Certified in Risk and Information Systems Control (CRISC) — Question 1372

Which of the following activities should only be performed by the third line of defense?

Answer options

• A. Operating controls for risk mitigation
• B. Testing the effectiveness and efficiency of internal controls
• C. Providing assurance on risk management processes
• D. Recommending risk treatment options

Correct answer: C

Explanation

The correct answer, C, is appropriate because providing assurance on risk management processes is a key responsibility of the third line of defense, which typically consists of internal auditors. Options A, B, and D are activities that can be performed by the first and second lines of defense, such as risk management and control implementation.