Who should accept the risk for an unsupported critical application?
IT says a legacy application cannot be replaced quickly. Can the system administrator simply accept the risk and move on?
Risk acceptance should be made by the appropriate management level, not by internal audit and usually not by the lowest-level technical owner alone. The right approver depends on business criticality, risk appetite, policy, regulatory exposure, and potential impact.
For a critical production application, a sound acceptance record usually identifies:
- business owner,
- IT or security owner,
- risk description,
- affected asset and process,
- compensating controls,
- residual risk rating,
- exception expiry date,
- monitoring requirements,
- remediation owner, and
- escalation path to senior management or the board when material.
Internal audit's role is to evaluate whether that process exists and whether the acceptance is supported by evidence. The auditor should not approve the risk on management's behalf.
If the system is critical and unsupported, and no formal owner accepts residual risk, the finding can be framed as a governance gap: management has not made an explicit, authorized decision about a known cybersecurity and operational exposure.
Master Governance and Risk Management with our CIA Course
45 lessons · 90+ hours· Expert instruction
Related Questions
What should an auditor do if a supervisor weakens a supported finding?
How should auditors prepare for a technical exit meeting?
When should audit quality concerns be escalated beyond the engagement team?
How does business knowledge affect internal audit quality?
Where should an auditor begin a full-company internal control audit?
Join the Discussion
Ask questions and get expert answers.