
Isaca CRISC Exam - Topic 6 Question 104 Discussion

Actual exam question for Isaca's CRISC exam
Question #: 104
Topic #: 6

During a risk assessment, a risk practitioner learns that an IT risk factor is adequately mitigated by compensating controls in an associated business process. Which of the following would enable the MOST effective management of the residual risk?

Suggested Answer: A

A compensating control is a control implemented to reduce risk exposure when the primary control is not feasible or cost-effective. It may not directly address the root cause of the risk, but it can provide an alternative or supplementary way of mitigating it. Residual risk is the risk that remains after the risk response has been implemented; it can be accepted, monitored, or further reduced depending on the risk tolerance and appetite of the organization. A risk practitioner is the person responsible for identifying and analyzing the potential sources and consequences of risk events.

When a risk practitioner learns during a risk assessment that an IT risk factor is adequately mitigated by compensating controls in an associated business process, the action that would enable the most effective management of the residual risk is to schedule periodic reviews of the compensating controls' effectiveness, that is, to measure and evaluate the performance and compliance of the compensating controls on a regular basis. By scheduling periodic reviews, the risk practitioner can ensure that the compensating controls are still operating as intended and that they are delivering the expected results. The risk practitioner can also identify any gaps or weaknesses in the compensating controls and recommend improvements or adjustments as needed.

Reference: CRISC Review Manual, 7th Edition, page 177.


Contribute your Thoughts:

Alida
10 hours ago
I disagree, B) is more important for transparency.
upvoted 0 times
...
Lavonna
6 days ago
A) is definitely the best choice. Regular reviews are key!
upvoted 0 times
...
Mabel
11 days ago
I bet the exam writers had a field day coming up with these options. They're really trying to trip us up, aren't they?
upvoted 0 times
...
Latonia
16 days ago
Hmm, this question is a real head-scratcher. I hope the answer isn't "all of the above" - that would be too easy!
upvoted 0 times
...
Merilyn
21 days ago
D) Reassigning ownership to IT might not be the best solution if the business process owners are better equipped to manage the controls.
upvoted 0 times
...
Margo
26 days ago
C) Additional IT controls could be overkill if the business process controls are already adequate.
upvoted 0 times
...
Malinda
1 month ago
B) Reporting to senior management is important for visibility, but doesn't directly address the residual risk.
upvoted 0 times
...
Mary
1 month ago
A) Periodic reviews are key to ensuring the controls remain effective. This is the way to go.
upvoted 0 times
...
Rosann
1 month ago
I recall that ownership reassignment can clarify responsibilities, but I’m not convinced it directly addresses the residual risk effectively.
upvoted 0 times
...
Martha
2 months ago
I lean towards recommending additional IT controls, but I wonder if that might complicate things instead of simplifying the risk management process.
upvoted 0 times
...
Willodean
2 months ago
This question is testing our understanding of risk management principles. Based on my experience, scheduling regular reviews of the compensating controls (option A) is the most effective way to ensure the residual risk is properly managed over time. The other options don't directly address the ongoing monitoring and assessment of the controls.
upvoted 0 times
...
Desmond
2 months ago
I'm a bit confused by this question. There are a few options that seem reasonable, but I'm not sure which one would be considered the "most effective." I'll need to carefully review the details of each choice to determine the best approach.
upvoted 0 times
...
Lorriane
2 months ago
This question feels similar to one we practiced about compensating controls. I think reporting to senior management could be crucial, but I'm not entirely confident.
upvoted 0 times
...
Tammara
2 months ago
Okay, I think I've got this. The question is asking about managing residual risk, so the best approach would be to schedule periodic reviews of the compensating controls. That way, you can proactively identify any issues and make adjustments as needed.
upvoted 0 times
...
Kanisha
2 months ago
I remember we discussed the importance of periodic reviews in class, but I'm not sure if that's the best option here.
upvoted 0 times
...
Tambra
3 months ago
B could be important too. Senior management should know about risks.
upvoted 0 times
...
Allene
3 months ago
Hmm, this is a tricky one. I think the key is to focus on the concept of "residual risk" and how to best manage that. Based on my understanding, option A seems like the most logical choice to ensure the compensating controls remain effective over time.
upvoted 0 times
...
Jerry
3 months ago
I'm not entirely sure how to approach this question. The key seems to be identifying the most effective way to manage the residual risk, but I'm not confident in my understanding of the differences between the answer choices.
upvoted 0 times
Yolande
3 months ago
I think periodic reviews are crucial for effectiveness.
upvoted 0 times
...
...
