Watch this video on YouTube
What should an IS auditor review first when evaluating management's risk assessment of information systems?