Free ISACA CRISC Exam Questions (page: 36)

Which of the following is the PRIMARY reason to use key control indicators (KCIs) to evaluate control operating effectiveness?

  1. To measure business exposure to risk
  2. To identify control vulnerabilities
  3. To monitor the achievement of set objectives
  4. To raise awareness of operational issues

Answer(s): C

Explanation:

Key control indicators (KCIs) are metrics that measure how well a specific control is performing in reducing the causes, consequences, or likelihood of a risk. KCIs are used to evaluate control operating effectiveness, which is the degree to which a control achieves its intended objectives and mitigates the risk.
The primary reason to use KCIs to evaluate control operating effectiveness is to monitor the achievement of set objectives. This means that KCIs help to:
Track and report the progress and performance of the control against the predefined targets, standards, or benchmarks
Identify and address any gaps, deviations, or issues in the control operation or outcome
Provide feedback and assurance to the stakeholders and regulators on the adequacy and reliability of the control
Support the continuous improvement and optimization of the control

References = Key Control Indicator (KCI) - CIO Wiki; Evaluating and Improving Internal Control in Organizations - IFAC; A Methodical Approach to Key Control Indicators



Which of the following would be of MOST concern to a risk practitioner reviewing risk action plans for documented IT risk scenarios?

  1. Individuals outside IT are managing action plans for the risk scenarios.
  2. Target dates for completion are missing from some action plans.
  3. Senior management approved multiple changes to several action plans.
  4. Many action plans were discontinued after senior management accepted the risk.

Answer(s): D

Explanation:

The most concerning factor for a risk practitioner reviewing risk action plans for documented IT risk scenarios is that many action plans were discontinued after senior management accepted the risk. Risk action plans are documents that define the roles, responsibilities, procedures, and resources for implementing the risk responses and strategies for the IT risk scenarios. Risk action plans help to reduce, transfer, avoid, or accept the IT risks, and to monitor and report on the IT risk performance and improvement. Discontinuing risk action plans after senior management accepted the risk is a major concern, because it may indicate that the risk acceptance decision was not based on a proper risk analysis or evaluation, or that the risk acceptance decision was not communicated or coordinated with the relevant stakeholders, such as the board, management, business units, and IT functions. Discontinuing risk action plans after senior management accepted the risk may also create challenges or risks for the organization, such as compliance, legal, reputational, or operational risks, or conflicts or inconsistencies with the organization's risk appetite, risk objectives, or risk policies. The other options are not as concerning as discontinuing risk action plans after senior management accepted the risk, although they may also pose some difficulties or limitations for the risk management process. Individuals outside IT managing action plans for the risk scenarios, target dates for completion missing from some action plans, and senior management approving multiple changes to several action plans are all factors that could affect the quality and timeliness of the risk management process, but they do not necessarily indicate a lack of risk management accountability or oversight. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.4.1, page 4-32.



Which of the following is the MOST important requirement when implementing a data loss prevention (DLP) system?

  1. Identifying users who have access
  2. Selecting an encryption solution
  3. Defining the data retention period
  4. Determining the value of data

Answer(s): D

Explanation:

Determining the value of data is essential when implementing a DLP system. Understanding data value helps prioritize protection efforts, allocate resources effectively, and ensure that critical information assets are adequately safeguarded against loss or unauthorized access.


Reference:

ISACA CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, Section: Data Classification and Protection.



Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

  1. Approving operational strategies and objectives
  2. Monitoring the results of actions taken to mitigate risk
  3. Ensuring the effectiveness of the risk management program
  4. Ensuring risk scenarios are identified and recorded in the risk register

Answer(s): B



After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to

  1. recommend a program that minimizes the concerns of that production system.
  2. inform the process owner of the concerns and propose measures to reduce them.
  3. inform the IT manager of the concerns and propose measures to reduce them.
  4. inform the development team of the concerns and together formulate risk reduction measures.

Answer(s): B

Explanation:

The most appropriate action for the risk manager to take after undertaking a risk assessment of a production system is to inform the process owner of the concerns and propose measures to reduce them, as the process owner has the authority and responsibility to manage the production system and its associated risks and controls, and to decide on the optimal risk response. Recommending a program that minimizes the concerns of that production system, informing the IT manager of the concerns and proposing measures to reduce them, and informing the development team of the concerns and together formulating risk reduction measures are not the most appropriate actions, as they may not involve the process owner, who is the key stakeholder and decision maker for the production system and its risks. References = CRISC Review Manual, 7th Edition, page 101.



Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

  1. Improving risk awareness
  2. Obtaining buy-in from risk owners
  3. Leveraging existing metrics
  4. Optimizing risk treatment decisions

Answer(s): A

Explanation:

The main benefit of involving stakeholders in the selection of key risk indicators (KRIs) is improving risk awareness, as it helps to communicate the risk exposure, appetite, and tolerance of the organization to the relevant parties. KRIs are metrics that provide information on the level of exposure to a given operational risk. By involving stakeholders in the selection of KRIs, the risk practitioner can ensure that the KRIs are aligned with the stakeholder expectations, needs, and objectives, and that they reflect the most significant risks that affect the organization. This also helps to foster a risk culture and a shared understanding of risk among the stakeholders, which can enhance the risk management process and performance. The other options are not the main benefit of involving stakeholders in the selection of KRIs, although they may be some of the outcomes or advantages of doing so. Obtaining buy-in from risk owners, leveraging existing metrics, and optimizing risk treatment decisions are all important aspects of risk management, but they are not the primary reason for involving stakeholders in the selection of KRIs. References = Key Risk Indicators; Key Risk Indicators: A Practical Guide; The 10 Types of Stakeholders That You Meet in Business; What are Stakeholders? Stakeholder Definition | ASQ



Improvements in the design and implementation of a control will MOST likely result in an update to:

  1. inherent risk.
  2. residual risk.
  3. risk appetite
  4. risk tolerance

Answer(s): B

Explanation:

Residual risk is the risk that remains after applying controls to mitigate the inherent risk. Inherent risk is the risk that exists before considering the controls. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk tolerance is the acceptable level of variation from the risk appetite. Improvements in the design and implementation of a control will most likely result in an update to the residual risk, because they will reduce the likelihood and impact of the risk event, and therefore lower the risk exposure and value. By improving the design and implementation of a control, the organization can enhance the effectiveness and efficiency of the control, and ensure that it is aligned with the risk objectives, expectations, and outcomes. The improvement can also address any gaps, overlaps, redundancies, or conflicts among the controls, and any changes or enhancements that are needed to optimize the controls. The other options are less likely to be updated due to improvements in the design and implementation of a control. The inherent risk will not change, as it is based on the nature and value of the asset and the threats and vulnerabilities that exist. The risk appetite and the risk tolerance will also not change, as they are based on the organization's culture, strategy, and stakeholder expectations. Therefore, the most likely factor to be updated is the residual risk, as it reflects the actual risk level that the organization faces after applying the controls. References = Risk IT Framework, ISACA, 2022, p. 131



Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

  1. Implement user access controls
  2. Perform regular internal audits
  3. Develop and communicate fraud prevention policies
  4. Conduct fraud prevention awareness training.

Answer(s): C

Explanation:

Developing and communicating fraud prevention policies is the most effective way to reduce potential losses due to ongoing expense fraud because it creates a culture of integrity and accountability, sets clear expectations and consequences for employees, and deters fraudulent behavior. Implementing user access controls, performing regular internal audits, and conducting fraud prevention awareness training are also important controls, but they are more reactive and detective than preventive. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 4-26.


