Certified in Risk and Information Systems Control (CRISC) — Question 839
Within the three lines of defense model, the accountability for the system of internal controls resides with:
Answer options
- A. enterprise risk management (ERM).
- B. the risk practitioner.
- C. the chief information officer (CIO).
- D. the board of directors.
Correct answer: D
Explanation
The board of directors is ultimately accountable for the internal control system because it oversees organizational governance and risk management. While ERM, risk practitioners, and the CIO play important roles in managing risk, they report to the board and do not hold the same level of accountability.