What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

A. Senior management’s request
B. Prior year’s audit findings
C. Organizational risk assessment
D. Previous audit coverage and scope

Answer: C

Explanation:

The primary basis for selecting which IS audits to perform in the coming year is the organizational risk assessment. An organizational risk assessment is a formal process for identifying, evaluating, and controlling risks that may affect the achievement of the organization’s goals and objectives. It can help IS auditors prioritize and plan their audit activities based on the level of risk exposure and impact of each area or process within the organization, and it can also help them align their audit objectives and criteria with the organization’s strategy and performance indicators.

Senior management’s request, prior year’s audit findings, and previous audit coverage and scope are also possible bases for selecting which IS audits to perform in the coming year, but they are secondary to the organizational risk assessment. They are supplementary sources of information that can help IS auditors refine or adjust their audit plan based on specific needs or issues identified by management or previous audits. However, these factors may not reflect the current or emerging risks that may affect the organization’s operations or performance.

References: ISACA CISA Review Manual 27th Edition, page 295
