Is the IT organization committed to active and continuous risk assessment process as an important tool in providing information on the design and implementation of internal controls, in the definition of the IT strategic plan, and in the monitoring and evaluation mechanisms