Certified Information Systems Auditor (CISA) — Question 1347
Following an IS audit, which of the following types of risk would be MOST critical to communicate to key stakeholders?
Answer options
- A. Control
- B. Inherent
- C. Audit
- D. Residual
Correct answer: D
Explanation
Residual risk is the risk that remains after controls have been applied, which makes it vital for stakeholders to be aware of any potential vulnerabilities. Control risk pertains to the effectiveness of existing controls, inherent risk is the risk present without any controls, and audit risk is the risk that an audit will fail to detect issues. All three are secondary to the remaining risk that stakeholders must manage.