Well-written risk assessment guidelines for IS auditing should specify which of the following elements at the
least (choose all that apply):

A.
A maximum length for audit cycles.

B.
The timing of risk assessments.

C.
Documentation requirements.

D.
Guidelines for handling special cases.

E.
None of the choices.

Explanation:
A well-written risk assessment guidelines should specify a maximum length for audit cycles based on the risk
scores and the timing of risk assessments for each department or activity. There should be documentation
requirements to support scoring decisions. There should also be guidelines for overriding risk assessments in
special cases and the circumstances under which they can be overridden.