Exam CISA topic 1 question 1763 discussion

Actual exam question from ISACA's CISA
Question #: 1763
Topic #: 1

During a follow-up audit, an IS auditor discovers that a recommendation has not been implemented. However, the auditee has implemented a manual workaround that addresses the identified risk less efficiently than the recommended action would. Which of the following is the auditor's BEST course of action?

  • A. Notify management that the risk has been addressed and take no further action.
  • B. Note that the risk has been addressed and notify management of the inefficiency.
  • C. Require management to implement the original recommendation.
  • D. Escalate the remaining issue for further discussion and resolution.
Suggested Answer: D

Comments

52cb16c
2 months, 2 weeks ago
Selected Answer: B
Actions that clearly communicate to management that risks have been mitigated but are not as effective as the original recommendation. → Consistent with the auditor's independence and fact-based reporting role.
upvoted 1 times
46080f2
5 months, 1 week ago
Selected Answer: B
According to the guidance on audit follow-up activities (Section 1.9.5): Risk mitigation is prioritized over implementation method: While the original recommendation wasn't followed, the manual workaround has addressed the risk (albeit less efficiently). The IS auditor's primary concern is whether the risk has been mitigated. Communication of inefficiencies: The manual explicitly states auditors should "note the deviation in implementation from the plan" and document operational inefficiencies even when risks are addressed. This aligns with the requirement to report suboptimal controls while acknowledging risk reduction. Escalation criteria: Escalation (Option D) applies only when risks remain unaddressed. Since the workaround mitigates the risk, escalation isn't warranted.
upvoted 1 times