
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Risk and Control Monitoring and Reporting

Practice CRISC Risk and Control Monitoring and Reporting questions with full explanations on every answer.

175 questions


All CRISC Risk and Control Monitoring and Reporting questions (175)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1

A security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?

2

A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?

3

A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?

4

A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?

5

A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?

6

During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?

7

A risk officer is evaluating the effectiveness of a control that prevents unauthorized changes to configuration files. The control has not detected any unauthorized changes in the past year. What does this indicate?

8

A large organization is implementing a continuous monitoring program for its critical systems. Which of the following is the MOST important factor for the program's success?

9

A control owner reports that a preventive control is operating as designed, but the risk owner is concerned that residual risk remains high. What should the risk practitioner do NEXT?

10

A company's risk monitoring report shows that a key risk indicator (KRI) has exceeded the threshold for three consecutive months. What is the MOST appropriate action?

11

A risk practitioner is reviewing the results of a control self-assessment (CSA) and finds that the control owner rated a control as 'effective' but an independent audit found control weaknesses. What is the BEST explanation for this discrepancy?

12

Which TWO of the following are primary objectives of control monitoring?

13

Which THREE of the following are key components of an effective risk reporting framework?

14

Which TWO of the following are examples of detective controls?

15

Which THREE of the following are characteristics of leading key risk indicators (KRIs)?

16

Refer to the exhibit. The SIEM alert triggered, but the security team did not respond because they were investigating another incident. What is the BEST way to prevent such monitoring gaps in the future?

17

Refer to the exhibit. The control test failed because unauthorized access attempts were detected. The remediation plan suggests additional logging. Is this remediation appropriate?

18

Refer to the exhibit. What action should the risk practitioner recommend FIRST?

19

A multinational financial services company has implemented a continuous monitoring program for its trading systems. The program uses automated scripts to check system configurations against a baseline every hour. Recently, the company experienced a significant security incident where a malicious actor exploited a misconfigured firewall rule to exfiltrate sensitive customer data. Post-incident analysis revealed that the misconfiguration had been present for 72 hours before detection. The monitoring scripts did not detect the change because the baseline had been updated two weeks prior to include the misconfiguration as part of a planned change that was later reversed without updating the baseline. The company's change management process requires that all configuration changes be approved and documented, but the reversal of the change was not documented. The incident response team was only alerted when a customer reported suspicious activity. The risk practitioner is tasked with recommending improvements to prevent recurrence. Which of the following is the BEST course of action?

20

A retail company has a risk monitoring program that tracks key risk indicators (KRIs) for its e-commerce platform. One KRI measures the number of failed payment transactions as a percentage of total transactions. The threshold is set at 2%. Over the past quarter, the KRI has been fluctuating between 1.8% and 2.5%, breaching the threshold several times. Each time the KRI exceeded the threshold, the risk owner performed a manual investigation and found that the failures were due to transient network issues that resolved on their own. The risk owner has now requested that the threshold be raised to 3% to avoid unnecessary investigations. The risk practitioner is evaluating this request. What should the risk practitioner do?

21

An organization has implemented a new key risk indicator (KRI) for vendor management that measures the percentage of vendors without a signed contract. The current value is 15%, exceeding the risk appetite threshold of 10%. The risk owner wants to know the most appropriate action to take based on this KRI. What should the risk practitioner recommend?

22

Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?

23

A company has implemented a key risk indicator (KRI) for system availability, with a threshold of 99.5%. The monitoring team observes that availability has dropped to 99.2% for two consecutive months. What is the most appropriate next step?

24

During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?

25

A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?

26

A risk practitioner is reviewing the monitoring reports for a critical business process. The report shows that a key control has a 95% effectiveness rate, but the risk appetite for the associated risk is 98%. What should the practitioner do?

27

Which of the following is the primary purpose of a risk and control monitoring program?

28

A company has a control that automatically rejects transactions over $10,000. During a review, it is found that 2% of transactions over $10,000 were approved due to a system glitch. The control owner says the glitch has been fixed. What should the risk practitioner do next?

29

A risk practitioner is designing a monitoring dashboard for operational risk. Which of the following is the most important consideration?

30

An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?

31

Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)

32

Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)

33

Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)

34

A global financial services firm has implemented a risk monitoring system that aggregates data from 50+ systems across three regions (Americas, EMEA, APAC). The system uses a centralized data lake and provides dashboards to regional risk committees. Recently, the APAC committee reported that their dashboard shows a spike in cyber risk indicators, but the Americas and EMEA dashboards show no change. The data source for the spike is a single system in APAC that tracks failed VPN logins. The risk owner for that system believes the spike is due to a misconfiguration during a recent patch. However, the APAC risk committee is concerned that this indicates a coordinated attack. The Chief Risk Officer (CRO) wants a clear assessment. Which course of action is most appropriate?

35

A medium-sized e-commerce company has a risk monitoring program that tracks key risk indicators (KRIs) monthly. One KRI is the percentage of orders with failed payment transactions. The threshold is 2%, but for the past three months, the KRI has been 2.5%, 3.1%, and 2.8%. The risk owner says this is due to a seasonal increase in fraudulent transactions and expects it to return to normal next month. The company has a compensating control that manually reviews flagged transactions. The internal audit team recently tested the compensating control and found it to be 100% effective. The risk committee wants to know if the KRI breach requires action. What should the risk practitioner recommend?

36

A financial institution has implemented a continuous monitoring solution for its core banking application. The monitoring team receives an alert indicating that the average response time for a critical transaction has exceeded the threshold for the past 15 minutes. The transaction volume during this period is within normal range. What should be the FIRST step in the incident response process?

37

A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?

38

An organization is designing a risk indicator monitoring program for its key financial risks. Which of the following is the BEST example of a key risk indicator (KRI) for credit risk?

39

Which TWO of the following are essential components of an effective control monitoring program?

40

You are the risk manager for a healthcare organization that uses an electronic health records (EHR) system. The system has a built-in audit log that records all access to patient data. Recently, the Chief Information Security Officer (CISO) raised a concern that there have been multiple reports of unauthorized access to patient records, but the audit log analysis has not identified any suspicious activity. You have been asked to investigate. Your review of the audit log configuration reveals that the system only logs successful access events, not failed access attempts. Additionally, the log retention period is set to 30 days, and the logs are stored in a flat file on the same server as the EHR application. The monitoring team manually reviews the logs at the end of each month. Which of the following is the MOST significant risk associated with the current monitoring approach?

41

An organization is implementing a continuous monitoring program for its critical IT processes. Which TWO of the following are key indicators that should be included to effectively monitor control performance?

42

You are the risk manager at a financial institution that processes online transactions. The organization relies on a legacy system for transaction authorization, which is monitored via manual log reviews performed weekly by a junior analyst. Recently, the internal audit team identified that several unauthorized transactions were not detected for over two weeks. The logs showed that the authorization control failed intermittently due to a known software bug, but the bug had been documented in the risk register with a low residual risk rating. The CRO asks you to recommend the most effective improvement to the control monitoring process. Which of the following would be the BEST course of action?

43

Sequence the steps for conducting a business impact analysis (BIA).

44

Arrange the steps for performing a vulnerability assessment.

45

Match each risk assessment method to its characteristic.

46

Match each information security objective to its description.

47

A risk manager notices that a key risk indicator (KRI) for network downtime has been steadily increasing over the past three months. The current value is 15% above the risk tolerance threshold. Which of the following is the BEST immediate action?

48

A control monitoring system generates an alert when transaction volumes exceed 10,000 per hour. Recently, the system has been generating false positives during peak business hours due to legitimate seasonal spikes. Which of the following is the BEST approach to reduce false positives while maintaining effective monitoring?

49

An organization uses a risk appetite statement that limits operational losses to $2 million per quarter. A new risk reporting dashboard shows that current operational losses are $1.8 million with two weeks remaining in the quarter. The head of risk management wants to ensure that losses remain within appetite. Which of the following control monitoring reports would be MOST useful for proactive decision-making?

50

Which of the following is the BEST practice for determining the frequency of control monitoring activities?

51

A company has implemented an automated control monitoring system that generates alerts when transactions exceed predefined thresholds. The system has been in production for six months. The risk team notices that the number of alerts has been decreasing, while actual control failures have remained constant. Which of the following is the MOST likely cause?

52

A risk committee receives a monthly risk report that includes a heat map of inherent risk ratings and a separate list of control deficiencies. The committee members often complain that they cannot easily see which control deficiencies are most critical to address. Which of the following is the BEST improvement to the reporting?

53

An organization uses control self-assessments (CSAs) as part of its monitoring program. The results from the latest CSA show that the majority of controls are rated as effective, but an internal audit reveals several control failures in those same areas. What is the MOST likely reason for this discrepancy?

54

A company relies on a third-party cloud provider for critical data processing. As part of its vendor risk management program, the company wants to implement continuous monitoring of the provider's controls. Which of the following is the BEST approach?

55

A multinational organization uses multiple risk management systems that do not integrate with each other. The risk team manually consolidates data into a spreadsheet for reporting. This process is error-prone and time-consuming. Which of the following is the BEST long-term solution to improve risk monitoring and reporting?

56

A risk manager is evaluating the effectiveness of a set of key risk indicators (KRIs). Which TWO of the following are characteristics of effective KRIs?

57

An organization is designing a control monitoring program. Which THREE of the following are types of control monitoring activities that should be included?

58

Which TWO of the following are best practices for risk reporting to senior management?

59

The exhibit shows a log entry from a GRC system. Which of the following is the MOST significant concern regarding this risk score update?

60

The exhibit shows a warning from a control monitoring system. Based on the log, which of the following is the MOST likely control deficiency?

61

The exhibit shows a control monitoring configuration in JSON format. Which of the following is the MOST critical gap in this monitoring setup?

62

A security control failed to prevent unauthorized access to a sensitive database. The risk owner has been notified. What should the risk practitioner do NEXT?

63

A company's key risk indicator (KRI) for 'failed login attempts' has exceeded its threshold by 20%. The control owner reports that a recent firewall change caused false positives. What should the risk practitioner do FIRST?

64

During a control self-assessment, an operational manager reports that a manual review control is performed quarterly instead of monthly as documented. What should the risk practitioner do?

65

A risk practitioner notices that a key control is tested only once a year, but the associated risk has a high velocity of change. What is the BEST recommendation?

66

A board member asks for a summary of the top five risks. The risk practitioner has 10 risks with current residual risk levels. Which approach BEST supports board-level reporting?

67

A control test reveals a 100% pass rate for a detective control. What does this indicate?

68

An incident occurs due to a control that was thought to be automated but was actually manual. The risk register did not reflect this. What is the MOST likely root cause?

69

A risk practitioner is asked to reduce the number of KRIs tracked from 50 to 20. Which KRIs should be prioritized for removal?

70

An external audit finds that a control is not operating as designed. The auditor recommends corrective action. What should the risk practitioner do FIRST?

71

Which TWO of the following are appropriate criteria for selecting key risk indicators (KRIs)?

72

Which THREE of the following control monitoring techniques are considered continuous monitoring?

73

Which TWO of the following are key attributes of effective risk reporting?

74

An S3 bucket policy is configured as shown. During a monitoring review, the risk practitioner notices that the 'DenyAll' policy is never evaluated because of an explicit allow. What is the MOST likely monitoring gap?

75

A SIEM event shows multiple failed logins followed by a successful login for the service account 'svc-backup'. The risk practitioner is evaluating the controls. Which finding is MOST significant?

76

A database error log shows repeated login failures followed by a successful authentication. Which control failure is MOST likely?

77

A financial institution monitors the number of unauthorized access attempts to its core banking system. The risk owner recommends increasing the monitoring frequency from daily to hourly because a recent attack exploited a delayed detection. Which of the following is the PRIMARY benefit of this change?

78

A large e-commerce company uses several key risk indicators (KRIs) to monitor credit card fraud. The risk committee noticed that one KRI has been trending above the threshold for three consecutive months, yet no risk response was initiated. Which of the following is the MOST likely root cause?

79

A company's risk management team is evaluating the effectiveness of its control monitoring program. They find that many controls are tested at the same time each year, leading to a resource bottleneck. Which of the following approaches would BEST address this issue?

80

A risk analyst is reviewing control monitoring results and notices that a detective control has a high false positive rate. What is the BEST action to improve the control's efficiency?

81

After a significant cybersecurity incident, the board requests a report on the effectiveness of the security controls that were in place. Which reporting approach would BEST demonstrate the controls' performance?

82

An organization uses a risk register that includes inherent risk, control effectiveness, and residual risk. During a quarterly review, the risk owner updates control effectiveness from 'partially effective' to 'effective'. What effect does this have on the residual risk rating?

83

A company implements a new automated control to monitor user access rights. The control sends a daily report of any users with excessive privileges. What is the PRIMARY benefit of this control?

84

During a risk assessment, a control self-assessment (CSA) indicates that a key control is operating effectively. However, an independent audit finds multiple control failures. Which of the following is the MOST likely reason for this discrepancy?

85

A company monitors key risk indicators (KRIs) using a dashboard. The risk manager notices that a KRI has a green status but the underlying control testing shows a high failure rate. What action should the risk manager take FIRST?

86

A company is designing its risk and control monitoring program. Which TWO of the following are key attributes of effective monitoring?

87

A risk analyst is reviewing the results of control testing for a critical business process. Which THREE of the following are valid reasons to classify a control as ineffective?

88

A multinational corporation is implementing continuous monitoring of its compliance with data privacy regulations across multiple jurisdictions. Which TWO of the following are significant challenges to this approach?

89

Refer to the exhibit. Based on the KRI data for the current week, what action should the risk manager take FIRST?

90

Refer to the exhibit. What does this log entry indicate about the monitoring process?

91

Refer to the exhibit. This JSON snippet defines a monitoring policy for S3 bucket access. Which of the following is a potential risk that might NOT be detected by this monitoring policy?

92

A company's control monitoring dashboard shows that a key control has been operating effectively for six months. However, a recent audit revealed a material weakness. Which of the following is the MOST likely reason?

93

An organization is designing a risk and control monitoring program for a new cloud-based application. Which of the following is the MOST important factor to consider when selecting Key Risk Indicators (KRIs)?

94

A company's internal audit function reports that a detective control (manual review of transactions) is operating effectively based on a sample of 50 transactions showing no issues. However, the continuous monitoring system shows that 100 suspicious transactions were not reviewed during the same period. The control owner argues the control is effective. What is the BEST conclusion?

95

A risk owner wants to implement continuous monitoring for a set of critical controls. Which of the following is the PRIMARY benefit of continuous monitoring over periodic testing?

96

After a security incident, a company implements a new control and begins monitoring its effectiveness. Which of the following metrics would BEST indicate that the control is achieving its objective?

97

A bank's risk committee reviews a monthly risk report that includes KRIs. One KRI shows that the number of failed transactions due to system errors is trending upward. The control owner states that the trend is within the risk appetite. However, the report also shows that the number of customer complaints is stable. What should the risk manager do FIRST?

98

A company is evaluating its control monitoring program. Which TWO of the following are key elements of an effective control monitoring framework? (Choose two.)

99

An organization uses a risk and control monitoring system that generates weekly reports. The reports show a key control as 'effective' for the past three months. However, during a recent audit, a significant control failure was discovered. Which TWO of the following are MOST likely root causes for this discrepancy? (Choose two.)

100

A risk manager is designing monthly risk reports for senior management. Which THREE of the following should be included in an effective risk report? (Choose three.)

101

Refer to the exhibit. If the control objective is to prevent unauthorized access via MFA, what does this test result indicate?

102

Refer to the exhibit. Based on the exhibit, what is the most appropriate action regarding the control OWF?

103

Refer to the exhibit. What does the exhibit most likely indicate about the control monitoring?

104

A retail company monitors its key risk indicator (KRI) for credit card transaction fraud. The KRI has exceeded the established threshold for three consecutive days, but the weekly control performance report shows all fraud detection controls operating effectively. What should the risk practitioner do FIRST?

105

A manufacturing company's board of directors receives a monthly risk report. Which key performance indicator (KPI) is MOST relevant for the board to assess the effectiveness of internal controls?

106

An organization is implementing a new cloud-based customer relationship management (CRM) system. The risk practitioner is designing the control monitoring plan. Which approach BEST ensures continuous monitoring of controls across both the application and infrastructure layers?

107

During a quarterly control review, the risk team discovers that a key manual approval control was bypassed in 15% of transactions due to a recent process change. What is the FIRST action the risk practitioner should take?

108

A risk practitioner is designing a risk dashboard for the executive team. The organization has a high risk appetite for revenue-generating activities but a low risk appetite for regulatory compliance. Which combination of metrics should be prominently displayed?

109

After a control self-assessment (CSA) workshop, business units reported that 80% of controls are operating effectively. However, internal audit's recent testing indicates a 30% control failure rate. What is the BEST explanation for this discrepancy?

110

A risk practitioner discovers that a critical control deficiency has been open for six months beyond the agreed remediation date. What is the MOST appropriate reporting action?

111

An organization uses a third-party vendor for payment processing. The vendor's latest SOC 2 report shows a significant control exception in logical access. What is the BEST way to monitor the effectiveness of the compensating controls the vendor has implemented?

112

A global organization is consolidating risk data from multiple business units into a single enterprise risk management (ERM) system. The risk practitioner notices that KRIs for the same risk type (e.g., cybersecurity) are calculated differently across units. What is the BEST approach to ensure consistent and reliable risk monitoring and reporting?

113

Which TWO of the following are characteristics of an EFFECTIVE key risk indicator (KRI)?

114

Which THREE of the following should be included in a board-level risk report to effectively communicate the organization's risk profile?

115

Which TWO of the following are examples of control monitoring activities?

116

Based on the exhibit, which aspect of risk monitoring is MOST concerning?

117

Based on the exhibit, what control monitoring deficiency is evident in the DLP policy?

118

Based on the exhibit, which key risk indicator (KRI) would this log data be MOST useful for calculating?

119

A risk manager notices that a key risk indicator (KRI) for failed login attempts has exceeded the threshold for three consecutive weeks. Which of the following should be the FIRST action?

120

An organization deployed a new intrusion detection system (IDS) that generates many alerts. The security team is overwhelmed and has started ignoring some alerts. What is the BEST way to address this issue?

121

A financial institution is redesigning its control monitoring program to comply with a new regulatory requirement that mandates near-real-time monitoring of high-risk transactions. The current system performs batch processing daily. Which approach BEST meets the requirement while minimizing operational impact?

122

When reporting risk and control monitoring results to the board of directors, which of the following formats is MOST effective?

123

An internal audit found that a control designed to prevent duplicate payments was bypassed in 5% of transactions. The control owner argues that the control is still effective because the bypass rate is low. What is the BEST response from a risk perspective?

124

A company's control monitoring shows that a detective control has been 100% effective for the past year. However, a recent incident revealed that a data breach went undetected for three months. What is the MOST likely cause?

125

An organization defines its risk appetite as 'no more than one major security incident per year.' During the year, a major incident occurs. The monitoring team reports this to the risk committee. What should be the NEXT step?

126

A company uses a third-party vendor to process customer data. The vendor's security control monitoring reports show no issues. However, the company's internal monitoring detects anomalies in vendor response times. What is the BEST interpretation?

127

An organization is considering moving from periodic control testing to continuous monitoring for its critical financial controls. What is the PRIMARY benefit of this transition?

128

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

129

Which THREE of the following are best practices for reporting risk and control monitoring results to stakeholders?

130

Which TWO of the following factors should be considered when determining the frequency of control monitoring?

131

Refer to the exhibit. A security analyst reviews firewall logs and sees repeated authentication failures for VPN tunnel attempts between two IP addresses. What is the MOST appropriate action?

132

Refer to the exhibit. A risk analyst is reviewing an AWS S3 bucket policy. What is the MOST significant control monitoring gap in this policy?

133

Refer to the exhibit. A SIEM correlation rule 'Brute_Force_SSH' has fired excessively due to traffic from internal monitoring servers. What is the BEST course of action?

134

A risk manager notices that a key risk indicator (KRI) has been consistently above the threshold for three months. What should be the first action?

135

After a major system upgrade, the control testing team reports that a critical automated control failed intermittently. The control owner states it's a temporary glitch. What is the best course of action?

136

Which of the following is the PRIMARY benefit of using a risk register for monitoring?

137

A control owner reports that a control is operating effectively, but the internal audit found a deficiency. What should the risk manager do?

138

During a quarterly risk review, it is discovered that a previously accepted risk has materialized due to a change in the external environment. What is the MOST appropriate response?

139

What is the primary purpose of a control self-assessment (CSA)?

140

A bank's fraud detection system generates an alert for a transaction, but subsequent investigation finds it false. What should be done?

141

A company uses a dashboard to monitor KRIs. One KRI shows a warning level, but the data is two months old. What is the primary concern?

142

Which of the following is an example of a leading indicator?

143

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

144

Which THREE of the following are common challenges in risk reporting?

145

Which THREE are best practices for control monitoring?

146

Refer to the exhibit. What is the most appropriate immediate action for the control failure?

147

A large financial institution has implemented a risk monitoring framework that includes KRIs for operational risk. Recently, a critical KRI related to trade settlement errors has been showing an upward trend, but it remains within the approved threshold. The risk manager is concerned because the trend indicates potential control degradation. The control owner argues that since the KRI is still within threshold, no action is needed. The risk manager wants to determine the best course of action to address the trend before it breaches the threshold. The organization's risk policy requires proactive monitoring. What should the risk manager do?

148

A retail company uses a third-party vendor for payment processing. The vendor's service level agreement (SLA) requires 99.9% uptime. Recently, there were two incidents of downtime totaling 0.2% in a month, still within the SLA. However, the company's internal risk monitoring detected a pattern of increasing minor incidents. The vendor insists the SLA is met. The risk manager must decide on monitoring and reporting. The company's board wants to understand the risk. What is the best course of action?

149

A risk manager notices that a key risk indicator (KRI) for system downtime has exceeded the threshold for two consecutive months. What is the MOST appropriate immediate action?

150

An organization has implemented a continuous monitoring solution for its critical applications. The IT team reports that the monitoring tool generates a high volume of false positives. What is the BEST course of action?

151

A company uses a risk control self-assessment (RCSA) process that is conducted annually. During a quarterly review, management discovers that several high-risk controls are no longer effective due to changes in the business environment. Which of the following is the BEST way to enhance the monitoring of these controls?

152

A risk analyst is reviewing monthly control test results. One control failed testing twice in a row. What is the FIRST step the analyst should take?

153

An organization is designing a risk dashboard for senior management. Which of the following is the MOST important characteristic of the key risk indicators (KRIs) displayed?

154

A financial institution has a control that manually reviews all wire transfers over $10,000. During an audit, it was found that the review is completed within 24 hours for 95% of transactions, but the target is 99%. The process owner wants to improve the control's effectiveness. Which of the following would be the MOST effective remediation?

155

During a control monitoring review, a risk analyst discovers that the control owner has not been performing the required monthly reconciliations. What should the analyst do FIRST?

156

A company is implementing a new continuous monitoring tool for its network security controls. Which of the following is the MOST important step to ensure the tool provides meaningful risk information?

157

Which TWO of the following are primary purposes of risk and control monitoring? (Choose two.)

158

Which THREE of the following are key considerations when designing a risk reporting framework? (Choose three.)

159

Which TWO of the following are examples of key risk indicators (KRIs) in an IT environment? (Choose two.)

160

You are the risk manager for a multinational corporation that relies heavily on a cloud-based ERP system. The system is critical for financial reporting and supply chain management. Recently, the company experienced a significant increase in the number of failed user authentication attempts, which were traced to a misconfiguration in the identity management module. The misconfiguration was detected by the security operations center (SOC) through log analysis, but it took three days to identify and resolve. The root cause was a change made by a cloud administrator without following the change management process. The incident resulted in a temporary denial of service for external users. The company's risk appetite for system availability is low, with a tolerance for downtime of no more than one hour per month. The current monitoring controls include quarterly access reviews and SOC monitoring of logs with a 24-hour review cycle. The board has requested a report on the incident and recommendations to prevent recurrence. What is the MOST effective recommendation to improve monitoring and reduce the likelihood of similar incidents?

161

A retail company uses a manual control to verify that all credit card transactions are processed by authorized payment terminals. The control requires a store manager to compare a daily transaction log against a list of approved terminal IDs. The company processes an average of 10,000 transactions per day across 200 stores. During a recent internal audit, it was found that 15% of stores had not completed the reconciliation for the past month. The audit also revealed that several unauthorized terminals had been used to process transactions, resulting in a data breach of customer payment information. The company's risk appetite for payment card data security is very low. The current monitoring approach includes a quarterly review of control performance by the internal audit team. The risk manager needs to recommend improvements to the monitoring of this control. Which of the following is the BEST recommendation?

162

A technology company has implemented a risk and control monitoring program for its software development lifecycle. The program includes key risk indicators (KRIs) such as the number of critical bugs found in production, code review coverage, and time to patch vulnerabilities. After six months, the risk committee noticed that the KRI for code review coverage is consistently green (within threshold), but the number of critical bugs in production remains high. The risk manager suspects a disconnect between the KRI and actual risk. What should the risk manager do FIRST?

163

A healthcare organization is subject to strict regulatory requirements regarding patient data privacy. The organization has a control that requires all access to patient records to be logged and reviewed weekly by the compliance team. The review is currently performed manually by sampling 10% of the logs. The compliance team reports that the review takes 20 hours per week and they are often unable to complete it on time. As a result, some suspicious access patterns are detected weeks after they occur. The risk manager needs to propose an improvement to the monitoring process. The organization's risk appetite for undetected unauthorized access is very low. Which of the following is the MOST effective recommendation?

164

A financial institution is implementing a new continuous monitoring solution for its transaction processing systems. The solution generates alerts for suspicious activities. Which TWO of the following are essential considerations when defining the alert thresholds?

165

An organization recently experienced a significant security incident that was not detected by existing monitoring controls. The risk team is reviewing the effectiveness of the control monitoring framework. Which THREE of the following are key factors that should be evaluated to improve detection capabilities?

166

A mid-sized retail company processes over 1 million credit card transactions daily. It uses an automated monitoring system with static thresholds to flag potential fraud. Recently, the fraud detection team has been overwhelmed by a 40% increase in false positive alerts, causing legitimate transactions to be delayed and customer service complaints to rise. The risk manager is tasked with improving the situation. After reviewing the alert logs, it is clear that the thresholds have not been updated in 18 months, and transaction patterns have shifted due to seasonal promotions and new payment methods. The team has limited resources and cannot handle the current alert volume. What should the risk manager recommend as the most effective course of action?

167

A healthcare organization operates a legacy electronic health record (EHR) system that is manually monitored for access anomalies by a small IT team. The organization is planning to migrate to a new cloud-based EHR with integrated logging and monitoring. However, due to budget constraints, the migration will take two years. In the interim, the risk manager wants to improve monitoring for unauthorized access to patient data. The current manual process involves weekly log reviews, but recent audits have identified instances of delayed detection (up to two weeks) and missed incidents. The IT team can dedicate only 10 additional hours per week for monitoring. What is the best approach to enhance monitoring during the transition period?

168

A multinational corporation operates in 15 countries with decentralized control monitoring systems. Each regional office uses different tools and processes for monitoring operational risks. The corporate risk team has consolidated quarterly reports, but the board recently raised concerns about inconsistencies and late identification of emerging risks. A root cause analysis revealed that regional monitoring teams define key risk indicators (KRIs) differently and report on different timeframes. Additionally, there is no centralized platform to aggregate data. The risk manager must recommend a solution that balances local autonomy with global visibility. Which option is the most effective?

169

A manufacturing company uses Internet of Things (IoT) sensors to monitor equipment temperature and vibration on the production floor. The sensor data is automatically sent to a central system, but there is a manual log maintained by operators that records their visual inspections. Recently, there have been instances where the sensor data indicated abnormal readings, but the operator logs showed normal conditions, leading to delayed maintenance actions and two equipment breakdowns. The risk manager investigates and finds that operators sometimes forget to update logs or misinterpret sensor alerts. The company wants to improve the reliability of the monitoring process. What should be the primary action?

170

A large financial services firm recently deployed a new security information and event management (SIEM) system to monitor thousands of servers, network devices, and applications. The system is generating over 1,000 alerts per hour, of which 80% are false positives. The security operations center (SOC) team is overwhelmed and has started ignoring all but the most critical alerts. As a result, a real attack recently went undetected for 48 hours. The risk manager is asked to recommend improvements. The SOC team has 12 analysts working in shifts. The SIEM is properly configured, but the correlation rules are broad and noisy. The firm cannot add more staff due to a budget freeze. What should the risk manager prioritize?

171

A small online retailer with 15 employees sells handmade crafts through its e-commerce website. The company processes payments via a third-party gateway. The owner manually reviews transaction logs once a week for fraud indicators, but recently discovered three chargebacks due to unauthorized transactions. The retailer has limited IT budget and no dedicated security staff. The owner wants to improve detection of fraudulent transactions without significant investment. The current manual process takes about two hours per week and often results in delayed detection. The payment gateway offers basic fraud detection features such as IP geolocation and velocity checks, but these are not enabled. What is the most practical first step?

172

A large bank has implemented a sophisticated risk and control monitoring system with multiple dashboards and automated reporting for key risk indicators (KRIs). However, the board of directors has been receiving conflicting KRI reports from different business units (e.g., retail banking, corporate lending, and wealth management). For example, the fraud KRI shows a high risk in retail but low risk in wealth management, yet both units use the same underlying data source. The chief risk officer (CRO) is concerned that the board is losing confidence in the risk reporting. An investigation reveals that each business unit defines and calculates KRIs differently, uses different thresholds, and reports on different schedules. What is the most likely root cause and the best remediation?

173

A risk manager is designing a monitoring and reporting framework. Which THREE of the following are essential components of an effective risk and control monitoring program?

174

Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?

175

A regional bank uses a centralized GRC platform to monitor key risk indicators (KRIs) for operational risk. The chief risk officer (CRO) reviews the monthly risk report and notices that the KRI 'number of system outages exceeding 4 hours' has been consistently reported as 0 for the past six months. However, the IT incident log shows three such outages in the same period. The CRO suspects the KRI is not being accurately reported. What should the risk manager do next?


Frequently asked questions

What does the Risk and Control Monitoring and Reporting domain cover on the CRISC exam?

The Risk and Control Monitoring and Reporting domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.

How many Risk and Control Monitoring and Reporting questions are in the CRISC question bank?

The Courseiva CRISC question bank contains 175 questions in the Risk and Control Monitoring and Reporting domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Risk and Control Monitoring and Reporting for CRISC?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Risk and Control Monitoring and Reporting questions for CRISC?

Yes — the session launcher on this page draws questions exclusively from the Risk and Control Monitoring and Reporting domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
