What are the three lines of defense in IT risk management?

Practice question for the SPEA-V 369 Managing Information Technology exam.

Multiple Choice

What are the three lines of defense in IT risk management?

Explanation:
The three lines of defense model describes how responsibility for IT risk is layered so that control, oversight, and assurance are kept separate. The first line is operational management: the people who own and run the processes and apply day-to-day controls, because risk is best managed at the point where the activity happens. The second line is the risk and compliance function, which sets policy, monitors risk, and guides the first line without running the processes itself. The third line is audit (internal audit, and in the arrangement described here external audit as well), which reports independently of both operational management and the risk function and gives assurance on whether governance, risk management, and controls are actually effective. The correct answer is therefore: operational management as the first line, risk and compliance as the second line, and internal and external audit as the third line. The other options either put all audit responsibility inside one of the first two lines or make a single group responsible for both applying controls and overseeing them; in each case the overseeing party is checking its own work, which removes the independence the model depends on.