Best Basis for Selecting Audits

B.

The BEST basis for selecting the audits to be performed when determining which IS audits to conduct during the upcoming year, given that internal audit has received a request from management for multiple audits of the contract division due to fraud findings during the prior year, is option A, which is to select audits based on an organizational risk assessment.

An organizational risk assessment is a comprehensive and systematic process for identifying, analyzing, and prioritizing risks to the organization's assets, operations, and objectives. It involves assessing the likelihood and potential impact of risks, identifying the controls in place to mitigate or prevent risks, and evaluating the effectiveness of those controls. Based on the results of the risk assessment, the audit plan can be developed, which identifies the audits to be performed and the frequency of those audits.

In this case, fraud findings in the contract division suggest that there is a higher risk of fraud occurring in that area. However, this does not necessarily mean that multiple audits of the contract division are the best use of the internal audit resources. The risk assessment process can help identify the areas of the organization with the highest risk of fraud, as well as the other risks that could impact the achievement of the organization's objectives. The audit plan can then be developed based on the identified risks, including the prioritization of audits based on the level of risk.

Selecting audits based on collusion risk (option B) may be relevant in some cases but is not as comprehensive as selecting audits based on a risk assessment. Collusion risk may be relevant if there are multiple individuals involved in the fraud, but it does not necessarily provide a comprehensive view of all the risks facing the organization.

Selecting audits based on the skill sets of the IS auditors (option C) is not the best basis for selecting audits because it does not consider the risks facing the organization. While it is important to consider the skills of the IS auditors, the selection of audits should be driven by the risks facing the organization rather than the skills of the auditors.

Selecting audits based on management's suggestion (option D) is not the best basis for selecting audits because it does not consider the risks facing the organization. While management may have identified fraud in the contract division, this does not necessarily mean that multiple audits of the contract division are the best use of the internal audit resources. A risk assessment process is a more comprehensive approach to identifying the audits to be performed.