An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor’s NEXT course of action?
A. Inform senior management of the change in approach.
B. Conduct a risk analysis incorporating the change.
C. Report results of the follow-up to the audit committee.
D. Evaluate the appropriateness of the remedial action taken.