Certified in Risk and Information Systems Control (CRISC) — Question 880

Which of the following should be of GREATEST concern when reviewing the results of an independent control assessment to determine the effectiveness of a vendor's control environment?

Answer options

• A. The controls had recurring noncompliance
• B. The report was provided directly from the vendor
• C. The control owners disagreed with the auditor's recommendations
• D. The risk associated with multiple control gaps was accepted

Correct answer: A

Explanation

The greatest concern is option A because recurring noncompliance indicates a persistent failure to meet control requirements, which can lead to significant risks. Options B, C, and D are important but do not reflect the immediate operational risk posed by ongoing noncompliance with controls.