Certified in Risk and Information Systems Control (CRISC) — Question 203

Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Answer options

• A. Review vendors' performance metrics on quality and delivery of processes.
• B. Review vendors' internal risk assessments covering key risk and controls.
• C. Obtain independent control reports from high-risk vendors.
• D. Obtain vendor references from third parties.

Correct answer: C

Explanation

The correct answer is C because independent control reports provide an unbiased view of a vendor's internal controls and risk management practices, which is crucial for evaluating their control environment. Options A and B focus on performance metrics and internal assessments, which may not provide an external perspective on control effectiveness. Option D, while useful, does not directly assess the control environment.