Certified Information Systems Auditor (CISA) — Question 236
What would be the PRIMARY reason for an IS auditor to recommend using key risk indicators (KRIs)?
Answer options
- A. To keep the risk register updated
- B. To eliminate unnecessary risk
- C. To determine whether risk is changing
- D. To align resources with the greatest risk
Correct answer: C
Explanation
The correct answer is C because key risk indicators are specifically used to monitor and assess changes in risk levels. Options A and D, while related to risk management, do not directly reflect the purpose of KRIs. Option B is misleading, as KRIs do not aim to eliminate risk but rather to understand and manage it effectively.