Assessing IT risks is BEST achieved by:

A.
evaluating threats associated with existing IT assets and IT projects.

B.
using the firm’s past actual loss experience to determine current exposure.

C.
reviewing published loss statistics from comparable organizations.

D.
reviewing IT control weaknesses identified in audit reports.

Explanation:
To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative
risk assessment approaches. Choices B, C and D are potentially useful inputs to the risk assessment
process, but by themselves are not sufficient.Basing an assessment on past losses will not
adequately reflect inevitable changes to the firm’s IT assets, projects, controls and strategic
environment. There are also likely to be problems with the scope and quality of the loss data
available to beassessed . Comparable organizations will have differences in their IT assets, control
environment and strategic circumstances. Therefore, their loss experience cannot be used to directly
assess organizational IT risk. Control weaknesses identified during audits will be relevant in assessing
threat exposure and further analysis may be needed to assess threat probability. Depending on the
scope of the audit coverage, it is possible that not all of the critical IT assets and projects will have
recently been audited, and there may not be a sufficient assessment of strategic IT risks.