Question 37
Domain 2 — Risk Identification, Assessment, and Analysis
What is inherent risk?
Correct answer: B
Explanation
Inherent risk is the level of risk that exists before any controls, safeguards, or mitigation measures are applied. It is the starting risk exposure, so "risk before any controls are implemented" matches the definition.
Why each option is right or wrong
A. Risk after controls are applied
B. Risk before any controls are implemented
Under standard risk-management definitions used in audit and compliance frameworks, inherent risk is assessed at the point of gross exposure, before any mitigating controls are considered. The examiner is looking for the baseline level of risk attached to the activity itself, not the residual risk after safeguards, so the option describing risk before controls are implemented matches that definition exactly.
C. The cost of implementing controls
D. Risk that has been transferred to a third party