Certified in Risk and Information Systems Control (CRISC) — Question 1393

An organization is implementing a project to automate the purchasing process, including the modification of approval controls. Which of the following tasks is the responsibility of the risk practitioner?

Answer options

• A. Test approval process controls once the project is completed.
• B. Update the existing controls for changes in approval processes from this project.
• C. Perform a gap analysis of the impacted control processes.
• D. Verify that existing controls continue to properly mitigate defined risk.

Correct answer: C

Explanation

The correct answer is C, as the risk practitioner is responsible for identifying any gaps in the control processes that may arise from the changes in the approval system. Option A is incorrect because testing controls is typically done after implementation, not during the project. Option B is not the primary responsibility of the risk practitioner, as that task often falls to project managers. Option D is also incorrect as verifying existing controls is part of an ongoing process rather than a specific task related to the project changes.