Exam CRISC topic 1 question 636 discussion

Internal audits are pivotal because they provide an independent evaluation of risk management practices across the organization, assessing both the effectiveness of controls and compliance with policies and regulatory requirements.

B. Management's risk self-assessment Management's risk self-assessment involves the organization's own assessment and understanding of its risks, which can provide valuable insights into the organization's risk profile. While external audits, internal audits, and information security vulnerability assessments are important components of risk management, management's self-assessment reflects the organization's own perception of risks, goals, and strategies, and it plays a central role in shaping the overall risk profile and risk management strategy.

B. Management's risk self-assessment. Management's risk self-assessment is typically the most relevant input to an organization's risk profile. This assessment involves key members of the organization's management team evaluating and quantifying the risks associated with their areas of responsibility. It reflects the insights and perspectives of those closest to the operations and strategic direction of the organization. While inputs from external audits, internal audits, and information security vulnerability assessments are valuable sources of information for assessing risk, they may not provide as comprehensive an understanding of an organization's risk profile as the insights and assessments of the organization's own management team. Internal and external audits often focus on specific areas or compliance requirements, while a risk self-assessment considers a broader range of risks and their potential impacts on the organization's objectives.

Believe it is A. This question seems to be pitting the potentially subjective final results from internal activity against what is seen as less subjective, and external audit activity.

Is not it D?