Information System Auditing Process - Planning

In a risk-based approach to audit resource allocation, prioritizing areas with high impact on business objectives and high risk exposure is the most appropriate strategy.

A risk-based approach fundamentally focuses on addressing the highest risks to an organization first. Areas that have both high potential impact on business objectives and high risk exposure represent the greatest potential threats to an organization, making them the logical priority for audit resources.

The option about sophisticated technology is incorrect because complexity alone doesn't necessarily indicate high risk - some simple systems may carry greater risk depending on what they process.

The option about standard rotation cycles (auditing areas not reviewed in three years) follows a time-based rather than risk-based approach, which doesn't align with the question's premise.

The option about management concerns may be part of risk consideration, but isn't necessarily the most appropriate basis in a structured risk-based approach. Management concerns might be subjective and miss objective risk factors that proper risk assessment would identify.

Preventive controls are safeguards implemented in advance to eliminate or reduce the likelihood of errors, fraud, or unauthorized actions. By acting before an event can take place, they proactively protect the confidentiality, integrity, and availability of information systems, whereas detective and corrective controls operate after an event has occurred.

Compensating controls are alternative controls that serve as safeguards when primary controls are inadequate, missing, or not feasible to implement. They're specifically designed to offset known weaknesses in a system or process.

The correct answer states that compensating controls 'provide alternatives when primary controls are inadequate,' which precisely captures their purpose and function in information security.

The second option describes preventive controls, which are proactively built into systems to stop errors or security breaches before they occur.

The third option describes real-time detective controls, which monitor systems continuously and identify issues as they happen, rather than providing alternative control mechanisms.

The fourth option describes controls selected based on cost-benefit analysis, which is a methodology for choosing controls rather than a description of what compensating controls actually are. While compensating controls might be implemented following a cost-benefit analysis, this doesn't define their fundamental purpose.