Certified Information Systems Auditor (CISA) — Question 248

Which of the following provides the MOST comprehensive information about inherent risk within an organization?

Answer options

• A. Vulnerability analysis
• B. Risk assessments
• C. Risk-based audit findings
• D. Business impact analysis (BIA)

Correct answer: B

Explanation

Risk assessments are designed to systematically identify and evaluate risks, providing a detailed understanding of inherent risks in an organization. In contrast, vulnerability analysis focuses on weaknesses, risk-based audit findings pertain to past audits, and business impact analysis assesses potential impacts but does not directly measure inherent risk.