Near the end of a project for an important web-based order system, an IT auditor has been assigned to review the system's security controls. The results of the penetration test performed are inconclusive, and because the system is scheduled for deployment to production, additional testing is not possible within the time permitted for the review. What is the most effective option for the IT auditor?
Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
Inform management that audit work is not complete and recommend that the audit be postponed.
Issue a report to management omitting the areas where the evidence obtained from testing was inconclusive.
Request to postpone the go-live date until additional security testing can be completed and evidence of appropriate controls can be obtained.
If the IS auditor cannot gain sufficient assurance for a critical system within the agreed time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed audit time frame. ISACA IT audit and assurance standards would be violated if these areas were omitted from the audit report. Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed date. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this would violate audit guidelines concerning due diligence and professional care.