The CISA Review Manual emphasizes that exceeding an organization's risk appetite is a critical governance issue. If a project's risk surpasses the defined tolerance, it indicates a failure to adhere to the enterprise's risk management framework, exposing the organization to unacceptable exposures. While qualitative business value (Option B) may lack quantification, it is not inherently a control failure. However, risk exceeding appetite directly violates governance principles, as highlighted in the study guide: "Projects must align with the organization’s risk appetite. Exceeding it creates strategic and operational vulnerabilities."
If the risk level of the project surpasses the organization's defined risk appetite, it indicates a potential misalignment with the organization's ability to tolerate and manage risk effectively. This could lead to significant financial, operational, reputational, or compliance-related consequences. IS auditors prioritize ensuring that risks are managed within acceptable levels.
upvoted 1 times
46080f2
1 month, 1 week ago
Cisagroup
1 month, 3 weeks ago