If an IS auditor notices high residual risk due to confidentiality requirements, what type of risk is normally high?


In the context of risk management, when an IS auditor identifies high residual risk related to confidentiality, this typically points to concerns surrounding inherent risk. Inherent risk is the level of risk that exists before any controls are applied. It reflects the likelihood of a risk materialising given the nature of the environment, processes, or systems, and it is typically high when sensitive data is involved, such as personally identifiable information (PII) or protected health information (PHI).

High inherent risk indicates that there are significant vulnerabilities or threats in the system that could lead to breaches of confidentiality. For example, if confidential data is highly valuable or subject to regulations, the inherent risk becomes more pronounced because of the potential consequences of a data breach.

When the controls that are in place do not adequately mitigate these risks, the result is high residual risk, which is the risk remaining after all controls have been applied. In this scenario, the presence of high residual risk suggests that, despite existing controls, the risks associated with maintaining the confidentiality of data are still significant, usually due to the inherent complexities and threats related to handling sensitive information.
