The IS auditor's conclusions must be based on sufficient, reliable, and relevant evidence gathered through independent testing. When management provides new evidence after the initial fieldwork but before the final report is issued, the auditor has a professional responsibility to validate this new information. Simply accepting management's assertion or evidence without verification would compromise the auditor's objectivity and due professional care. Therefore, the best course of action is to re-perform the specific audit tests related to the control in question. This allows the auditor to independently verify that the control has been implemented and is operating effectively, ensuring the final audit report is accurate and based on verified facts.

A. Explaining that the control will be evaluated during follow-up is a viable option, but not the best, as it results in a report that does not reflect the most current, verifiable state of the control environment.

C. Changing the conclusion based solely on evidence provided by management, without independent verification, is a violation of professional standards for objectivity and due care.

D. Adding comments about management's action is a good reporting practice, but it is insufficient. The auditor must first validate the claim before modifying the report's primary conclusion on the control's effectiveness.

---

1. ISACA

ITAF: A Professional Practices Framework for IS Audit/Assurance

4th Edition

2020.

Guideline 2204 Evidence

Section 2204.3 Evaluation of Evidence: States

"IS auditors should evaluate the evidence gathered to determine whether it is sufficient and appropriate to support the conclusions to be drawn." This implies that evidence from management must be evaluated by the auditor

which is best done through re-performance of tests.

Guideline 2401 Reporting

Section 2401.8 Subsequent Events: Notes that the IS auditor should consider the effect of events occurring between the end of fieldwork and the date of the report. If management implements a control in this period

the auditor should perform procedures to determine the effect of this event on the findings and report. Re-testing (re-performing the audit) is the appropriate procedure.

2. ISACA

CISA Review Manual

27th Edition

2019.

Chapter 1: The Process of Auditing Information Systems

Section 1.4.4

"Reporting/Communication of Results": This section emphasizes that all audit findings must be supported by sufficient and appropriate evidence. If new evidence is presented that contradicts a finding

the auditor must re-evaluate. The most rigorous method of re-evaluation is to re-test the control. The manual states

"The IS auditor should obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the audit results." Accepting management's evidence without re-performance would not meet this standard.