Certified in Risk and Information Systems Control (CRISC) — Question 1324

What should a risk practitioner do FIRST when an assessment reveals a control is not operating as intended?

Answer options

• A. Determine the root cause of the control issue.
• B. Recommend updates to the control procedures.
• C. Discuss the status with the control owner.
• D. Recommend compensating controls.

Correct answer: A

Explanation

The correct answer is A because identifying the root cause of the control issue is essential for understanding why the control is ineffective. Without this understanding, recommending updates or compensating controls (options B, D) or discussing the status (option C) may not address the underlying problem.