Certified in Risk and Information Systems Control (CRISC) — Question 653
A risk practitioner observed that a high number of policy exceptions were approved by senior management. Which of the following is the risk practitioner's BEST course of action to determine root cause?
Answer options
- A. Perform control testing.
- B. Review policy change history.
- C. Review the risk profile.
- D. Interview the control owner.
Correct answer: D
Explanation
The best course of action is to interview the control owner, who can explain why exceptions are being requested and granted and describe the decision-making process behind them. Performing control testing, reviewing policy change history, and reviewing the risk profile may each provide useful information, but none of them directly addresses the reasons for the exceptions the way interviewing the control owner does.