When penetration test results are inconclusive before the implementation of a web-based system, what is the best approach for the IS auditor?


Opting to publish a report with the available information and to highlight the identified weaknesses serves several important purposes in the context of an inconclusive penetration test for a web-based system.

Firstly, transparency is critical in IT governance and risk management. By documenting and sharing the findings, even if they are not definitive, the auditor provides stakeholders with valuable insights into potential vulnerabilities that could affect the web-based system. This ensures that everyone involved is aware of the risks that may still need to be addressed.

Furthermore, highlighting weaknesses can help guide decision-making. Stakeholders can evaluate whether they are willing to accept the identified risks and implement additional controls, or whether they need to take further action, such as re-evaluating the implementation plan or allocating resources for remediation efforts.

Additionally, this approach encourages a proactive mindset towards security. It sends a message that while the penetration test results may not provide a clear path forward, vigilance in identifying and addressing security concerns is vital.

Delaying implementation until clear results are obtained may lead to unnecessary project delays, and ignoring the tests entirely could expose the organization to significant risks. Conducting additional tests immediately could also be impractical without a thorough assessment of which further tests are actually needed. Thus, documenting and communicating the existing weaknesses is the most pragmatic choice.
