Certified Information Systems Auditor (CISA) — Question 546
What is the PRIMARY reason to adopt a risk-based IS audit strategy?
Answer options
- A. To achieve synergy between audit and other risk management functions
- B. To reduce the time and effort needed to perform a full audit cycle
- C. To prioritize available resources and focus on areas with significant risk
- D. To identify key threats, risks, and controls for the organization
Correct answer: C
Explanation
The correct answer, C, emphasizes the need to allocate resources effectively by focusing on areas that present the most significant risks. Option A, while important, does not capture the essence of prioritization based on risk. Option B is less relevant because the goal of a risk-based strategy is not merely efficiency. Option D, although it involves identifying risks, does not directly address the allocation of resources based on risk assessment.