Certified Information Systems Auditor Practice Exam 2025 - Free CISA Practice Questions and Study Guide

When an auditor suspects that data has been tampered with, the most appropriate action is to preserve evidence and conduct a thorough investigation. This course of action is critical for several reasons.

First, preserving evidence is essential because it maintains the integrity of the data in question. Tampering can compromise the reliability of the information, and without a proper preservation process, it could be lost or altered further. This integrity is vital for any future analysis or investigation.

Second, conducting a thorough investigation allows the auditor to gather all relevant facts and assess the situation in detail. This includes understanding how the tampering occurred, identifying the potential impact on the organization's operations, and determining whether any policies or controls failed. An investigation should involve examining logs, checking access controls, and interviewing personnel as appropriate to obtain a clear picture of the situation.

While reporting the suspicion to management could be important later, doing so without an initial investigation may lead to a rush to conclusions without fully understanding the extent and nature of the tampering. Analyzing the data without any inquiries could result in drawing wrong conclusions based on potentially corrupt or unreliable data. Ignoring the issue entirely would halt any chance of addressing potential threats to data integrity and security, which is contrary to the auditor's responsibilities.

In summary