Certified Information Systems Auditor (CISA) — Question 107

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Answer options

• A. Present the issue to executive management.
• B. Report the disagreement to the board.
• C. Accept management's decision and continue the follow-up.
• D. Report the issue to IS audit management.

Correct answer: D

Explanation

The correct answer is D because the IS auditor should escalate the concern to IS audit management to ensure that the risk acceptance is documented and addressed appropriately. Options A and B involve escalating the issue to higher management rather than the appropriate audit management, which may not be the right channel for this specific concern. Option C is incorrect as it implies acceptance of the decision without further action, which goes against the auditor's responsibility to ensure risk is managed properly.