An organization has recently implemented a Voice-over IP (VoIP) communication system. Which of the following should be the IS auditor's PRIMARY concern?
Correct Answer: A
The IS auditor's primary concern when an organization has recently implemented a Voice-over IP (VoIP) communication system is a single point of failure for both voice and data communications. VoIP is a technology that allows voice communication over IP networks such as the internet. VoIP can offer benefits such as lower costs, higher flexibility, and better integration with other applications. However, VoIP also introduces risks such as dependency on network availability, performance, and security. If both voice and data communications share the same network infrastructure and devices, then a single point of failure can affect both services simultaneously and cause significant disruption to business operations. Therefore, the IS auditor should evaluate the availability and redundancy of the network components and devices that support VoIP communication. The other options are not as critical as a single point of failure for both voice and data communications, as they do not pose a direct threat to business continuity. References: CISA Review Manual, 27th Edition, page 385
CISA Exam Question 122
Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?
Correct Answer: C
The best source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy is the local privacy standards and regulations. Privacy standards and regulations are legal requirements that specify how personal data should be collected, processed, stored, shared, and disposed of by organizations. By using local privacy standards and regulations as a baseline, the IS auditor can ensure that the organization's privacy policy complies with the applicable laws and protects the rights and interests of data subjects. Historical privacy breaches and related root causes, globally accepted privacy best practices, and benchmark studies of similar organizations are useful sources of information for improving an organization's privacy policy, but they are not as authoritative and relevant as local privacy standards and regulations. References: CISA Review Manual (Digital Version): Chapter 2 - Governance and Management of Information Technology
CISA Exam Question 123
Which of the following job scheduling schemes for operating system updates is MOST likely to adequately balance protection of workstations with user requirements?
Correct Answer: C
CISA Exam Question 124
A bank has a combination of corporate customer accounts (higher monetary value) and small business accounts (lower monetary value) as part of online banking. Which of the following is the BEST sampling approach for an IS auditor to use for these accounts?
Correct Answer: B
Stratified mean per unit sampling is a method of audit sampling that divides the population into subgroups (strata) based on some characteristic, such as monetary value, and then selects a sample from each stratum using mean per unit sampling. Mean per unit sampling is a method of audit sampling that estimates the total value of a population by multiplying the average value of the sample items by the number of items in the population. Stratified mean per unit sampling is suitable for populations that have a high variability or a skewed distribution, such as the bank accounts in this question. By stratifying the population, the auditor can reduce the sampling error and increase the precision of the estimate. Difference estimation sampling (option A) is not the best sampling approach for these accounts. Difference estimation sampling is a method of audit sampling that estimates the total error or misstatement in a population by multiplying the average difference between the book value and the audited value of the sample items by the number of items in the population. Difference estimation sampling is suitable for populations that have a low variability and a symmetrical distribution, which is not the case for the bank accounts in this question. Customer unit sampling (option C) is not a sampling approach, but a type of monetary unit sampling. Monetary unit sampling is a method of audit sampling that selects sample items based on their monetary value, rather than their physical units. Customer unit sampling is a variation of monetary unit sampling that treats each customer account as a single unit, regardless of how many transactions or balances it contains. Customer unit sampling may be appropriate for testing existence or occurrence assertions, but not for estimating total values. Unstratified mean per unit sampling (option D) is not the best sampling approach for these accounts. 
Unstratified mean per unit sampling is a method of audit sampling that applies mean per unit sampling to the entire population without dividing it into subgroups. Unstratified mean per unit sampling may result in a larger sample size and a lower precision than stratified mean per unit sampling, especially for populations that have a high variability or a skewed distribution, such as the bank accounts in this question. Therefore, option B is the correct answer. References: Audit Sampling - AICPA; Audit Sampling: Examples and Guidance To The Sampling Methods; Audit Sampling | Audit | Financial Audit - Scribd
CISA Exam Question 125
When auditing IT organizational structure, which of the following findings presents the GREATEST risk to an organization?
Correct Answer: A
High employee turnover (A) poses the greatest risk because it leads to knowledge loss, operational disruptions, and potential security risks from departing employees. A constantly changing workforce can also impact compliance, training, and overall IT stability. Other options: Lack of customer satisfaction surveys (B) is a business issue but not a critical IT risk. Aging staff (C) may be a long-term risk but does not have an immediate impact. Frequent software upgrades (D) can be beneficial if managed correctly. Reference: ISACA CISA Review Manual, IT Governance and Management of IT