Exam CISA topic 1 question 94 discussion

IS audit management may provide guidance, but executive management has the authority to review and validate the risk acceptance decision. Executive management has the authority and accountability for risk management decisions within the organization. By presenting the issue to executive management, the IS auditor ensures that the concern is properly reviewed at a higher level and that management's decision is transparent and well-informed.

Ask our auditors’ boss first

the question doesn't say it is internal or external auditing. Therefore, I think A is the best answer if I was the external auditor and the management doesn't want to resolve the findings and the residual risk is profound. Communicating with the executive management who has the authority over the management is the wat to go.

why not A?

D. Report the issue to IS audit management. When an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation and has concerns about this decision, the next course of action should be to report the issue to IS audit management (Option D). IS audit management can provide guidance on how to proceed, which may include discussing the concern with executive management or considering further steps to address the issue appropriately. It's important to follow internal reporting procedures and seek guidance from higher levels within the audit function before escalating the matter externally.

I would go with C since the management have a risk appetite.

D is the Answer , the Auditor has to put it in his report first

Why isn’t C?