IIA Exam IIA-CHAL-QISA Topic 3 Question 19 Discussion

Actual exam question for IIA's IIA-CHAL-QISA exam

Question #: 19
Topic #: 3

Following an IT systems audit, management agreed to implement a specific control in one of the IT systems. After a period, the internal auditor followed up and learned that management had not implemented the agreed management action due to the decision to move to another IT system that has built-in controls, which may address this risks highlighted by the Internal audit Which of the following Is the most appropriate action to address the outstanding audit recommendation?

AThe auditor examines the system documentation of the new system to verify that the risk has been addressed in the new system, then reports to senior management the closure of the issue.

BThe auditor accepts managements explanation that the previously identified issue is adequately addressed by the new IT system, as management understands the concern and is most knowledgeable about the new system, and closes the outstanding issue.

CThe auditor advises management that replacing the IT system does not dismiss the prior obligation to implement the agreed action plan, and escalates the issue to senior management and the board.

DThe auditor requires management to provide details regarding the process for selecting the new IT system and whether other systems were evaluated, and closure of the issue would depend on the new information provided.

Show Suggested Answer

Suggested Answer: A

Verification of Controls: The auditor should verify that the new IT system addresses the previously identified risks. This involves reviewing the system documentation and ensuring that the controls in the new system effectively mitigate the risks.

Reporting: Once the auditor has confirmed that the new system controls address the risks, they can report to senior management and close the outstanding issue, ensuring that all audit recommendations are appropriately resolved.

Other Options:

Accepting Management's Explanation: Without verification (option B) is not appropriate as it may leave risks unmitigated.

Escalating Without Verification: Advising management and escalating (option C) is premature if the new system may already address the issues.

Detailed Process Evaluation: Requiring additional details about the process (option D) may be unnecessary if the auditor can verify the controls directly.

by Adelaide at Dec 06, 2024, 02:21 PM

Limited Time Offer

25%

Off

Get Premium IIA-CHAL-QISA Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

1 months ago

Option B seems reasonable to me. If the new system really does address the risk, then the auditor should trust management's judgment and close the issue.

upvoted 0 times

Alaine

19 days ago

But what if the new system doesn't actually address the risk? Shouldn't the auditor verify that first?

upvoted 0 times

...

Wilbert

24 days ago

I agree with you, option B does seem like a reasonable approach.

upvoted 0 times

...

Gilma

1 months ago

I agree with Carlota, management should not dismiss the prior obligation.

upvoted 0 times

...

2 months ago

I think option C is the most appropriate action.

upvoted 0 times

...