Isaca Certified in Risk and Information Systems Control CRISC Question # 189 Topic 19 Discussion

CRISC Exam Topic 19 Question 189 Discussion:

Question #: 189

Topic #: 19

A service provider is managing a client’s servers. During an audit of the service, a noncompliant control is discovered that will not be resolved before the next audit because the client cannot afford the downtime required to correct the issue. The service provider’s MOST appropriate action would be to:

develop a risk remediation plan overriding the client's decision

make a note for this item in the next audit explaining the situation

insist that the remediation occur for the benefit of other customers

ask the client to document the formal risk acceptance for the provider

Get Premium CRISC Questions

Explanation

A noncompliant control is a control that does not meet the requirements or standards of an audit, regulation, or policy. A noncompliant control can expose the organization to risks such as errors, fraud, or breaches. When a noncompliant control is identified, the service provider and the client should work together to resolve the issue as soon as possible. However, sometimes the resolution may not be feasible or cost-effective, and the client may decide to accept the risk associated with the noncompliant control.

In this case, the service provider’s most appropriate action would be to ask the client to document the formal risk acceptance for the provider. This means that the client should acknowledge the existence and consequences of the noncompliant control, and provide a written justification for accepting the risk. The risk acceptance document should also specify the roles and responsibilities of the service provider and the client, and the duration and conditions of the risk acceptance. The risk acceptance document should be signed by the client’s senior management and the service provider’s management, and kept as part of the audit evidence.

The other options are not appropriate actions for the service provider. Developing a risk remediation plan overriding the client’s decision would be disrespectful and unprofessional, as it would ignore the client’s authority and preference. Making a note for this item in the next audit explaining the situation would be insufficient and misleading, as it would imply that the issue is still unresolved and that the service provider is responsible for it. Insisting that the remediation occur for the benefit of other customers would be unreasonable and impractical, as it woulddisregard the client’s business needs and constraints, and potentially harm the relationship between the service provider and the client. References =

Risk Acceptance - Institute of Internal Auditors

New Guidance on the Evaluation of Non-compliance with the Risk Assessment Standard and its Peer Review Impact - REVISED

The Impact of Non-compliance: Understanding The Risks And Consequences

Actual exam question for Isaca CRISC exam by Lumen84750 at Oct 13, 2025, 4:26:13 AM

Contribute your Thoughts:

Chosen Answer: A B C D
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.

Isaca Certified in Risk and Information Systems Control CRISC Question # 189 Topic 19 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 189 Topic 19 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Isaca Certified in Risk and Information Systems Control CRISC Question # 189 Topic 19 Discussion

Isaca Certified in Risk and Information Systems Control CRISC Question # 189 Topic 19 Discussion

Correct Answer:

Options Selected by Other Users:

Contribute your Thoughts:

Awaiting moderator approval