An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
A. Organizational responsibility for IT risk management is not clearly defined.
B. IT risk training records are not properly retained in accordance with established schedules.
C. None of the members of the IT risk management team have risk management-related certifications.
D. Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.
A. Organizational responsibility for IT risk management is not clearly defined.
B. IT risk training records are not properly retained in accordance with established schedules.
C. None of the members of the IT risk management team have risk management-related certifications.
D. Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.