When allocating scarce resources for overdue audit corrective actions, risk impact is the main prioritization criterion.

CRISC guidance dictates that corrective actions should first address risks posing the greatest potential harm to the enterprise’s objectives—whether financial, reputational, operational, or compliance-related.

Supporting extract (CRISC study materials):

“Prioritization of treatment options for numerous risk scenarios will be most effective when based on the likelihood of compromise and subsequent impact.” (Slide 311).

Thus, the level of risk impact determines:

Which issues could cause the most damage if unaddressed.

Which corrective actions are most urgent.

The most effective allocation of resources for mitigation.

While cost-benefit and control indicators are valuable supplementary factors, impact severity always takes precedence in a risk-based prioritization model.

Hence, the correct answer is A. Level of risk impact.