Certified in Risk and Information Systems Control (CRISC) — Question 367
When documenting a risk response, which of the following provides the STRONGEST evidence to support the decision?
Answer options
- A. A memo indicating risk acceptance
- B. Verbal majority acceptance of risk by committee
- C. List of compensating controls
- D. IT audit follow-up responses
Correct answer: D
Explanation
The correct answer, D, provides the strongest evidence because IT audit follow-up responses are typically documented and reflect a formal evaluation of risk management practices. In contrast, a memo (A) and verbal acceptance (B) lack the rigor of formal documentation, while a list of compensating controls (C) does not inherently validate the acceptance of risk.