After identifying audit findings, what should the IS auditor do FIRST?

The first step an IS auditor should take after identifying audit findings is to gain agreement on the findings. Ensuring that all relevant stakeholders acknowledge and understand the findings is critical to facilitate meaningful discussions about the next steps. This step ensures that there is a shared understanding of the issues raised and fosters an environment where constructive solutions can be developed.

Agreement on the findings serves as the foundation for the subsequent actions, such as determining mitigation measures, communicating with senior management, and establishing remediation deadlines. Without this consensus, any efforts to address the identified issues may be met with resistance or lack of commitment, which could diminish the effectiveness of the auditing process. Thus, gaining agreement is essential for ensuring that everyone involved is on the same page and ready to work collaboratively towards resolving the audit findings.