CISA Exam Question: IS Auditor's Response to CEO's ERP System Access

Mitigating Risks of CEO's Full Access to the Enterprise Resource Planning (ERP) System


Question

An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system.

The IS auditor should FIRST:


Answer: D. document the finding as a potential risk.

Explanation:

Segregation of duties is a key control principle: no single person should be able to initiate, approve, record and review a business process end to end. The same principle applies to information systems. An ERP system carries the organization's financial, procurement, payroll and inventory transactions, so an account with full access to it can create, approve and post transactions and alter master data without any second pair of eyes.

The CEO may have a legitimate business need to see information in the ERP system, but reporting needs are met by read-only access, not by full transactional and administrative rights. Full access held by one individual, however senior, removes the preventive control that segregation of duties provides and creates a risk of unauthorized or inappropriate actions, whether deliberate, accidental, or carried out by someone who compromises the CEO's credentials. Senior executives are also a common target for credential theft, which makes an over-privileged executive account a high-impact one.

The question asks what the IS auditor should do FIRST. An observation of this kind is an audit finding, so the first step is to record it as a potential risk: note the access actually held, the business justification offered, and any compensating controls (for example, logging and independent review of the CEO's ERP activity). This ensures management is made aware of the risk and can act on it, and it gives the auditor a documented basis for the further analysis needed to assess the extent of the risk and the adequacy of the controls in place.

Option A is not appropriate. Accepting the level of access because of the CEO's position, without analysis or documentation, means a genuine risk to the control environment is overlooked or ignored; seniority is not a compensating control.

Option B is premature. Recommending that the access be removed before establishing the business need, the compensating controls, and the extent of the risk puts the remedy ahead of the assessment. It may well become the auditor's recommendation once the risk has been properly evaluated, but it is not the first step.

Option C is not appropriate. Full access to the ERP system by any single individual is potentially material to the review of the system's controls, so the observation must be recorded rather than dismissed.