During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

A. a control mitigation plan is in place
B. residual risk is accepted
C. compensating controls are in place
D. risk management is effective