Which of the following factors should an IS auditor primarily consider when determining the acceptable level of risk?
A. Risk acceptance is the responsibility of senior management.
B. All risks do not need to be eliminated for a business to be profitable.
C. Risks must be identified and documented in order to perform proper analysis on them.
D. Line management should be involved in the risk analysis because management sees risks daily that others would not recognize.
C. Risks must be identified and documented in order to perform proper analysis on them.
Though all factors are relevant, the primary consideration should be documentation of identified risk. In order to manage and control a risk, it must first be recognized as a risk. Only after documentation are the other factors to be considered.