During an audit, an IS auditor notices that the IT department of a medium-sized organization has
no separate risk management function, and the organization’s operational risk documentation only
contains a few broadly described IT risks. What is the MOST appropriate recommendation in this
situation?

A.
Create an IT risk management department and establish an IT risk framework with the aid of
external risk management experts.

B.
Use common industry standard aids to divide the existing risk documentation into several
individual risks which will be easier to handle.

C.
No recommendation is necessary since the current approach is appropriate for a medium-sized
organization.

D.
Establish regular IT risk management meetings to identify and assess risks, and create a
mitigation plan as input to the organization’s risk management.

Explanation:

Establishing regular meetings is the best way to identify and assess risks in a medium-sized
organization, to address responsibilities to the respective management and to keep the risk list
and mitigation plans up to date. A medium-sized organizationwould normally not have a separate
IT risk management department. Moreover, the risks are usually manageable enough so that
external help would not be needed. While common risks may be covered by common industry
standards, they cannot address the specific situation of an organization. Individual risks will not be
discovered without a detailed assessment from within the organization. Splitting the one risk
position into several is not sufficient.