Certified in Risk and Information Systems Control (CRISC) — Question 706

After the review of a risk record, internal audit questioned why the risk was lowered from medium to low. Which of the following is the BEST course of action in responding to this inquiry?

Answer options

• A. Notify the business at the next risk briefing
• B. Obtain industry benchmarks related to the specific risk
• C. Provide justification for the lower risk rating
• D. Reopen the risk issue and complete a full assessment

Correct answer: C

Explanation

The correct answer is C because providing justification for the lowered risk rating directly addresses the audit's concern and ensures transparency. Options A and B do not directly respond to the inquiry, while D unnecessarily complicates the situation by reopening the issue when a clear explanation suffices.