Certified in Risk and Information Systems Control (CRISC) — Question 975
An internal audit report reveals that a legacy system is no longer supported. Which of the following is the risk practitioner’s MOST important action before recommending a risk response?
Answer options
- A. Explore the feasibility of replacing the legacy system.
- B. Identify other legacy systems within the organization.
- C. Assess the potential impact and cost of mitigation.
- D. Review historical application downtime and frequency.
Correct answer: C
Explanation
The most crucial action is to assess the potential impact and cost of mitigation (C), because this helps the practitioner understand the severity of the risk and the resources required for a response. Exploring replacement (A) and identifying other legacy systems (B) may be important, but they come after understanding the implications of the current system. Reviewing historical downtime (D) can provide context but does not directly address the risk posed by the unsupported legacy system.