Certified in Risk and Information Systems Control (CRISC) — Question 393
An organization is considering outsourcing user administration controls for a critical system. The potential vendor has offered to perform quarterly self-audits of its controls instead of having annual independent audits. Which of the following should be of GREATEST concern to the risk practitioner?
Answer options
- A. The vendor will not achieve best practices
- B. The vendor will not ensure against control failure
- C. The controls may not be properly tested
- D. Lack of a risk-based approach to access control
Correct answer: C
Explanation
The greatest concern is that self-audits may not provide an adequate level of scrutiny, so the controls may be inadequately tested, which bears directly on their validity and effectiveness. The other options, while important, do not address the fundamental issue of control-testing integrity, which is essential to maintaining security in a critical system.