The best way to validate whether controls have been implemented according to the risk mitigation action plan is to test the control design.
Testing the control design involves examining the specific control activities that have been put in place and determining if they adequately address the identified risks as outlined in the action plan. This goes beyond simply reviewing documentation and looks at how controls operate in practice.
B. Test the control design.
The best way to validate whether controls have been implemented according to the risk mitigation action plan is to test the control design. This involves assessing whether the controls that were designed and put in place are operating as intended and effectively mitigating the identified risks. Testing the control design ensures that the controls are properly configured and capable of addressing the specific risks they were designed to mitigate.
While implementing key risk indicators (KRIs) and key performance indicators (KPIs) are valuable tools for monitoring and measuring the effectiveness of controls and risk management efforts, they are not specifically focused on validating the implementation of controls according to the risk mitigation action plan. Testing the control environment can also be part of the process, but testing the control design comes first to confirm that the controls are correctly established before assessing their ongoing effectiveness.
B. Test the control design
Testing the control design ensures that the controls have been structured and set up in a manner that will effectively manage and mitigate the identified risks. This validation step is crucial to ascertain whether the controls have been implemented according to the risk mitigation action plan.
Going with "B", the question asks if the control is implemented per the agreed mitigation plan. The mitigation plan should define the control and determine its objective to mitigate the risk. Testing the control design will guarantee its effectiveness and whether it is operating well and achieving the needed objectives.
The question is about VALIDATING. Validating means to confirm, corroborate, substantiate, verify, authenticate. Implementing KRI-s (A) is not validation. I say here validation can come through testing. In turn, I'd go with B - sure, this is about if control design works VS agreeing with the plan, but feel that's the best offer here.
Why not A?
Risk indicator is a measure used by an organization to determine the level of current risk for an activity. This helps the organization to monitor the risk level...
Examples of key risk indicators are:
- Number of unauthorized software detected in audit.
- Hours of system downtime
- Number of systems without antivirus
The goal is to evaluate whether mitigating controls have been implemented. If the controls have been implemented then there should be a mitigating effect i.e. reduced likelihood/severity. This should be measurable by KRIs.
Regarding C, from the CRISC review manual 6th edition:
"Assessing the control environment provides the risk practitioner with an opportunity to evaluate the risk culture and effectiveness of the current risk management program, which can be used to determine both the level of risk currently facing the organization and the seriousness of that risk."
I don't see how C is relevant. Thoughts?
You cannot validate the implementation of the control by testing the control environment. So C is definitely not the correct answer.
The question was, what is the BEST way to validate...
How come the answer is A? KRI is for future purposes. I think the answer should be C as with testing it can confirm the proper implementation.
upvoted 4 times
...
Kennethlim79 (1 month, 1 week ago)
Staanlee (4 months, 2 weeks ago)
01010100 (5 months, 1 week ago)
Aboodi000 (5 months, 1 week ago)
mraiyan (7 months, 1 week ago)
groz (7 months, 2 weeks ago)
CbtL (9 months, 3 weeks ago)
john_boogieman (10 months, 3 weeks ago)
cybervds (1 year ago)
Ceecil1959 (1 year, 9 months ago)
Raj1510 (1 year, 12 months ago)
Ramkchan (2 years, 6 months ago)
aselunar (2 years, 7 months ago)
Neen (3 years, 2 months ago)
Rooks (3 years, 4 months ago)