Learn the best course of action for an IS auditor who discovers paid invoices for IT devices not listed in the organization’s inventory during an asset management audit follow-up.
Table of Contents
Question
While conducting a follow-up on an asset management audit, the IS auditor finds paid invoices for IT devices not recorded in the organization’s inventory. Which of the following is the auditor’s BEST course of action?
A. Alert both audit and operations management about the discrepancy.
B. Ask the asset management staff where the devices are.
C. Make a note of the evidence to include it in the scope of a future audit.
D. Ignore the invoices since they are not part of the follow-up.
Answer
A. Alert both audit and operations management about the discrepancy.
Explanation
The BEST course of action for the IS auditor in this situation is to alert both audit and operations management about the discrepancy between the paid invoices and the organization’s IT device inventory records.
As an IS auditor, it’s critical to investigate and report on any inconsistencies or irregularities discovered during an audit or follow-up. Finding paid invoices for IT devices that are not properly recorded in the inventory indicates a failure in the organization’s asset management processes and internal controls. This discrepancy could be due to various factors such as:
- Assets being purchased without following proper procurement procedures
- Inadequate record-keeping and updating of the inventory management system
- Potential fraud or misappropriation of company resources
By promptly alerting both audit and operations management, the IS auditor ensures that:
- Management becomes aware of the issue and can take appropriate corrective actions
- The discrepancy is investigated thoroughly to determine the root cause and extent of the problem
- Necessary steps are taken to strengthen internal controls and prevent similar issues from recurring in the future
Simply asking the asset management staff about the devices’ whereabouts (Option B) or making a note to include it in a future audit (Option C) does not address the immediate concern or ensure timely resolution. Ignoring the invoices altogether (Option D) would be a failure of the auditor’s responsibility to report significant findings.
In summary, alerting both audit and operations management is the most appropriate and proactive response for the IS auditor to address the discovered discrepancy, ensure a proper investigation, and ultimately strengthen the organization’s asset management processes and internal controls.
ISACA CISA certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the ISACA CISA exam and earn ISACA CISA certification.