Certified in Risk and Information Systems Control (CRISC) — Question 815
A risk practitioner notices a trend of noncompliance with an IT-related control. Which of the following would BEST assist in making a recommendation to management?
Answer options
- A. Reviewing the IT policy with the risk owner
- B. Reviewing the roles and responsibilities of control process owners
- C. Assessing noncompliance with control best practices
- D. Assessing the degree to which the control hinders business objectives
Correct answer: D
Explanation
Option D is correct because understanding how the control affects business objectives can provide critical insight for management decisions. The other options focus on reviewing policies or roles, or on comparing against best practices, which may not directly address the implications of noncompliance for business goals.