ISACA CRISC Exam
Certified in Risk and Information Systems Control (Page 63)

Updated On: 1-Feb-2026

A payroll manager discovers that fields in certain payroll reports have been modified without authorization.
Which of the following control weaknesses could have contributed MOST to this problem?

  A. The user requirements were not documented.
  B. Payroll files were not under the control of a librarian.
  C. The programmer had access to the production programs.
  D. The programmer did not involve the user in testing.

Answer(s): C

Explanation:

Unauthorized modification of fields in payroll reports indicates that someone was able to change the programs or data that produce those reports without going through the authorized change process. This exposes sensitive data, such as employee information, payroll records and tax withholdings, to unauthorized modification.
The control weakness that contributes most directly to this problem is that the programmer had access to the production programs. With write access to production code or configuration, a programmer can alter how reports are generated without the approval, testing and migration steps that proper change control and segregation of duties require.
The other options are less direct causes. Undocumented user requirements (A) and the absence of user involvement in testing (D) are development-quality weaknesses that may produce incorrect reports, but they do not by themselves allow unauthorized changes to a working system. Lack of librarian control over payroll files (B) weakens version control, but without access to production the programmer could not have introduced the change in the first place.
The references for this answer are:
Risk IT Framework, page 12
Information Technology & Security, page 6
Risk Scenarios Starter Pack, page 4
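As an added example (not part of the exam explanation above), the script below shows how a practitioner would check for the weakness in this question and detect its consequence: a segregation-of-duties review of an access list to find developers with write access to production program paths, and a baseline integrity check that compares the programs currently in production against the hashes recorded at the last approved change. The ACL entries, account names, paths and file contents are constructed sample data, and the ACL and manifest formats are assumptions for illustration.

```python
"""Two checks for the control weakness in the payroll question above:
a segregation-of-duties review of who can write to production program
paths, and a baseline integrity check that detects modification of
production programs.  All inputs are constructed sample data; the paths,
account names and the ACL/manifest formats are assumptions."""
import hashlib

# Constructed ACL entries: (account, path, permissions).  Assumed format.
PROD_ACL = [
    ("svc_deploy",  "/prod/payroll/bin/payrun",     "rw"),
    ("svc_deploy",  "/prod/payroll/bin/report_gen", "rw"),
    ("jsmith",      "/prod/payroll/bin/report_gen", "rw"),  # programmer with prod write
    ("jsmith",      "/dev/payroll/bin/report_gen",  "rw"),  # dev access is expected
    ("payroll_mgr", "/prod/payroll/reports/",       "r"),
]

# Constructed membership of the development team.
DEVELOPERS = {"jsmith", "achen"}

# Constructed approved-release contents; the manifest of SHA-256 hashes is
# computed from them so the example runs without any external files.
APPROVED_RELEASE = {
    "/prod/payroll/bin/payrun":     b"payrun v3.2 approved build",
    "/prod/payroll/bin/report_gen": b"report_gen v3.2 approved build",
}
MANIFEST = {p: hashlib.sha256(c).hexdigest() for p, c in APPROVED_RELEASE.items()}

# Constructed current state of production: report_gen has been altered and
# an extra tool that was never part of an approved release is present.
PROD_NOW = {
    "/prod/payroll/bin/payrun":     b"payrun v3.2 approved build",
    "/prod/payroll/bin/report_gen": b"report_gen v3.2 approved build + unapproved patch",
    "/prod/payroll/bin/debug_tool": b"left behind",
}


def sod_violations(acl, developers, prod_prefix="/prod/"):
    """Return sorted (account, path) pairs where a developer can write to production."""
    return sorted(
        (acct, path)
        for acct, path, perms in acl
        if acct in developers and path.startswith(prod_prefix) and "w" in perms
    )


def verify_baseline(current, manifest):
    """Compare production files against the approved-release manifest.

    Returns a dict with three sorted lists: 'modified' (hash differs from the
    manifest), 'missing' (in the manifest but absent from production) and
    'unexpected' (present in production but not in the manifest).
    """
    modified = [p for p, data in current.items()
                if p in manifest and hashlib.sha256(data).hexdigest() != manifest[p]]
    missing = [p for p in manifest if p not in current]
    unexpected = [p for p in current if p not in manifest]
    return {"modified": sorted(modified),
            "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


if __name__ == "__main__":
    # Preventive control check: who can change production programs?
    for acct, path in sod_violations(PROD_ACL, DEVELOPERS):
        print(f"SoD violation: {acct} has write access to {path}")
    # Detective control check: has anything in production drifted from the baseline?
    for kind, paths in verify_baseline(PROD_NOW, MANIFEST).items():
        for p in paths:
            print(f"Baseline drift ({kind}): {p}")
```

The access review is the preventive side (remove the programmer's production write access); the baseline comparison is the detective side that would have surfaced the altered report generator before the payroll manager noticed the wrong fields. In practice the manifest is produced by the release process and stored where the programmer cannot rewrite it, otherwise an attacker who can modify production can also update the baseline.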



Which of the following is the ULTIMATE goal of conducting a privacy impact analysis (PIA)?

  A. To identify gaps in data protection controls
  B. To develop a customer notification plan
  C. To identify personally identifiable information (PII)
  D. To determine gaps in data identification processes

Answer(s): A

Explanation:

The ultimate goal of conducting a privacy impact analysis (PIA) is to identify gaps in data protection controls, as it involves assessing the privacy risks and impacts of collecting, using, storing, and disclosing personally identifiable information (PII), and determining the adequacy and effectiveness of the existing or proposed controls to mitigate those risks and impacts. Developing a customer notification plan, identifying PII, and determining gaps in data identification processes are possible steps or outcomes of conducting a PIA, but they are not the ultimate goal, as they do not address the root cause or solution of the privacy issues. References = CRISC Review Manual, 7th Edition, page 155.



An organization has outsourced its backup and recovery procedures to a third-party cloud provider.
Which of the following is the risk practitioner's BEST course of action?

  A. Accept the risk and document contingency plans for data disruption.
  B. Remove the associated risk scenario from the risk register due to avoidance.
  C. Mitigate the risk with compensating controls enforced by the third-party cloud provider.
  D. Validate the transfer of risk and update the register to reflect the change.

Answer(s): D

Explanation:

The risk practitioner's BEST course of action is to validate the transfer of risk and update the register to reflect the change. Outsourcing backup and recovery to a third-party cloud provider does not eliminate the risk; it transfers operational responsibility for part of it to the provider, while accountability for the risk remains with the organization. The risk practitioner should verify that the provider has adequate controls and capabilities to perform backup and recovery (for example, by reviewing independent assurance reports and the results of restore tests) and that the contract specifies the roles and responsibilities of both parties, and should then update the risk register to record the transfer, the provider's obligations and the resulting residual risk level. The other options are not the best course of action:
Option A: Accepting the risk and documenting contingency plans for data disruption treats the risk as if nothing had changed and ignores that the provider now performs the control. Contingency plans are also reactive measures rather than proactive ones.
Option B: Removing the associated risk scenario from the risk register due to avoidance implies that the risk has been eliminated, which is not the case. The risk still exists; it has been transferred, and the register must continue to reflect its current status and ownership.
Option C: Compensating controls enforced by the third-party cloud provider are part of what the practitioner validates, not the course of action itself. The practitioner's task is to confirm that the transfer is effective, record it, and then monitor the provider's performance and contractual compliance.
References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 196.



When updating the risk register after a risk assessment, which of the following is MOST important to include?

  A. Historical losses due to past risk events
  B. Cost to reduce the impact and likelihood
  C. Likelihood and impact of the risk scenario
  D. Actor and threat type of the risk scenario

Answer(s): C

Explanation:

A risk register is a document that records and tracks the information about the risks that may affect the organization's objectives, such as the risk description, category, source, cause, impact, probability, status, owner, response, etc.
When updating the risk register after a risk assessment, the most important information to include is the likelihood and impact of the risk scenario. The risk register should reflect the current or updated estimates of the probability and consequence of the risk scenario, based on the risk analysis and evaluation methods and criteria. Likelihood and impact together determine the risk level and priority, drive the selection of the most appropriate risk response, inform the allocation of resources and budget for risk management, and provide the baseline against which risk performance and outcomes are monitored and reported. The other options are not the most important information to include: historical losses, the cost of treatment, and the actor and threat type are useful inputs to the assessment, but they are secondary to the resulting likelihood and impact ratings.
The references for this answer are:
Risk IT Framework, page 29
Information Technology & Security, page 23
Risk Scenarios Starter Pack, page 21



Which of the following provides the BEST evidence that a selected risk treatment plan is effective?

  A. Identifying key risk indicators (KRIs)
  B. Evaluating the return on investment (ROI)
  C. Evaluating the residual risk level
  D. Performing a cost-benefit analysis

Answer(s): C

Explanation:

A risk treatment plan is a document that describes the actions and resources required to implement the chosen risk response for a specific risk scenario. A risk response can be to accept, avoid, transfer, or mitigate the risk. The effectiveness of a risk treatment plan can be measured by how well it reduces the risk exposure and achieves the desired outcomes. The best evidence that a selected risk treatment plan is effective is to evaluate the residual risk level, which is the remaining risk after the risk treatment plan has been implemented. The residual risk level should be within the organization's risk appetite and tolerance, and should reflect the actual risk reduction and value creation of the risk treatment plan. Evaluating the residual risk level can also help to identify any gaps or issues that need to be addressed, and to monitor and report on the risk performance and improvement. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, p. 108-109


