What should an IS auditor do if they find an inadequate outsourced monitoring process and management disagrees?

When an IS auditor finds an inadequate outsourced monitoring process and faces disagreement from management, the appropriate course of action is to document the identified finding in the audit report. This approach maintains the integrity of the audit process and ensures that all relevant issues are clearly communicated, regardless of management's stance.

By documenting the finding, the auditor provides a formal record of the discrepancy between the current monitoring process and the expectations for effective risk management. This documentation serves several key purposes: it allows for accountability, creates a reference for future audits, and helps ensure that the potential risks associated with inadequate monitoring are understood by stakeholders.

Furthermore, documenting the finding does not imply agreement or disagreement with management; rather, it reflects the auditor's responsibility to report objectively on the effectiveness of controls. Thus, the audit report can continue to serve as a valuable tool for governance, providing insights that may influence future decision-making and improvements in the monitoring process. This approach aligns with the principles of transparency and due diligence that underpin effective auditing practices.