Certified in Risk and Information Systems Control (CRISC) — Question 38

During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Answer options

• A. a control mitigation plan is in place
• B. residual risk is accepted
• C. compensating controls are in place
• D. risk management is effective

Correct answer: C

Explanation

The correct answer is C because compensating controls can effectively mitigate the risks posed by ineffective controls. Options A and B do not ensure that the control environment remains effective, and while D suggests that risk management is functioning, it doesn't address the specific issue of inadequate controls.