A risk register is a document that is used as a risk management tool to identify and track risks that may affect a project or an organization1. A risk register should be updated regularly to reflect the current status and changes of the risks, as well as the actions taken to mitigate or resolve them2. The most comprehensive information for updating a risk register would come from the results of the latest risk assessment, which is a process that involves identifying, analyzing, and evaluating the risks and their potential impacts3. A risk assessment provides a detailed and systematic overview of the risks, theirsources, causes, likelihood, severity, and consequences, as well as the existing and planned controls andresponses4. A risk assessment also helps to prioritize the risks based on their level of exposure and urgency, and to align them with the organization’s risk appetite and tolerance5. Therefore, the results of the latest risk assessment would provide the most relevant and complete information for updating a risk register and ensuring that it reflects the current risk profile and situation of the project or the organization. Results of a risk forecasting analysis are not the most comprehensive information for updating a risk register, as they do not provide a complete picture of the risks and their impacts. A risk forecasting analysis is a technique that uses historical data, trends, and scenarios to estimate the potential outcomes and impacts of future events that may affect the organization’s objectives and performance6. A risk forecasting analysis can help to anticipate and prepare for the risks, but it does not provide specific information on the sources, causes, likelihood, severity, and consequences of the risks, nor the existing and planned controls and responses. A review ofcompliance regulations is not the most comprehensive information for updating a risk register, as it does not cover all the aspects and dimensions of risk management. A review of compliance regulations is a process that involves checking and verifying that the organization’s activities, processes, and systems are in accordance with the applicable laws, rules, and standards7. A review of compliance regulations can help to identify and mitigate the risks related to legal or regulatory violations, but it does not provide specific information on the other types and sources of risks, such as operational, strategic, financial, or reputational risks, nor the existing and planned controls and responses. Findings of the most recent audit are not the most comprehensive information for updating a risk register, as they do not provide a current and holistic view of the risks and their impacts. An audit is an independent examination and evaluation of the organization’s activities, processes, and systems, to provide assurance and advice on their adequacy and effectiveness. An audit can help to identify and report the issues or gaps in the organization’s risk management, but it does not provide specific information on the current status and changes of the risks, nor the existing and planned controls and responses. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.