What action is inappropriate for an IS auditor when a control deficiency is identified?

When a control deficiency is identified, it is inappropriate for an IS auditor to assume that the IT manager will resolve the deficiency without further action. It is the responsibility of the IS auditor to ensure that the deficiency is adequately addressed. This includes documenting the issue, assessing its potential impact, and ensuring that it is reported to management. By merely assuming that an IT manager will take the necessary steps, the auditor is not fulfilling their duty to provide a thorough evaluation of the controls in place.

The role of the IS auditor involves not just identifying deficiencies but actively communicating them to the relevant stakeholders. This ensures accountability and encourages timely remediation. Including the deficiency in the final report highlights the issue formally and makes it clear to management that action is needed. Continuously testing application controls can help assess the effectiveness of remediation efforts, and recommending solutions offers further guidance to the IT manager on how to address the identified issues. Thus, proactive engagement is essential in the auditing process for effective risk management.