Certified Information Systems Auditor (CISA) — Question 1183

Management has decided to accept a risk in response to a draft audit recommendation. Which of the following should be the IS auditor's NEXT course of action?

Answer options

• A. Perform additional test procedures.
• B. Escalate acceptance to the audit committee.
• C. Document management's acceptance in the audit report.
• D. Ensure a follow-up audit is on next year’s plan.

Correct answer: C

Explanation

The correct answer is C because it is essential for the IS auditor to document management's acceptance of the risk in the audit report for transparency and future reference. Performing additional tests (A) or escalating to the audit committee (B) is unnecessary since the risk is already accepted. Ensuring a follow-up audit (D) is important, but it is not the immediate next step after acceptance.