A manager of a project was not able to implement all audit recommendations by the target date.
The IS auditor should:
recommend that the project be halted until the issues are resolved.
recommend that compensating controls be implemented.
evaluate risks associated with the unresolved issues.
recommend that the project manager reallocate test resources to resolve the issues.
It is important to evaluate what the exposure would be when audit recommendations have not been
completed by the target date. Based on the evaluation, management can accordingly consider
compensating controls, risk acceptance, etc. All other choicesmight be appropriate only after the
risks have been assessed.