The auditor's next action after finding that there is an informal unwritten set of standards in the IS department is to document and test compliance with the informal standards. This is because the auditor's role is to evaluate the adequacy and effectiveness of the existing controls, regardless of whether they are formal or informal, written or unwritten. The auditor should also assess the risks and implications of having informal standards, such as lack of consistency, accountability, or traceability. The auditor should not make recommendations, postpone the audit, or finalize the audit without performing the audit procedures.
References:
* CISA Review Manual (Digital Version), Chapter 2, Section 2.21
* CISA Online Review Course, Domain 1, Module 1, Lesson 12

The answer D is correct because the greatest concern for an IS auditor with the situation of business owners being removed from the project initiation phase is that the requirements may be incomplete. The project initiation phase is the first step in starting a new project, where the project's purpose, scope, objectives, and deliverables are defined and documented. The project initiation phase also involves identifying and engaging the key stakeholders who have an interest or influence in the project, such as sponsors, customers, users, or business owners.
Business owners are the individuals or entities who have the authority and responsibility to define the business needs and expectations for the project. They are also the primary beneficiaries of the project outcomes and benefits. Business owners play a crucial role in the project initiation phase, as they provide valuable input and feedback on the requirements and specifications of the project. Requirements are the statements that describe what the project should accomplish or deliver to meet the business needs and expectations. Requirements are essential for guiding the project planning, execution, monitoring, and closure phases.
If business owners are removed from the project initiation phase, it can result in incomplete or inaccurate requirements, which can have negative impacts on the project's quality, scope, time, cost, and risk. Some of the possible consequences of incomplete requirements are:
* Misalignment: The project may not align with the business strategy, vision, or goals, which can reduce its value or relevance.
* Confusion: The project team may not have a clear understanding of what the project should achieve or deliver, which can affect their performance or productivity.
* Rework: The project may need to undergo frequent changes or revisions to accommodate new or modified requirements, which can increase the time and cost of the project.
* Dissatisfaction: The project may not meet the expectations or satisfaction of the business owners or other stakeholders, which can affect their acceptance or support of the project.
* Failure: The project may not deliver the expected outcomes or benefits, which can affect its success or viability.
Therefore, an IS auditor should be concerned about the involvement and participation of business owners in the project initiation phase, as it affects the completeness and quality of requirements. An IS auditor should review the policies and procedures for stakeholder identification and engagement, verify that the business owners have adequate knowledge and skills to define their requirements, and test that the requirements are well-defined, documented, approved, and communicated.
References:
* Project Initiation: The First Step to Project Management [2023] * Asana
* Everything you need to know about the project initiation phase
* Project Initiation Phase - The Business Professor
* Project Initiation: A Guide to Starting a Project Right Way - Kissflow