Comprehensive and Detailed Explanation (from the EC-Council CCISO documentation):
According to the EC-Council CCISO Body of Knowledge, auditors are responsible for identifying and reporting governance, risk, and control weaknesses, not for implementing operational fixes. The scenario described is a segregation of duties (SoD) violation: a security analyst, whose role is to monitor and review activity, is also performing senior server administrator duties on a recurring basis, so the same person both generates and reviews the administrative activity.
CCISO documentation emphasizes that segregation of duties is a foundational internal control designed to prevent fraud, abuse, and unauthorized activity. When one individual holds both monitoring and administrative authority, the organization faces an elevated risk of malicious or accidental actions going undetected, because the person who could cause them is the same person expected to catch them. This is considered a material risk requiring executive awareness.
The CCISO framework states that once such a risk is identified, the auditor’s proper course of action is to formally report the risk to senior management. Executive leadership is accountable for risk acceptance, remediation prioritization, and allocation of resources. Auditors must remain independent and should not direct operational activities such as log reviews or monitoring changes.
Options A, C, and D represent management or operational actions, which fall outside the auditor’s role. CCISO guidance clearly distinguishes between risk identification and risk treatment responsibilities.
Therefore, per CCISO principles, the auditor should inform senior management of the risk, making option B the correct answer.