Question 207:
An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor's NEXT course of action?
Answer options:
A. Obtain a verbal confirmation from IT for this exemption.
B. Review the list of end-users and evaluate for authorization.
C. Verify management's approval for this exemption.
D. Report this control process weakness to senior management.