Exam CISA topic 1 question 594 discussion

Can not be D beacuse first, the auditor must understand the current state.

My thought : Option B - Next course of action. Option D - Best course of action.

Answer B informal unwritten standards are accepted and that's why IS auditor will document them in the report and test the compliance against it

Does it accept IS Auditor makes an operational document by auditor himself? I think this answer is A, the auditor should report the facts first.

The lack of formal written standards raises concerns about consistency, repeatability, and clarity in the quality procedures. The auditor should communicate this finding to IS management and recommend the establishment of appropriate, documented quality standards. This ensures that expectations are clearly defined, understood, and followed, contributing to a more effective and efficient IS environment.

Documenting and testing compliance with the informal standards (option B) would be a possible action but it would not address the issue of the lack of formal quality procedures. The auditor's role is to provide recommendations for improvement, rather than just test compliance. Therefore, the best course of action is to make recommendations to IS management as to appropriate quality standards (option D). The auditor can provide guidance on industry best practices or established standards such as ISO 9001 or ITIL, which the organization can adopt and document in their procedures. This will help ensure that the quality procedures are consistent and followed consistently across the organization.

D is better

D. Make recommendations to IS management as to appropriate quality standards.