CISA Certified Information Systems Auditor – Question0062

An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:

A.
accept the level of access provided as appropriate
B. recommend that the privilege be removed
C. ignore the observation as not being material to the review
D. document the finding as a potential risk

Correct Answer: D