When planning a follow-up, the IS auditor is informed by operational management that recent organizational...

When operational management informs the IS auditor that recent organizational changes have addressed previously identified risks and implementing the action plan is no longer necessary, the IS auditor should accept management’s assertion and report that the risks have been addressed. However, it is essential to document this communication and ensure that there is evidence supporting management’s claim. If there are any doubts or concerns, further investigation may be necessary. The auditor should not assume new risks without proper assessment or evidence1. References: 1(https://www.isaca.org/resources/isaca-journal/issues/2016/volume-6/enhancing-the-audit-follow-up-process-using-cobit-5)