Certified in Risk and Information Systems Control (CRISC) — Question 288
An organization's internal auditors have identified a new IT control deficiency in the organization's identity and access management (IAM) system. It is most important for the risk practitioner to:
Answer options
- A. perform a follow-up risk assessment to quantify the risk impact
- B. verify that applicable risk owners understand the risk
- C. implement compensating controls to address the deficiency
- D. recommend replacement of the deficient system
Correct answer: B
Explanation
The correct answer is B because the risk owners are accountable for deciding how the risk is treated, so they must first understand the identified deficiency and its implications before any response is chosen. Performing a follow-up risk assessment (A) and implementing compensating controls (C) are both legitimate later steps, but they should follow, not precede, confirming that the applicable risk owners are informed. Recommending replacement of the system (D) may be unnecessary and could be an extreme measure depending on the nature of the deficiency.