The most useful information to include in a risk report regarding control effectiveness is whether the controls are functioning as intended to reduce risk to acceptable levels. This directly addresses the core purpose of controls.
While alignment with standards (B) is important, it doesn't guarantee effectiveness. Confirmation of deficiencies by external audits (C) is relevant, but the primary focus is on whether controls are working.
[Reference: ISACA materials on risk reporting and control evaluation, often within the Risk IT Framework and related publications, emphasize the importance of reporting on control effectiveness in terms of risk reduction. The focus should be on whether controls are achieving their intended purpose.]