Certified Information Systems Auditor (CISA) — Question 223

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Answer options

Correct answer: C

Explanation

The project sponsor is accountable for the project's success, which includes realizing the expected benefits, so the sponsor is accountable for managing risks that threaten those benefits. The project manager is responsible for day-to-day execution and may carry out the risk responses, but it is the sponsor who has the authority to allocate resources, accept or reject risk, and make key decisions about risk management. The information security officer and the enterprise risk manager play supporting roles (advising on and monitoring risk) but are not accountable for managing project-specific risks.