Exam CISA topic 1 question 825 discussion

Actual exam question from Isaca's CISA
Question #: 825
Topic #: 1

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

  • A. IT manager
  • B. Internal auditor
  • C. Business management
  • D. Risk management
Suggested Answer: C

Comments

SuperMax
7 months, 4 weeks ago
Selected Answer: C
C. Business management. The primary responsibility for the design of IT controls to meet control objectives typically falls on the shoulders of business management. Business management is responsible for setting the overall objectives and requirements for IT controls that align with the organization's goals and compliance requirements. They determine what controls are necessary to mitigate risks and ensure the security and integrity of IT systems and data. While IT managers, internal auditors, and risk management teams may play supporting roles in this process, the ultimate responsibility for designing and implementing IT controls lies with the business management, as they are the ones who have the most direct knowledge of the organization's specific needs and objectives.
upvoted 3 times
...
JONESKA
10 months ago
I agree, it should be C
upvoted 3 times
...
TEC1
1 year, 3 months ago
C. Business management is primarily responsible for the design of IT controls to meet control objectives. IT controls are designed to mitigate the risks associated with IT systems and ensure that they operate effectively and efficiently. The responsibility for designing and implementing IT controls lies with the business management responsible for the system in question. Business management should identify the risks associated with the IT system and design IT controls to address those risks. IT managers are responsible for managing the IT system but may not have the necessary understanding of business objectives and risks to design effective IT controls. Internal auditors may review and assess the effectiveness of IT controls but are not responsible for designing them. Risk management may identify and assess risks, but it is ultimately the responsibility of business management to design controls to address those risks.
upvoted 4 times
...