ISACA CRISC Exam Questions
Certified in Risk and Information Systems Control (Page 57)

Updated On: 24-Feb-2026

Which of the following is the PRIMARY role of the board of directors in corporate risk governance?

  A. Approving operational strategies and objectives
  B. Monitoring the results of actions taken to mitigate risk
  C. Ensuring the effectiveness of the risk management program
  D. Ensuring risk scenarios are identified and recorded in the risk register

Answer(s): B



After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to

  A. recommend a program that minimizes the concerns of that production system.
  B. inform the process owner of the concerns and propose measures to reduce them.
  C. inform the IT manager of the concerns and propose measures to reduce them.
  D. inform the development team of the concerns and together formulate risk reduction measures.

Answer(s): B

Explanation:

The most appropriate action for the risk manager to take after undertaking a risk assessment of a production system is to inform the process owner of the concerns and propose measures to reduce them, as the process owner has the authority and responsibility to manage the production system and its associated risks and controls, and to decide on the optimal risk response. Recommending a program that minimizes the concerns of that production system, informing the IT manager of the concerns and proposing measures to reduce them, and informing the development team of the concerns and together formulating risk reduction measures are not the most appropriate actions, as they may not involve the process owner, who is the key stakeholder and decision maker for the production system and its risks. References = CRISC Review Manual, 7th Edition, page 101.



Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

  A. Improving risk awareness
  B. Obtaining buy-in from risk owners
  C. Leveraging existing metrics
  D. Optimizing risk treatment decisions

Answer(s): A

Explanation:

The main benefit of involving stakeholders in the selection of key risk indicators (KRIs) is improving risk awareness, as it helps to communicate the risk exposure, appetite, and tolerance of the organization to the relevant parties. KRIs are metrics that provide information on the level of exposure to a given operational risk. By involving stakeholders in the selection of KRIs, the risk practitioner can ensure that the KRIs are aligned with stakeholder expectations, needs, and objectives, and that they reflect the most significant risks that affect the organization. This also helps to foster a risk culture and a shared understanding of risk among the stakeholders, which can enhance the risk management process and performance. The other options are not the main benefit of involving stakeholders in the selection of KRIs, although they may be some of the outcomes or advantages of doing so. Obtaining buy-in from risk owners, leveraging existing metrics, and optimizing risk treatment decisions are all important aspects of risk management, but they are not the primary reason for involving stakeholders in the selection of KRIs. References = Key Risk Indicators; Key Risk Indicators: A Practical Guide; The 10 Types of Stakeholders That You Meet in Business; What are Stakeholders? Stakeholder Definition | ASQ



Improvements in the design and implementation of a control will MOST likely result in an update to:

  A. inherent risk.
  B. residual risk.
  C. risk appetite.
  D. risk tolerance.

Answer(s): B

Explanation:

Residual risk is the risk that remains after applying controls to mitigate the inherent risk. Inherent risk is the risk that exists before considering the controls. Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk tolerance is the acceptable level of variation from the risk appetite. Improvements in the design and implementation of a control will most likely result in an update to the residual risk, because they will reduce the likelihood and impact of the risk event, and therefore lower the risk exposure and value. By improving the design and implementation of a control, the organization can enhance the effectiveness and efficiency of the control, and ensure that it is aligned with the risk objectives, expectations, and outcomes. The improvement can also address any gaps, overlaps, redundancies, or conflicts among the controls, and any changes or enhancements that are needed to optimize the controls. The other options are less likely to be updated due to improvements in the design and implementation of a control. The inherent risk will not change, as it is based on the nature and value of the asset and the threats and vulnerabilities that exist. The risk appetite and the risk tolerance will also not change, as they are based on the organization's culture, strategy, and stakeholder expectations. Therefore, the most likely factor to be updated is the residual risk, as it reflects the actual risk level that the organization faces after applying the controls. References = Risk IT Framework, ISACA, 2022, p. 131



Which of the following is the MOST effective way to reduce potential losses due to ongoing expense fraud?

  A. Implement user access controls.
  B. Perform regular internal audits.
  C. Develop and communicate fraud prevention policies.
  D. Conduct fraud prevention awareness training.

Answer(s): C

Explanation:

Developing and communicating fraud prevention policies is the most effective way to reduce potential losses due to ongoing expense fraud because it creates a culture of integrity and accountability, sets clear expectations and consequences for employees, and deters fraudulent behavior. Implementing user access controls, performing regular internal audits, and conducting fraud prevention awareness training are also important controls, but they are more reactive and detective than preventive. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.2, page 4-26.