An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited. Which of the following should be of GREATEST concern to the auditor?
An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited. Which of the following should be of GREATEST concern to the auditor?
A risk-based IS audit strategy aims to focus audit efforts on the most significant and high-risk areas. The absence of a complete audit universe in the risk assessment database can lead to significant gaps in the audit coverage, potentially missing critical areas of risk. This would undermine the effectiveness of the risk-based audit strategy, making it the greatest concern for the IS auditor. The completeness and accuracy of the audit universe are fundamental to ensuring all relevant areas are considered and assessed for risk.
I think is A. Let me mark some word from CRM: "Evaluation of the risk factors should be based on objective criteria, although subjectivity cannot be completely avoided."
This is because subjective judgments can lead to inconsistencies and inaccuracies in the risk assessment process, which can result in the auditor overlooking key areas that need to be audited
Subjective risk judgment is part of the risk assessment, it's the perceived chance of something bad based on a person's opinion, emotions, gut feeling, or intuition. It is not a mathematical review of the situation, but rather a quick assessment based on a person's feelings at the time.
Answer A
C. The risk assessment methodology relies on subjective audit judgments at certain points of the process.