312-50V11 · Question #746
During the security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?
The correct answer is D. Identify and evaluate existing practices. When documented security procedures are absent, an IS auditor must first identify and evaluate existing informal practices to accurately assess the control environment before drawing conclusions.
Question
During the security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?
Options
- ACreate a procedures document
- BTerminate the audit
- CConduct compliance testing
- DIdentify and evaluate existing practices
How the community answered
(55 responses)- A7% (4)
- B15% (8)
- C4% (2)
- D75% (41)
Why each option
When documented security procedures are absent, an IS auditor must first identify and evaluate existing informal practices to accurately assess the control environment before drawing conclusions.
Developing procedures is a management responsibility, not an auditor's role - the auditor assesses and reports rather than implements controls.
Terminating the audit is not warranted by the absence of documentation alone, as the audit scope includes assessing informal or ad hoc practices.
Compliance testing requires existing documented standards to test against, making it inapplicable when no documented procedures exist.
An IS auditor's primary responsibility is to gather evidence about the actual state of controls, which includes identifying undocumented but operational practices that management may rely on. Evaluating these existing practices allows the auditor to assess their effectiveness and determine the true risk exposure, producing accurate findings. Skipping this step would lead to incomplete and potentially misleading audit conclusions.
Concept tested: IS auditor response to missing security documentation
Source: https://www.isaca.org/resources/isaca-journal/past-issues/2011/audit-procedures-and-documentation
Topics
Community Discussion
No community discussion yet for this question.