Certified in Risk and Information Systems Control (CRISC) — Question 431
In the three lines of defense model, which of the following activities would be completed by the FIRST line of defense?
Answer options
- A. A risk practitioner executes an annual assessment of key controls that impact financial statements
- B. Internal control activities are reviewed monthly by a risk management committee
- C. Control owners review a monthly report on the operation of high-risk controls
- D. Internal audit reviews high-risk areas to ensure controls are executed in a timely manner
Correct answer: C
Explanation
The FIRST line of defense consists of those who own and manage risk, so control owners reviewing a monthly report on the operation of high-risk controls is a first-line activity. The other options describe activities more aligned with the second or third lines of defense, such as oversight and audit functions.