If an IS auditor is assigned to audit a business continuity plan they helped design, what should they primarily do?

When an IS auditor is assigned to audit a business continuity plan (BCP) that they were involved in designing, it is important to address potential conflicts of interest upfront. The primary responsibility in this situation is to communicate the conflict of interest to audit management. This step ensures that the independence and objectivity of the audit process are maintained.

Informing audit management about the conflict allows for proper decisions to be made regarding how to handle the audit assignment. This could lead to reassignment to another auditor, oversight by a different party, or the establishment of additional safeguards to ensure objectivity. Acknowledging the conflict at the outset is crucial for preserving the integrity of the audit process and fostering trust among stakeholders.

Declining the assignment may also seem like an appropriate response, but it does not facilitate any discussion or resolution of the matter within the organization. Informing management of the conflict after the audit is already conducted would be too late to mitigate any potential biases. Communicating directly with the BCP team is not the most appropriate course of action, as the auditor's primary responsibility is to the audit management and ensuring the audit's integrity rather than managing conflicts with the team they worked alongside.