Final answer:
Residual risk is the level of risk that remains after accounting for all mitigating factors and control measures. It is different from inherent risk, which is the risk prior to any controls, and from accepted risk, which may occur when management chooses not to act against an inherent risk.
Step-by-step explanation:
Out of the given statements about residual risk, only one is true:
- It is the level of risk after considering controls and other mitigating factors.
Residual risk refers to the risk that remains after all efforts have been made to identify and eliminate risks through control measures and mitigation strategies. If an inherent risk is present and management decides not to act upon it, this decision does represent a type of acceptance of risk, but this kind of risk is more appropriately referred to as 'accepted risk' or 'tolerated risk', rather than residual risk.
Inherent risk is the natural level of risk before controls are considered, and it is different from residual risk, which accounts for the effectiveness of the controls in place. Furthermore, 'gross risk' often refers to the risk before any mitigation or controls are considered, which aligns with the concept of inherent risk, not residual risk.