CISA Certified Information Systems Auditor – Question0311

During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor’s BEST course of action?

A. Adjust the annual risk assessment accordingly.
B. Require the auditee to address the recommendations in full.
C. Evaluate senior management’s acceptance of the risk.
D. Update the audit program based on management’s acceptance of risk.

Correct Answer: C