Certified Information Systems Auditor (CISA) — Question 1234

Which of the following should be an IS auditor's PRIMARY focus when developing a risk-based IS audit program?

Answer options

• A. Business processes
• B. Business plans
• C. Portfolio management
• D. IT strategic plans

Correct answer: A

Explanation

The primary focus of an IS auditor should be on business processes because they are integral to understanding the risks associated with information systems. While business plans, portfolio management, and IT strategic plans are important, they do not directly address the operational risks that may arise within the business processes themselves.