auditor provides a clear picture of the remaining vulnerabilities and their implications, enabling management to make informed decisions on how to address these risks.
When an auditee is unable to close all audit recommendations by the time of the follow-up audit, the IS auditor's best course of action is to evaluate the residual risk due to open issues. This allows the auditor to understand the remaining risks that the organization faces due to unresolved audit findings and helps management make informed decisions regarding the need for further action or accepting the residual risk.
If it's a follow-up issue, which was previously raised, what changes are supposed to have happened to the residual risk?
I’d pick A
Best course of action in this scenario is to evaluate the residual risk
C for me
C. Evaluate the residual risk due to open issues.
Reason for this is that residual risk is the level of risk remaining after controls have been applied. If audit issues remain unresolved, the IS auditor must assess the potential impact of these open issues on business operations, security, and compliance.