Certified Information Systems Auditor (CISA) — Question 447

Which of the following BEST indicates the effectiveness of an organization's risk management program?

Answer options

• A. Residual risk is minimized.
• B. Inherent risk is eliminated.
• C. Control risk is minimized.
• D. Overall risk is quantified.

Correct answer: A

Explanation

The correct answer, A, indicates that minimizing residual risk demonstrates the effectiveness of a risk management program, as it reflects the risks that remain after controls are applied. Options B and C are incorrect because inherent risk cannot be completely eliminated and minimizing control risk does not necessarily reflect overall program effectiveness. Option D is also misleading as quantifying overall risk doesn't directly indicate how effectively risks are managed.