CISA Certified Information Systems Auditor – Question2591

Establishing the level of acceptable risk is the responsibility of:

A. quality assurance management.
B. senior business management.
C. the chief information officer.
D. the chief security officer.

Correct Answer: B

Explanation:

Senior management should establish the acceptable risk level, since they have the ultimate or final responsibility for the effective and efficient operation of the organization. Choices A, C and D should act as advisors to senior management in determining an acceptable risk level.