Certified in Risk and Information Systems Control (CRISC) — Question 396
A risk practitioner identifies a database application that has been developed and implemented by the business independently of IT. Which of the following is the BEST course of action?
Answer options
- A. Document the reasons for the exception.
- B. Include the application in IT risk assessments.
- C. Propose that the application be transferred to IT.
- D. Escalate the concern to senior management.
Correct answer: C
Explanation
The correct answer is C because transferring the application to IT ensures it is managed according to organizational standards and best practices. Options A and B do not resolve the underlying issue of IT oversight, while D may delay necessary action without effectively addressing the risk.