ISACA Exam Questions

Well-written risk assessment guidelines for IS auditing should specify which of the following
elements at the least (choose all that apply):

A. A maximum length for audit cycles.

B. The timing of risk assessments.

C. Documentation requirements.

D. Guidelines for handling special cases.

E. None of the choices.

Explanation:
Well-written risk assessment guidelines should specify a maximum length for audit cycles based on
the risk scores and the timing of risk assessments for each department or activity. There should be
documentation requirements to support scoring decisions. There should also be guidelines for
overriding risk assessments in special cases and the circumstances under which they can be
overridden.