Certified Information Systems Auditor (CISA) — Question 1211

IS audit management reviewed the audit work done for a system implementation and determined that the weaknesses responsible for a major issue were not in the audit scope. Which type of audit risk was MOST likely overlooked when planning the audit?

Answer options

• A. Statistical sampling risk
• B. Detection risk
• C. Control risk
• D. Inherent risk

Correct answer: D

Explanation

Inherent risk refers to the susceptibility of an account balance or class of transactions to misstatement, before considering any related controls. Since the weaknesses were not included in the audit scope, it indicates that the inherent risk associated with those weaknesses was not adequately considered. The other options, such as detection risk and control risk, relate to the effectiveness of the audit process itself, rather than the underlying risks present in the system implementation.