Exam CISA All Questions
Question 686

During an audit of an organization's risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?

    Correct Answer: C

    If the business environment has not significantly changed since the risk acceptances were approved, the risks identified and assessed previously are likely still valid and relevant. This minimizes the associated impact of not renewing the risk acceptances in a timely manner, as the original risk context would still apply.

Discussion
Jag127 (Option: C)

You should check whether there are changes to the business environment, then check whether the compensating controls are still effective.

RS66 (Option: C)

C. The business environment has not significantly changed since the risk acceptances were approved.

a84n (Option: D)

Answer D. Option D emphasizes that the risk acceptances were previously reviewed and approved by appropriate senior management. This suggests that the risks were assessed and accepted at a higher level of authority, providing a level of assurance that the risks were understood and acknowledged by the organization's leadership. Therefore, in this context, Option D represents a more significant mitigating factor.