Certified Information Systems Auditor (CISA) — Question 692

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

Answer options

• A. Outsource low-risk audits to external audit service providers.
• B. Challenge the risk rating and include the low-risk entities in the plan.
• C. Conduct limited-scope audits of low-risk business entities.
• D. Validate the low-risk entity ratings and apply professional judgment.

Correct answer: D

Explanation

The correct answer, D, emphasizes the importance of validating the risk assessments and applying professional judgment, ensuring that all potential risks are appropriately considered. Options A and C may overlook the need for thorough assessment, and B could lead to unnecessary audits without proper justification.