CISA Certified Information Systems Auditor – Question 2095

After assessing risk, the decision to treat the risk should be based PRIMARILY on:

A. whether the level of risk exceeds risk appetite
B. availability of financial resources
C. whether the level of risk exceeds inherent risk
D. the criticality of the risk

Correct Answer: D