Certified in Risk and Information Systems Control (CRISC) — Question 329

Which of the following is the STRONGEST indication that controls implemented as part of a risk action plan are not effective?

Answer options

• A. A security breach occurs.
• B. Internal audit identifies recurring exceptions.
• C. Changes are put into production without management approval.
• D. A sample is used to validate the action plan.

Correct answer: B

Explanation

The correct answer, B, indicates that internal audits consistently find exceptions, suggesting that the controls are not functioning as intended. Option A, while serious, may not necessarily indicate poor controls if it is an isolated incident. Option C shows a procedural failure, but does not directly point to the ineffectiveness of the controls themselves. Option D simply indicates a method of validation rather than a measure of control effectiveness.