Q: 2
During a follow-up audit, an IS auditor learns that some key management personnel have
been replaced since the original audit, and current management has decided not to implement
some previously accepted recommendations. What is the auditor's BEST course of action?
Options
Discussion
Option B, That's the normal escalation, audit manager before going higher. ISACA wants the chain followed. Agree?
Hard to say, B. Reporting up to the audit manager matches the escalation path you see in the official ISACA guide and practice tests. Other options skip steps or don't address change in risk acceptance. Check official resources to drill this process, but I'm pretty sure that's what they want here. Agree?
Don't think it's A since that's skipping protocol, and C/D miss the reporting piece. B is the best call here.
Don't think it's A-standard process is to inform the audit manager first. B is what I've seen in similar questions.
B vs A. If "best" means stick to process, then B is right since you always report up the audit chain before escalating. But if it was an urgent risk or management was actively creating exposure, some exam questions flip to A. Here, pretty sure ISACA wants B due to standard escalation. Agree?
I don't think you'd go straight to the audit committee for this. Option A is tempting since it's a serious change, but chain of command matters. B
If management changed and isn't implementing old recommendations, is there any hint the risk level changed too? I'm not sure if that's enough to go to A or if B is just the usual reporting chain. What's the typical ISACA expectation here?
B , audit manager is the proper escalation. A is tempting but that's skipping protocol.
Guessing A here-feels like if management isn't following through, you tell the audit committee chair directly. Retesting or closing seems off for unaddressed recs. Not totally sure, but that's what I'd pick.
A is wrong, B. Reporting to the audit manager keeps it in the right escalation path per ISACA.
Be respectful. No spam.
