Certified Information Systems Auditor (CISA) — Question 490
During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed because management has decided to accept the risk. Which of the following is the IS auditor's BEST course of action?
Answer options
- A. Adjust the annual risk assessment accordingly.
- B. Require the auditee to address the recommendations in full.
- C. Evaluate senior management's acceptance of the risk.
- D. Update the audit program based on management's acceptance of risk.
Correct answer: C
Explanation
The correct answer is C because the IS auditor must understand and evaluate the rationale behind senior management's decision to accept the risk; that evaluation is critical for future audits. Options A and D do not address the need to assess management's understanding of the risk, and option B is not feasible once management has already decided to accept it.