When an IS auditor finds unapproved IT policies that are being followed, what should they do first?

Prepare for the CISA Domain 2 Exam. Use flashcards and multiple-choice questions with hints and explanations to get exam ready!

The most appropriate action when an IS auditor discovers unapproved IT policies being followed is to report the absence of documented approval. This first step is crucial because it ensures that the issue is formally recognized and documented within the audit findings.

Documenting the absence of approval alerts management to a significant risk in governance, compliance, and control frameworks. It allows for a thorough evaluation of the situation, providing management with the necessary information to make informed decisions regarding the policies in use. Proper reporting also establishes a record that can aid in further actions taken to rectify the issue or implement a corrective action plan.

Following this, other actions such as recommending management approval or emphasizing the importance of policy approval can occur, but it is essential to start with a clear, documented report to raise awareness and establish a pathway for resolution. This method aligns with best practices in audit procedures by focusing on accountability and the importance of adherence to established policies.
