Certified Information Systems Auditor (CISA) — Question 782
Which of the following audit findings should be given the HIGHEST priority?
Answer options
- A. IT key risk indicators (KRIs) are calculated internally by the IT team.
- B. The organization's IT investment exceeds industry benchmarks.
- C. IT key risk indicators (KRIs) are not periodically reviewed.
- D. The board’s agenda does not include the progress of IT projects.
Correct answer: C
Explanation
The correct answer is C: when IT key risk indicators (KRIs) are not periodically reviewed, vulnerabilities and risks can go unaddressed and may significantly impact the organization. Options A and B, while important, do not affect the risk management process as directly or as critically as option C. Option D is also relevant, but it pertains more to governance than to immediate risk assessment.