When developing a risk-based audit strategy, an IS auditor conduct a risk assessment to ensure that:
A . controls needed to mitigate risks are in place.
B . vulnerabilities and threats are identified.
C . audit risks are considered.
D . a gap analysis is appropriate.
Answer: B
Explanation:
In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.
Leave a Reply