Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?
A. Established criteria exist for accepting and approving risk.
B. Identified risk is reported into the organization’s risk committee.
C. Potential impact and likelihood is adequately documented.
D. A communication plan exists for informing parties impacted by the risk.
A. Established criteria exist for accepting and approving risk.
B. Identified risk is reported into the organization’s risk committee.
C. Potential impact and likelihood is adequately documented.
D. A communication plan exists for informing parties impacted by the risk.