What should an IS auditor do first if they find that some IT policies lack management approval?

Prepare for the CISA Domain 5 Exam with our quizzes. Engage with flashcards, multiple-choice questions, detailed hints, and explanations. Boost your confidence and get ready to succeed!

When an IS auditor discovers that certain IT policies do not have management approval, the appropriate first action is to document and report this absence of approval. Reporting the lack of documented approval is essential for several reasons. First, it highlights a potential governance issue that may undermine the effectiveness and legitimacy of the policies. Policies that lack management backing could result in confusion among staff about their authority and applicability, thus impacting compliance and enforcement.

By documenting and reporting this issue, the auditor ensures that it enters the formal audit trail, which can prompt necessary discussions about policy governance and risk management within the organization. It aids in holding management accountable for recognizing and addressing the gaps in governance that the absence of approval signifies.

Subsequent steps, such as recommending immediate management approval or emphasizing the importance of approval, become more relevant only after reporting the issue. Thus, reporting the absence of documented approval is a critical first step in maintaining the integrity of the organization's auditing processes and policy frameworks.
