Certified in Risk and Information Systems Control (CRISC) — Question 479

Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?

Answer options

• A. Threat analysis results
• B. Peer benchmarks
• C. Business impact analysis (BIA) results
• D. Internal audit reports

Correct answer: C

Explanation

The Business Impact Analysis (BIA) results provide critical insights into how deficiencies can affect business operations, making it the most useful for assessing their magnitude. In contrast, threat analysis results focus on potential risks, peer benchmarks compare performance without detailing deficiencies, and internal audit reports may not comprehensively cover the specific impacts of identified weaknesses.