The PRIMARY purpose of using control metrics is to evaluate the variance against objectives, because control metrics are measures that indicate the performance and effectiveness of the controls in achieving the desired outcomes and goals. Control metrics can help to identify and quantify the gaps or deviations between the actual and expected results of the controls, and to provide feedback and improvement for the control design and implementation. The other options are not the primary purpose, because:

Option A: Amount of risk reduced by compensating controls is a result of using control metrics, but not the primary purpose. Compensating controls are controls that provide an alternative or additional level of protection or assurance when the primary or preferred controls are not feasible or effective. Control metrics can help to measure and monitor the amount of risk reduced by compensating controls, but they are not the only or the most important measure of the control performance and effectiveness.

Option B: Amount of risk present in the organization is an input to using control metrics, but not the primary purpose. The amount of risk present in the organization is the level of exposure and uncertainty that the organization faces in pursuing its objectives and goals. Control metrics can help to assess and report the amount of risk present in the organization, but they are not the only or the most important measure of the risk profile and exposure.

Option D: Number of incidents is a source of using control metrics, but not the primary purpose. Incidents are events or occurrences that disrupt or threaten the normal operations or security of the organization. Control metrics can help to analyze and respond to the number of incidents, but they are not the only or the most important measure of the incident management andresolution. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 120.