Certified Information Systems Auditor (CISA) — Question 988

An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about risk appetite?

Answer options

• A. Prior audit reports
• B. Risk policies
• C. Management assertion
• D. Risk assessments

Correct answer: B

Explanation

The correct answer is B, as risk policies explicitly define the organization's risk appetite and tolerance levels. Prior audit reports (A) may provide historical context but not specific insights into current risk appetite. Management assertions (C) and risk assessments (D) are important, but they do not directly detail the organization's accepted levels of risk.