Certified in Risk and Information Systems Control (CRISC) — Question 464

A segregation of duties control was found to be ineffective because it did not account for all applicable functions when evaluating access. Who is responsible for ensuring the control is designed to effectively address risk?

Answer options

• A. Control tester
• B. Risk manager
• C. Risk owner
• D. Control owner

Correct answer: D

Explanation

The control owner is responsible for the design and implementation of controls to mitigate risks. This includes ensuring that all relevant functions are considered when establishing controls. The control tester, risk manager, and risk owner play roles in testing and managing risks but do not have the same responsibility for the design of the control.