nerdexam
EC-Council

312-50V11 · Question #746

During the security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?

The correct answer is D. Identify and evaluate existing practices. When documented security procedures are absent, an IS auditor must first identify and evaluate existing informal practices to accurately assess the control environment before drawing conclusions.

Information Security and Ethical Hacking Fundamentals

Question

During the security audit of IT processes, an IS auditor found that there were no documented security procedures. What should the IS auditor do?

Options

  • ACreate a procedures document
  • BTerminate the audit
  • CConduct compliance testing
  • DIdentify and evaluate existing practices

How the community answered

(55 responses)
  • A
    7% (4)
  • B
    15% (8)
  • C
    4% (2)
  • D
    75% (41)

Why each option

When documented security procedures are absent, an IS auditor must first identify and evaluate existing informal practices to accurately assess the control environment before drawing conclusions.

ACreate a procedures document

Developing procedures is a management responsibility, not an auditor's role - the auditor assesses and reports rather than implements controls.

BTerminate the audit

Terminating the audit is not warranted by the absence of documentation alone, as the audit scope includes assessing informal or ad hoc practices.

CConduct compliance testing

Compliance testing requires existing documented standards to test against, making it inapplicable when no documented procedures exist.

DIdentify and evaluate existing practicesCorrect

An IS auditor's primary responsibility is to gather evidence about the actual state of controls, which includes identifying undocumented but operational practices that management may rely on. Evaluating these existing practices allows the auditor to assess their effectiveness and determine the true risk exposure, producing accurate findings. Skipping this step would lead to incomplete and potentially misleading audit conclusions.

Concept tested: IS auditor response to missing security documentation

Source: https://www.isaca.org/resources/isaca-journal/past-issues/2011/audit-procedures-and-documentation

Topics

#IS auditing#security procedures#compliance#risk assessment

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice