Certified Information Systems Auditor (CISA) — Question 1164
IT management has accepted the risk associated with an IS auditor's finding due to the cost and complexity of the corrective actions. Which of the following should be the auditor's NEXT course of action?
Answer options
- A. Perform a cost-benefit analysis.
- B. Document and inform the audit committee.
- C. Report the finding to external regulators.
- D. Notify senior management.
Correct answer: B
Explanation
The correct answer is B because, once management has accepted the risk, the auditor's responsibility is to document the finding and the acceptance decision and inform the audit committee, so that the residual risk is visible and recognized at a higher level of governance. Performing a cost-benefit analysis (A) is management's task and not the auditor's immediate next step, while reporting to external regulators (C) and notifying senior management (D) may not be necessary unless the issue escalates.