CISA Certified Information Systems Auditor – Question0182

Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

A.
Identify aggregate residual IT risk for each business line.
B. Obtain a complete listing of the entity’s IT processes.
C. Obtain a complete listing of assets fundamental to the entity’s businesses.
D. Identify key control objectives for each business line’s core processes.

Correct Answer: D