When conducting a follow-up of previous audit findings, an IS auditor is told by management that a recommendation to make security changes to an application has not been implemented. The IS auditor should FIRST determine whether:
A. additional time to implement changes is needed.
B. the associated risk is still relevant.
C. the recommendation should be re-issued.
D. the issue should be escalated.
A. additional time to implement changes is needed.
B. the associated risk is still relevant.
C. the recommendation should be re-issued.
D. the issue should be escalated.