Certified in Risk and Information Systems Control (CRISC) — Question 585
Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?
Answer options
- A. Inspect external audit documentation.
- B. Review management's detailed action plans.
- C. Observe the control enhancements in operation.
- D. Interview control owners.
Correct answer: C
Explanation
The correct answer is C because observing the control enhancements in operation provides direct evidence that the issues have been effectively addressed. While inspecting documentation or reviewing action plans can provide insight, they do not confirm the actual implementation and effectiveness of the controls. Interviewing control owners may yield subjective responses and does not guarantee that the issues have been resolved.