Q: 2
During a follow-up audit, an IS auditor learns that some key management personnel have
been replaced since the original audit, and current management has decided not to implement
some previously accepted recommendations. What is the auditor's BEST course of action?
Options
Discussion
Don't think it's A since that's skipping protocol, and C/D miss the reporting piece. B is the best call here.
Don't think it's A-standard process is to inform the audit manager first. B is what I've seen in similar questions.
B vs A. If "best" means stick to process, then B is right since you always report up the audit chain before escalating. But if it was an urgent risk or management was actively creating exposure, some exam questions flip to A. Here, pretty sure ISACA wants B due to standard escalation. Agree?
I don't think you'd go straight to the audit committee for this. Option A is tempting since it's a serious change, but chain of command matters. B
Its B here because the auditor has to respect the reporting line and let the audit manager decide on next steps. Jumping straight to A would skip proper protocol unless it's an immediate/critical issue, which isn't stated. Pretty sure that's what ISACA expects, but open if anyone's seen this handled differently.
Makes sense why it's B, audit manager is always the first escalation point in the process for stuff like this.
Would official ISACA review materials or practice exams cover nuances like this management change scenario in audit follow-up?
Seriously, ISACA loves the reporting line stuff. B
Guessing A here. Escalating straight to the audit committee seems right if management ignores agreed recommendations, since it's a governance issue. Almost picked B but I think bypassing that step is justified in this scenario. Could be wrong though.
Be respectful. No spam.
