Certified in Risk and Information Systems Control (CRISC) — Question 302
An IT risk practitioner has been asked to regularly report on the overall status and effectiveness of the IT risk management program. Which of the following is
MOST useful for this purpose?
Answer options
- A. Capability maturity level
- B. Balanced scorecard
- C. Control self-assessment (CSA)
- D. Internal audit plan
Correct answer: B
Explanation
The Balanced scorecard provides a comprehensive framework for reporting on the effectiveness of an IT risk management program by integrating financial and non-financial performance measures. While the Capability maturity level, Control self-assessment (CSA), and Internal audit plan are useful tools, they do not offer the same breadth of insight into overall program effectiveness as the Balanced scorecard.