During a quarterly control effectiveness test, internal audit finds that a detective control missed 15% of security incidents. The control owner claims this is within the acceptable error rate of 20%. However, the risk practitioner notes that the missed incidents were high-severity. What should the risk practitioner do?
Escalation ensures that the risk associated with missed high-severity incidents is communicated to decision-makers.
Why this answer
The risk practitioner should escalate the findings to senior management with a recommendation to enhance the control. Although the detective control's 15% miss rate is within the 20% acceptable error rate, the incidents it missed were high-severity. High-severity incidents pose a disproportionate risk to the organization, and a control that fails to detect them is not effective in mitigating critical risks, regardless of meeting a generic threshold. Escalation ensures that management is aware of the residual risk and can authorize appropriate enhancements, such as tuning the control's detection logic or implementing additional monitoring for high-severity events.
Exam trap
Cisco often tests the misconception that meeting a quantitative KCI threshold automatically means a control is effective, without considering the qualitative severity of the incidents missed.
How to eliminate wrong answers
Option A is wrong because accepting the control as effective based solely on the 20% threshold ignores the materiality of the missed incidents; a control that misses high-severity incidents is not effective for risk management, even if it meets a quantitative KCI.
Option C is wrong because implementing a compensating control is a tactical response that should be directed by management after escalation, not a first action by the risk practitioner, and it bypasses the need to address the root cause of the control's failure to detect high-severity incidents.
Option D is wrong because revising the KCI threshold to include severity weighting is a metric adjustment that does not directly address the immediate control deficiency; the practitioner must first report the finding to management, who can then decide on metric changes as part of a broader remediation plan.