Question 33
Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report, which course of action is MOST relevant?
Correct answer: A
Explanation
When an approved audit plan cannot be fully completed because of resource constraints, the auditor should prioritize the areas with the greatest risk. This follows the audit principle of focusing limited effort on “high-risk areas” so the report still addresses the most significant exposures and limitations are clearly communicated.
Why each option is right or wrong
A. Focusing on auditing high-risk areas
Under IIA Standard 2010.A1, the internal audit activity’s plan must be based on a documented risk assessment, and Standard 1220.A1 requires due professional care by applying the care and skill expected of a reasonably prudent auditor. With the approved plan no longer fully achievable because of resource limits, the defensible response is to reallocate the remaining audit effort to the areas with the highest inherent and residual risk so the most significant exposures are still covered and the scope limitation is transparently disclosed in the report.
B. Testing the adequacy of cloud controls design
C. Relying on management testing of cloud controls
D. Testing the operational effectiveness of cloud controls