IT control self-assessments are techniques that involve identifying and evaluating the effectiveness and efficiency of the IT controls that are designed and implemented to mitigate the IT risks, by the managers and staff within the organization12.

An ineffective control is a control that does not achieve its intended objective or purpose, or does not operate as designed or expected34.

A low residual risk scenario is a situation or occurrence that has a low likelihood and impact of affecting the organization’s objectives, performance, or value creation, after considering the existing controls and their effectiveness56.

The next course of action when reviewing management’s IT control self-assessments and noting an ineffective control that links to several low residual risk scenarios is to recommend management accept the low-risk scenarios, which is a risk response strategy that involves acknowledging and tolerating the level of risk exposure, and not taking any further action to reduce or eliminate it78.

Recommending management accept the low-risk scenarios is the next course of action because it is the most cost-effective and reasonable option, given that the level of risk exposure is low andacceptable, and the cost and effort of implementing or improving the control may outweigh the potential benefits or value78.

Recommending management accept the low-risk scenarios is also the next course of action because it is consistent with the risk management process and objectives, which are to identifyand address the risks that may affect the achievement of the organization’s goals and the delivery of value to the stakeholders, and to optimize the balance between risk and reward78.

The other options are not the next course of action, but rather possible alternatives or steps that may be considered or followed in different circumstances or scenarios. For example:

Assessing management’s risk tolerance is a step that involves determining and communicating the acceptable or tolerable level of risk exposure for the organization or its business units, based on the organization’s risk appetite, criteria, and objectives78. However, this stepis not the next course of action because it is usually done before or during the risk assessment process, and not after noting an ineffective control that links to several low residual risk scenarios78.

Proposing mitigating controls is a course of action that involves suggesting or recommending additional or alternative controls that can reduce or eliminate the level of risk exposure, and improve the effectiveness and efficiency of the risk management process78. However, this course of action is not the next course of action because it is not necessary or appropriate for low residual risk scenarios, as the cost and effort of implementing or improving the controls may outweigh the potential benefits or value78.

Re-evaluating the risk scenarios associated with the control is a course of action that involves revising and updating the likelihood and impact of the risk scenarios, and the level of risk exposure or tolerance for the organization, based on the current or changed conditions or factors that influence the risk landscape78. However, this course of action is not the next course of action because it is not required or relevant for low residual risk scenarios, as the level of risk exposure is already low and acceptable, and the ineffective control does not significantly affect the risk assessment78. References =

1: Control Self Assessments - PwC1

2: Control self-assessment - Wikipedia2

3: Ineffective Controls: What They Are and How to Identify Them3

4: Ineffective Controls: What They Are and How to Identify Them4

5: Residual Risk - Definition and Examples5

6: Residual Risk: Definition, Formula & Management6

7: Risk IT Framework, ISACA, 2009

8: IT Risk Management Framework, University of Toronto, 2017