Certified in Risk and Information Systems Control (CRISC) — Question 424

Which of the following should be the PRIMARY input when designing IT controls?

Answer options

• A. Internal and external risk reports
• B. Outcome of control self-assessments
• C. Benchmark of industry standards
• D. Recommendations from IT risk experts

Correct answer: A

Explanation

The primary input for designing IT controls should be internal and external risk reports, as they provide a comprehensive view of potential risks that need to be addressed. While the other options are important, they are secondary to the insights gained from risk reports, which directly influence the effectiveness of the controls.