Certified in Risk and Information Systems Control (CRISC) — Question 498

Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Answer options

• A. Obtain an objective view of process gaps and systemic errors.
• B. Ensure the risk profile is defined and communicated.
• C. Validate the threat management process.
• D. Obtain objective assessment of the control environment.

Correct answer: A

Explanation

The correct answer is A because a third-party review provides an independent evaluation that helps identify process gaps and systemic errors that might be overlooked internally. Options B, C, and D are important aspects of risk management but do not capture the primary purpose of seeking an objective assessment from an outside entity.