Certified Information Systems Auditor (CISA) — Question 560

Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

Answer options

• A. Audit cycle defined in the audit plan
• B. Recommendation from executive management
• C. Residual risk from the findings of previous audits
• D. Complexity of management's action plans

Correct answer: C

Explanation

The correct answer, C, emphasizes the importance of addressing residual risk from prior audits, ensuring that the most significant issues are managed first. Options A and B may influence audit schedules but do not directly relate to risk prioritization. Option D, while relevant, does not address the inherent risks that necessitate follow-up audits.