Certified Information Systems Auditor (CISA) — Question 645
Which of the following is necessary for effective risk management in IT governance?
Answer options
- A. Local managers are solely responsible for risk evaluation.
- B. Risk management strategy is approved by the audit committee.
- C. Risk evaluation is embedded in management processes.
- D. IT risk management is separate from corporate risk management.
Correct answer: C
Explanation
The correct answer, C, highlights that embedding risk evaluation in management processes ensures risks are continuously assessed and managed throughout the organization rather than reviewed only as a one-off exercise. Option A is incorrect because risk evaluation should involve multiple levels of management, not just local managers. Option B, while important, does not directly address the integration of risk evaluation into day-to-day processes. Option D is wrong because it suggests a disconnect between IT risk and corporate risk that can hinder effective risk management.