Well-written risk assessment guidelines for IS auditing should specify which of the following
elements at the least (choose all that apply):

A.
A maximum length for audit cycles.

B.
The timing of risk assessments.

C.
Documentation requirements.

D.
Guidelines for handling special cases.

E.
None of the choices.

Explanation:

A well-written risk assessment guidelines should specify a maximum length for audit cycles based
on the risk scores and the timing of risk assessments for each department or activity. There should
be documentation requirements to
support scoring decisions. There should also be guidelines for overriding risk assessments in
special cases and the circumstances under which they can be overridden.