An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST: 

Answer options:

A. accept the level of access provided as appropriate
B. recommend that the privilege be removed
C. ignore the observation as not being material to the review
D. document the finding as a potential risk

D