Certified in Risk and Information Systems Control (CRISC) — Question 21

Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Answer options

• A. A decrease in the number of key controls
• B. Changes in control design
• C. An increase in residual risk
• D. Changes in control ownership

Correct answer: C

Explanation

The correct answer is C, as an increase in residual risk indicates a higher potential for loss despite existing controls. Other options, such as a decrease in key controls or changes in control design and ownership, may not directly reflect the overall risk exposure to the organization.