CISA Certified Information Systems Auditor – Question0637

When the inherent risk of a business activity is lower than the acceptable risk level, the BEST course of action would be to:

A.
implement controls to mitigate the risk.
B. report compliance to management.
C. review the residual risk level.
D. monitor for business changes.

Correct Answer: C