To see what the exact process need a control and what the process to update the control or remove it with alternative control

B. Reviewing system functionalities associated with business processes. This method involves closely examining how system functionalities align with and support the business processes they are intended to facilitate. By reviewing these functionalities in the context of the business processes, it becomes easier to identify controls that may no longer be necessary or relevant. This could be due to changes in business processes, technological advancements, or the elimination of the risks that the controls were initially designed to mitigate. This approach ensures that controls are continuously aligned with current business needs and are not just in place because of past requirements. It's a proactive way to streamline processes and improve efficiency without compromising on risk management.

focuses on ensuring that the controls align with business processes. It helps in identifying controls that might have become redundant due to changes in system functionalities or business processes.

B. Reviewing system functionalities associated with business processes. The best method to identify unnecessary controls is to review system functionalities associated with business processes. This approach involves assessing the alignment between controls and the actual functionalities of systems and processes. By examining whether controls are directly relevant to the functionalities and operations of the organization, you can identify controls that might be redundant, outdated, or unnecessary. While all the options can contribute to identifying unnecessary controls, option B directly focuses on the connection between controls and system functionalities. Evaluating controls against audit requirements (option A), monitoring KRIs (option C), and evaluating the impact of removing controls (option D) are also valuable approaches, but they might not specifically target the alignment between controls and system functionalities as effectively as reviewing the system functionalities themselves.

Going with "D", evaluating does not mean removing the control from production. "A" does not make sense to wait until audit discovers such and might not be a concern according to their methodology. "B" Controls are not necessarily mapped to system functionalities. "C" KRI's mainly for key risks and could be mapped to effective controls not unnecessary controls

I feel like B goes more to the core of why the controls are there in the first place. To be honest both b and d would get the same outcome but ISACA like to put questions like this in

B is the right choice

why not option A? evaluating existing controls against audit requirements allows for a systematic review of all controls in place and enables an assessment of whether they are necessary or not. The audit requirements can provide a framework for evaluating whether controls are aligned with the organization's goals, objectives and risks.

Agree it is D

Evaluating the impact of removing existing controls is the BEST method to identify unnecessary controls. By evaluating the impact of removing existing controls, an organization can determine whether a control is actually needed to mitigate a particular risk. This can be done by conducting a risk assessment to identify the risks associated with the process or system, and then evaluating the effectiveness of the existing controls in mitigating those risks.

The correct one is C

If you want to know is your door password is still needed for access control, then u remove your door password access? are u guys crazy? put your business in risk to test the control? Not D for sure. go for B

B seems right

D looks like the best answer