Certified in Risk and Information Systems Control (CRISC) — Question 1027
An organization requires a third-party attestation report annually from all service providers. One service provider is unable to provide the required report due to recent changes in ownership. Which of the following is the BEST course of action for the risk practitioner?
Answer options
- A. Verify that an exception has been approved.
- B. Implement additional controls to mitigate the risk.
- C. Approve an exception for the report and document associated controls.
- D. Execute an independent review of the service provider.
Correct answer: D
Explanation
The best action is to execute an independent review of the service provider, which lets the organization assess the risk left by the missing attestation report following the change in ownership. This approach ensures that the organization maintains oversight and can identify any potential issues without relying solely on the provider's claims. The other options either do not address the immediate risk effectively or assume that exceptions can be managed without proper evaluation.