What should an IS auditor do if penetration test results are inconclusive prior to implementation of a critical system?


When a penetration test performed before the implementation of a critical system returns inconclusive results, the most appropriate action for an IS auditor is to report the weaknesses that were identified and recommend follow-up testing. An inconclusive test is not evidence that the system is secure; it means the security posture has not yet been established, and that uncertainty is itself a finding that must be communicated rather than treated as a pass.

Reporting the weaknesses already found ensures that management and other stakeholders are aware of the known vulnerabilities and the residual uncertainty before they decide whether to go live, so the implementation decision is an informed, documented acceptance of risk rather than an assumption. It also establishes accountability and prompts mitigation before deployment. Recommending follow-up testing, scoped to resolve the questions the first test left open, closes the evidence gap and supports ongoing assessment of the system's security controls.

Given the consequences of implementing a critical system whose security posture is not understood, this approach prioritizes security and aligns with accepted risk management and governance practice: the auditor reports the facts as found, does not suppress or overstate the results, and leaves the go-live decision and its risk acceptance with management.
