When performing follow-up work, the first step for an auditor-especially one not previously involved in the engagement-is to review the prior audit report, findings, and management's agreed response/action plan.
This provides context on what needs to be validated before collecting new evidence.
Interviewing management (Option A), requesting documentation (Option B), or performing walkthroughs (Option D) are important steps, but they come only after the auditor has reviewed the original findings and corrective commitments.
Reference:
IIA Standards - Standard 2500: Monitoring Progress.

According to IIA Standards, if senior management accepts a risk that the CAE believes may be unacceptable, the CAE must judge whether the risk is indeed acceptable and, if not, escalate the matter to the board. This ensures that governance bodies are aware of significant exposures. Reporting directly to external stakeholders (Option A) is not internal audit's role. Option B alone is insufficient if the risk is significant. Option D applies only when management's acceptance aligns with tolerance.
Reference:
IIA Standards - Standard 2600: Communicating the Acceptance of Risks.

Preventing security breaches requires proactive security controls, and the approval of identity requests ensures that only authorized individuals gain access to systems and data.
* Types of Security Controls:
* Preventive Controls (Stop security incidents before they happen)
* Detective Controls (Identify security breaches after they occur)
* Corrective Controls (Address security issues after detection)
* Why Identity Request Approval is the Most Effective Preventive Control?
* User access approval ensures that only verified personnel receive credentials.
* According to IIA GTAG on Identity and Access Management, user provisioning must follow strict approval workflows to prevent unauthorized access.
* By restricting access before a breach occurs, organizations reduce risks related to insider threats, phishing attacks, and credential misuse.
* Why Not Other Options?
* B. Access Logging:
* Access logs record activity but do not prevent security breaches.
* C. Monitoring Privileged Accounts:
* Monitoring privileged accounts helps detect suspicious activity but does not stop unauthorized access beforehand.
* D. Audit of Access Rights:
* Regular audits ensure compliance but do not actively prevent unauthorized access in real- time.
* IIA GTAG - Identity and Access Management
* IIA Standard 2120 - Risk Management and IT Controls
* COBIT 2019 - Access Control and Security Management
Step-by-Step Justification:IIA References:Thus, the correct and verified answer is A. Approval of identity request.

Reliance on external auditors' work is possible if the CAE has sufficient access to review their programs and workpapers to evaluate the scope, quality, and results. This ensures internal audit can confirm the appropriateness of relying on their work.
Option B is not required-external and internal audit can use different methodologies. Options C and D represent governance involvement but do not substitute for CAE's independent evaluation of audit work.
Reference:
IIA Standards - Standard 2050: Coordination and Reliance.

Malware Defense as a Cybersecurity Monitoring Activity:
Malware defense refers to the use of antivirus software, endpoint detection and response (EDR), behavior analysis, and real-time monitoring to detect and block malicious code before it can be installed on an organization's systems.
It helps prevent infections from viruses, ransomware, spyware, trojans, and worms that can disrupt business operations.
IIA GTAG (Global Technology Audit Guide) on Cybersecurity states that monitoring tools should proactively detect and neutralize threats before they can execute malicious actions.
A). Boundary defense (Incorrect)
Boundary defense includes firewalls, intrusion detection/prevention systems (IDS/IPS), and network segmentation, which control external access but do not directly monitor and remove malware.
Malware can still enter through phishing emails, infected USB drives, or compromised internal systems.
C). Penetration tests (Incorrect)
Penetration tests simulate attacks to identify vulnerabilities, but they do not actively monitor and prevent malware from being installed.
They help improve security but are not a continuous monitoring activity.
D). Wireless access controls (Incorrect)
Wireless security helps prevent unauthorized network access, but it does not specifically monitor and block malware installation.
Malware can still spread via legitimate access points, infected devices, or phishing attacks.
Explanation of Answer Choice B (Correct Answer):Explanation of Incorrect Answers:Conclusion:To deter disruptive codes (malware) from being installed, organizations should implement continuous malware defense (Option B), including antivirus software, endpoint security, and behavioral analytics.
IIA References:
IIA GTAG - Cybersecurity
IIA Standard 2120 - Risk Management