Certified in Risk and Information Systems Control (CRISC) — Question 69
When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?
Answer options
- A. Propose mitigating controls
- B. Assess management's risk tolerance
- C. Recommend management accept the low risk scenarios
- D. Re-evaluate the risk scenarios associated with the control
Correct answer: D
Explanation
The correct answer is D because the low residual risk ratings of these scenarios were derived on the assumption that the control operates effectively; once the control is found to be ineffective, those ratings can no longer be relied on. Re-evaluating the affected risk scenarios shows whether their residual risk is still low and what adjustments, if any, are needed. Proposing mitigating controls (A) or assessing management's risk tolerance (B) is premature before the current risk level is understood. Recommending that management accept the low-risk scenarios (C) does not address the identified ineffective control.