Assessing IT risks is BEST achieved by:

A.
evaluating threats associated with existing IT assets and IT projects.

B.
using the firm’s past actual loss experience to determine current exposure.

C.
reviewing published loss statistics from comparable organizations.

D.
reviewing IT control weaknesses identified in audit reports.

Explanation:
To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative
risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk
assessment process, but by themselves are not sufficient.Basing an assessment on past losses
will not adequately reflect inevitable changes to the firm’s IT assets, projects, controls and strategic
environment. There are also likely to be problems with the scope and quality of the loss data
available to beassessed. Comparable organizations will have differences in their IT assets, control
environment and strategic circumstances. Therefore, their loss experience cannot be used to
directly assess organizational IT risk. Control weaknesses identified during audits will be relevant
in assessing threat exposure and further analysis may be needed to assess threat probability.
Depending on the scope of the audit coverage, it is possible that not all of the critical IT assets and
projects will have recently been audited, and there may not be a sufficient assessment of strategic
IT risks.