Certified in Risk and Information Systems Control (CRISC) — Question 456
What is the PRIMARY purpose of reporting residual risk from two consecutive IT risk assessments to management?
Answer options
- A. To enable decisions regarding risk treatment plans
- B. To prevent new risk from impacting the organization's information assets
- C. To ensure management will adjust the acceptable level of risk
- D. To monitor the effectiveness of controls over time
Correct answer: D
Explanation
The correct answer is D because comparing the residual risk reported by two consecutive assessments shows management whether the controls in place are reducing risk as intended, which is monitoring control effectiveness over time. Options A, B, and C are not the primary purpose of this reporting: they concern risk treatment and management decisions about the acceptable level of risk rather than tracking how well existing controls perform.