When assessing controls in a newly implemented call center, the first step an IS auditor should take is to understand the operational risks involved. This allows the auditor to:
Identify critical areas where controls are most needed.
Focus the audit on high-risk areas that may impact security, availability, or data integrity.
Develop a risk-based audit plan.
Evaluating operational risks first helps prioritize subsequent audit steps, such as control reviews or testing infrastructure.
Why not the others?
A. Gather information from the customers regarding response times and quality of service
This is more aligned with performance or service quality assessments, not the initial step in a control-focused IS audit.
B. Test the technical infrastructure at the call center
This is too specific and tactical to be a first step. The auditor should first assess risk to guide where testing is most needed.
C. Review the manual and automated controls in the call center
This step is important but comes after identifying the key risk areas to determine which controls matter most.
When assessing a newly implemented call center, the IS auditor’s first step should be to evaluate the operational risks, because:
This sets the foundation for identifying key areas that require control testing.
It helps the auditor prioritize risks related to availability, confidentiality, integrity, and compliance.
Risk evaluation drives a risk-based audit approach, which is the standard recommended by ISACA and professional audit practices.
since question stated the word FIRST, not the MOST IMPORTANT, the answer is C. Auditor will first need to review manuals, documentations and controls implemented then can be evaluating the risk associated https://www.examtopics.com/discussions/isaca/view/126715-exam-cisa-topic-1-question-596-discussion/#with operations or other implemented controls
Option D, "Assess the operational risks associated with the call center," is also important, but risk assessment is usually considered a process that takes place after a control check. By checking controls first, the accuracy and effectiveness of risk assessment will be improved.
Before gathering information from customers or conducting technical tests, it's important for the auditor to have a clear understanding of the internal controls that are in place. This includes both manual and automated controls that govern the operations of the call center. By reviewing these controls first, the auditor can identify potential weaknesses, gaps, or areas of concern that may need further investigation or testing.
upvoted 2 times
...
This section is not available anymore. Please use the main Exam Page.CISA Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Greens
1 month, 3 weeks agomaxson69
1 month, 3 weeks agomaxson69
1 month, 3 weeks agoIFBBPROSALCEDO
1 month, 3 weeks agoMalsaffar
7 months, 2 weeks agoSwallows
1 year, 1 month agoYejide03
1 year, 5 months agotakuanism
1 year, 6 months agoFAGFUR
1 year, 8 months ago