CISA Certified Information Systems Auditor – Question0091

An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective actions have not been taken and that the associated risk has been accepted by senior management. If the auditor disagrees with management’s decision, what is the BEST way to address the situation?

A. Repeat the audit with audit scope only covering areas with accepted risks
B. Report the issue to the chief audit executive for resolution
C. Recommend new corrective actions to mitigate the accepted risk
D. Take no action since management’s decision has been made

Correct Answer: B