CISA QUESTION #6868
Question 1
An auditor reviews an organization's risk register and finds that all identified risks are rated as 'Medium' with no High or Low ratings. What does this MOST likely indicate?
  • Appropriate risk profile
  • Risk assessment lacks meaningful differentiation and cannot guide risk management priorities ✔️
  • Balanced risk management
  • Effective risk mitigation
Correct Answer Explanation
A risk register where all risks are rated identically provides no useful prioritization. Risk assessment must meaningfully differentiate severity to guide resource allocation and management attention. When everything is 'medium,' management cannot determine what requires immediate attention versus what can be accepted or addressed later.