I would also pick C, but I would like to point out that A could be the right option too. The risk register that ISACA shows in its manual has a justification column that could be used as evidence if a company decides to use the same standard for a memo of risk acceptance.
Thinking from the ISACA perspective: in the manual, under risk response, we talk about risk acceptance, mitigation, etc. A compensating control is a form of mitigation, therefore I pick C.
The way I read the question, a decision has been made on how to handle a risk (accept, avoid, mitigate, etc.). Now you want evidence to back up the response you are documenting. A shows a written risk response, accepting the risk, but not the reason for the response. B shows another risk response, but it is verbal (so no hard evidence), plus no why. C would go with mitigate or accept and support the decision, as it is evidence of a state. D: responses to IT audit would be information from inquiry, which could be evidence for making a decision on a selected risk response. So, C or D most likely. Deciding which is the better evidence between them is more difficult. Going with D just because audit responses are evidence :)
C:
When documenting a risk response, the list of compensating controls provides the STRONGEST evidence to support the decision.
Compensating controls are specific actions taken to mitigate risks that cannot be eliminated or reduced to an acceptable level. They provide a clear and comprehensive plan for managing identified risks and reducing their potential impact. By documenting compensating controls, risk practitioners provide evidence to support their decision-making process and demonstrate that they have taken appropriate steps to manage identified risks.
Correction, reason:
A list of compensating controls would provide the strongest evidence to support the decision when documenting a risk response. Compensating controls are put in place to mitigate a risk, and documenting them provides evidence of the organization's efforts to address the risk. A memo indicating risk acceptance is useful, but it does not provide evidence that the organization has taken steps to mitigate the risk. Similarly, IT audit follow-up responses may indicate that corrective actions have been taken, but they do not necessarily indicate that compensating controls have been implemented.
A follow-up audit is an audit that verifies that corrective actions have been accomplished as scheduled. It determines that the actions are effective in preventing or minimizing future recurrence.
D (IT follow-up audit responses) is my choice.
I don't know how just having a list of compensating controls provides the strongest evidence.