Certified Information Systems Auditor (CISA) — Question 720

An IS auditor is executing a risk-based IS audit strategy to ensure that key areas are audited. Which of the following should be of GREATEST concern to the auditor?

Answer options

• A. The risk assessment database does not include a complete audit universe.
• B. The risk assessment methodology does not permit the collection of financial audit data.
• C. The risk assessment methodology relies on subjective audit judgments at certain points of the process.
• D. The risk assessment approach has not been approved by the risk manager.

Correct answer: A

Explanation

The greatest concern for the auditor is that the risk assessment database lacks a complete audit universe, as this could lead to significant areas being overlooked. While the other options present issues, they do not directly compromise the comprehensive coverage of the audit universe, which is critical for a thorough risk assessment.