Certified in Risk and Information Systems Control (CRISC) — Question 862

Following an acquisition, the acquiring company's risk practitioner has been asked to update the organization's IT risk profile. What is the MOST important information to review from the acquired company to facilitate this task?

Answer options

• A. Risk assessment and risk register
• B. Risk disclosures in financial statements
• C. Business objectives and strategies
• D. Internal and external audit reports

Correct answer: A

Explanation

The most critical information to review is the Risk assessment and risk register, as it provides a comprehensive overview of existing risks and their management in the acquired organization. While financial disclosures, business objectives, and audit reports are important, they do not offer the same level of detail regarding specific IT risks and mitigation strategies.