When reviewing management’s IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
A. Propose mitigating controls
B. Assess management’s risk tolerance
C. Recommend management accept the low risk scenarios
D. Re-evaluate the risk scenarios associated with the control
A. Propose mitigating controls
B. Assess management’s risk tolerance
C. Recommend management accept the low risk scenarios
D. Re-evaluate the risk scenarios associated with the control