The correct answer is D because internal control effectiveness measured through direct testing provides the most valid basis for conducting risk assessments. Direct testing produces objective evidence about whether controls are designed appropriately and operating effectively. It is stronger and more reliable than estimates, external inference, or peer-based assumptions because it evaluates the actual control environment of the organization.
The other options are less valid:
A. Internal control effectiveness measured through inference from external assessment may provide useful insight, but it is indirect and may not reflect the organization’s actual internal control performance.
B. Control effectiveness determined through subject matter expertise estimation can support assessment, but it remains judgment-based rather than evidence-based.
C. Inferences of internal control effectiveness from peer reports are indirect and may not be relevant to the organization’s own environment, systems, or risk exposure.
Exact Extracts supporting the answer:
“To best identify information systems control deficiencies, gap analysis is used. It highlights the discrepancies between desired control objectives and actual control design and operational effectiveness.”
“The MOST important criterion when reviewing information security controls is ensuring that the controls are effectively addressing risk.”
“The BEST way to ensure that an information systems control is appropriate and effective is to verify that the risk associated with the control is mitigated.”
“To determine control effectiveness, it’s essential to verify that the control meets the test results of intended objectives.”
“Testing the control to ensure that the risk has been adequately mitigated is the best action to take once a new control has been implemented, validating that the control effectively addresses the identified risk.”
These extracts support that the most valid evidence of control effectiveness comes from actual verification and testing, not from assumptions or indirect sources. Therefore, direct testing provides the strongest validity for risk assessments.