The best answer is C. Interview relevant stakeholders in the business.
ISACA guidance on risk-based audit planning emphasizes understanding the business context, identifying risk themes, and engaging stakeholders to determine what matters most. One ISACA example describes interviewing hundreds of leaders to identify risk themes for audit planning. Stakeholder interviews give the auditor a direct view of business objectives, current risks, process changes, emerging concerns, and management priorities across the enterprise.
Option A. Review peer benchmarking results can provide context, but benchmarking does not reveal the organization’s own risk drivers.
Option B. Review open issues from recent audit reports is useful input, but it is backward-looking and incomplete by itself.
Option D. Conduct a risk survey with the CIO is too narrow because risk-based audit planning should reflect the broader business, not only the CIO’s perspective.
Therefore, C is the correct answer because interviewing relevant business stakeholders is the best way to identify the key areas that should shape a risk-based audit plan.
References (Official ISACA):
ISACA Journal, Transforming the IT Audit Function—Taking the Digital Journey.
ISACA Journal, IS Audit Basics: Risk-based Audit Planning for Beginners.
ISACA Journal, Business Skills for the IT Audit and Assurance Professional.
ISACA, The Future of Cybersecurity Assessments Is Here — includes stakeholder interviews as part of risk assessment.
