December 9, 2021 by Admin
An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
- Organizational responsibility for IT risk management is not clearly defined.
- IT risk training records are not properly retained in accordance with established schedules.
- None of the members of the IT risk management team have risk management-related certifications.
- Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.