The Importance of Audit Committee Review in IT Risk Assessment

D.

The best justification for the audits selected by an audit committee reviewing an annual IT risk assessment would be D) Underlying business risks.

Explanation:

Risk assessment is a process of identifying and analyzing potential events that could negatively affect the achievement of an organization's objectives. In the case of IT risk assessment, it involves identifying and evaluating potential risks related to the use of technology that could negatively impact the achievement of the organization's objectives.

When conducting an IT risk assessment, it is essential to consider the underlying business risks that could be impacted by IT risks. This is because IT risks are often closely related to business risks. For example, if an organization relies heavily on an e-commerce website to generate revenue, the website's downtime due to a cyber-attack could negatively impact the organization's revenue and customer satisfaction.

Therefore, by selecting audits based on underlying business risks, the audit committee can ensure that the organization's most critical risks are being assessed and evaluated. This approach can help the organization prioritize its resources and focus on addressing the most significant risks first.

On the other hand, A) Likelihood of an IT process failure, B) Key IT general process controls, and C) Applications impacted are all important factors to consider when conducting an IT risk assessment, but they are more focused on the technical aspects of IT risks rather than the business impact. Therefore, while these factors may be relevant to the audit committee's decision-making process, they are not the best justification for the audits selected.