ISACA CISA: Auditing Third-Party Access as a Critical Control for Identity and Access Management

Learn why testing controls for third-party access is crucial in identity and access management audits and how IS auditors should address its exclusion from audit plans.

Question

During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor’s BEST course of action?

A. Add testing of third-party access controls to the scope of the audit.
B. Plan to test these controls in another audit.
C. Determine whether the risk has been identified in the planning documents.
D. Escalate the deficiency to audit management.

Answer

C. Determine whether the risk has been identified in the planning documents.

Explanation

Before escalating or modifying the audit plan, the IS auditor should first understand why third-party access controls were excluded. The risk associated with third-party access may have already been identified and assessed during the planning phase, with a conscious decision made to exclude it due to factors like low risk or planned coverage in another audit.
