Certified in Risk and Information Systems Control (CRISC) — Question 818
To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?
Answer options
- A. Third-party provider
- B. Business owner
- C. IT department
- D. Risk manager
Correct answer: B
Explanation
The business owner should assume responsibility for the risk of calculation errors because the business owner has ultimate accountability for the financial data and its accuracy. The third-party provider may deliver the application, but the business owner is responsible for its use and the outcomes it produces. The IT department and risk manager may play supportive roles, but they do not own the risk in this context.