What should an IS auditor do upon discovering a major control deficiency during an audit?

When an IS auditor discovers a major control deficiency during an audit, it is crucial to include the deficiency in the final audit report. Documenting the control deficiency ensures that stakeholders are made aware of the risks associated with the control weakness, allowing them to take appropriate remedial action. By reporting the deficiency, the auditor fulfills their responsibility of providing an accurate assessment of the internal controls, which is a vital component of the audit process.

Including the deficiency in the final audit report allows organizations to understand the implications and prioritize the necessary improvements. It also contributes to transparency and accountability within the organization, facilitating better risk management practices. Such reporting adheres to auditing standards that emphasize the importance of communicating significant findings to management and the board of directors or audit committee.

The other options do not align with the expected actions of an auditor once a significant control deficiency is identified. Continuing to test controls without addressing the deficiency misses the opportunity to inform management of the risks. Completing the audit without reporting the issue would compromise the integrity and usefulness of the audit findings. Ceasing all audit activity until the deficiency is resolved would halt the audit process unnecessarily, delaying critical oversight and potentially allowing risks to persist without mitigation.