Certified Information Systems Auditor (CISA) — Question 1227
IT management has not implemented action plans for a previous audit report finding and has decided to accept the associated risk. Which of the following is the auditor's BEST course of action?
Answer options
- A. Document noncompliance with the agreed-upon plan.
- B. Validate compliance with the risk acceptance process.
- C. Update the enterprise risk register to reflect the observation.
- D. Check for implementation of compensating controls.
Correct answer: B
Explanation
The auditor's best course of action is to validate compliance with the risk acceptance process, confirming that management's decision to accept the risk was made in accordance with established procedures (for example, at the appropriate authority level and with the risk formally documented). Documenting noncompliance does not address the fact that the risk has been accepted, and updating the risk register or checking for compensating controls is not the immediate priority once management has accepted the risk.