Free ISACA CISA Actual Exam Questions - Question 9 Discussion
the following would provide the MOST useful information about risk appetite?
Good point on D, but I think A is stronger since risk policies formally document the organization's risk appetite, making them the primary source. Management views can be subjective or change often. So A.
B imo, risk assessments reveal how risk appetite is applied, showing practical limits.
It’s D because management assertions reflect the leadership’s real view on risk appetite, which might differ from written policies. They show the actual risk tolerance mindset at the top.
I’m thinking risk assessments (B) might show how risk appetite is applied in practice, not just documented. Policies say what should be done, but assessments reveal actual risk-taking behavior. Does that make sense?
A vs D? Risk policies usually outline the organization’s risk appetite clearly, setting boundaries on acceptable risks. Management assertions might be more subjective or biased, so they’re less reliable. I think A makes more sense for getting a solid grasp on risk appetite before diving into the audit.