The IT program manager does not see the value of conducting risk assessments for a new major IT project. The manager is reluctant to cooperate with internal auditors and the newly formed steering committee. Midway through the project, program requirements were changed because the CEO is a friend of a vendor and wants to implement this vendor’s new technology. This decision will cause the current IT program budget to be insufficient and will be shown as overspending, After the requirement change request, the
A. report the matter to internal audit as a program deviation to be reviewed
B. obtain confirmation from the business and a decision by the steering committee
C. align IT with the business and agree to the business request
D. request additional funding from the business owner to cover the additional scope