Certified Information Systems Auditor (CISA) — Question 49
During a project meeting for the implementation of an enterprise resource planning (ERP), a new requirement is requested by the finance department. Which of the following would BEST indicate to an IS auditor that the resulting risk to the project has been assessed?
Answer options
- A. The project status as reported in the meeting minutes
- B. The analysis of the cost and time impact of the requirement
- C. The updated business requirements
- D. The approval of the change by the finance department
Correct answer: B
Explanation
The correct answer is B because analyzing the cost and time impact of a new requirement helps assess potential risks associated with the project. The other options do not directly indicate a risk assessment; for instance, meeting minutes (A) only capture discussions, updated business requirements (C) reflect changes, and approval (D) does not imply risk evaluation.