Certified in Risk and Information Systems Control (CRISC) — Question 1126
Which of the following is the BEST criterion to determine whether a control environment is effective?
Answer options
- A. The controls increase the organization's tolerance for risk.
- B. The controls increase the projected amount of loss the organization would incur.
- C. The controls reduce the likelihood of realizing the associated risk scenario.
- D. The controls transfer the associated risk to a third party.
Correct answer: C
Explanation
Option C is correct because effective controls should lower the probability of a risk event occurring. Options A and B are incorrect as increasing risk tolerance or projected losses does not signify effectiveness. Option D is also incorrect because transferring risk does not necessarily reflect the control environment's effectiveness; it merely shifts responsibility.