A company has a well-established and effective risk management process. Which of the following risk management practices would MOST likely expose the company to the greatest amount of compliance risk?
Let us use the KEC steps in answering this question
K – E – C
K = Key concept or keywords. The key word in this question here is “well-established risk management process“.
It means what the company has is working well and effective. There is little or no internal exposure for the organisation.
E = Eliminate 2 options. We can already note from the question that they are asking for the “MOST likely” which means our response should reflect the practice with the highest risk.
We can eliminate A and C. They are the least.
C = Choose the best answer that matches the keyword.
So we can clearly see that mitigation is not a problem because their internal controls are working.
We are thus left with B = Risk transfer. This is the highest risk because the control mitigation is done by a third party but the company will still suffer a loss if the third party’s control environment is weak.
For example, if you outsource your accounting function with a third party and that third party treats your accounts badly, you will still have to pay fines and penalties even though you transferred the risk to a third party.
So the correct response is B = Risk Transfer.
For more CISA and CIA exam tips delivered directly to your inbox, subscribe below.