Certified in Risk and Information Systems Control (CRISC) — Question 304

Which of the following is the BEST method to identify unnecessary controls?

Answer options

• A. Evaluating existing controls against audit requirements
• B. Reviewing system functionalities associated with business processes
• C. Monitoring existing key risk indicators (KRIs)
• D. Evaluating the impact of removing existing controls

Correct answer: D

Explanation

The correct answer is D because evaluating the impact of removing existing controls directly helps in understanding their necessity. The other options focus on assessing or monitoring controls without specifically addressing their redundancy, which does not effectively identify unnecessary controls.