Certified Information Systems Auditor (CISA) — Question 1316

An IS audit reveals an organization has decided not to implement a new regulation by the required deadline because the cost of rapid implementation is higher than the penalty for noncompliance. Which of the following is the auditor’s BEST course of action?

Answer options

• A. Ensure a gap analysis is conducted
• B. Ensure regulatory reporting is completed
• C. Ensure the risk register is updated
• D. Ensure risk acceptance is documented

Correct answer: D

Explanation

The correct answer is D because documenting risk acceptance is crucial when an organization decides to accept the risks associated with noncompliance. This ensures that the decision is formally acknowledged and that the organization is aware of the potential consequences. The other options focus on compliance activities rather than addressing the organization's choice to accept the risk.