When allocating scarce resources for overdue audit corrective actions, risk impact is the main prioritization criterion.
CRISC guidance dictates that corrective actions should first address risks posing the greatest potential harm to the enterprise’s objectives, whether financial, reputational, operational, or compliance-related.
Supporting extract (CRISC study materials):
“Prioritization of treatment options for numerous risk scenarios will be most effective when based on the likelihood of compromise and subsequent impact.” (Slide 311).
Thus, the level of risk impact determines:
Which issues could cause the most damage if unaddressed.
Which corrective actions are most urgent.
The most effective allocation of resources for mitigation.
While cost-benefit and control indicators are valuable supplementary factors, impact severity always takes precedence in a risk-based prioritization model.
Hence, the correct answer is A. Level of risk impact.