Certified Information Systems Auditor (CISA) — Question 170
During an audit of an organization's risk management practices, an IS auditor finds that several documented IT risk acceptances were not renewed promptly after their assigned expiration dates. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?
Answer options
- A. There are documented compensating controls over the business processes.
- B. The risk acceptances with issues reflect a small percentage of the total population.
- C. The business environment has not significantly changed since the risk acceptances were approved.
- D. The risk acceptances were previously reviewed and approved by appropriate senior management.
Correct answer: C
Explanation
The correct answer is C because, if the business environment has remained stable, the conditions under which each risk was originally assessed and accepted still hold, so the expired acceptances most likely still reflect a manageable level of risk. Options A and D indicate that controls or management oversight existed at the time of approval, but neither addresses whether the accepted risks remain relevant in an environment that may have changed. Option B suggests a smaller overall impact, but the size of the affected population provides no assurance about the adequacy of the controls in place for the expired acceptances.