Practice CRISC Risk and Control Monitoring and Reporting questions with full explanations on every answer.
1. A security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?
2. A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?
3. A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?
4. A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?
5. A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?
6. During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?
7. A risk officer is evaluating the effectiveness of a control that prevents unauthorized changes to configuration files. The control has not detected any unauthorized changes in the past year. What does this indicate?
8. A large organization is implementing a continuous monitoring program for its critical systems. Which of the following is the MOST important factor for the program's success?
9. A control owner reports that a preventive control is operating as designed, but the risk owner is concerned that residual risk remains high. What should the risk practitioner do NEXT?
10. A company's risk monitoring report shows that a key risk indicator (KRI) has exceeded the threshold for three consecutive months. What is the MOST appropriate action?
11. A risk practitioner is reviewing the results of a control self-assessment (CSA) and finds that the control owner rated a control as 'effective' but an independent audit found control weaknesses. What is the BEST explanation for this discrepancy?
12. Which TWO of the following are primary objectives of control monitoring?
13. Which THREE of the following are key components of an effective risk reporting framework?
14. Which TWO of the following are examples of detective controls?
15. Which THREE of the following are characteristics of leading key risk indicators (KRIs)?
16. Refer to the exhibit. The SIEM alert triggered, but the security team did not respond because they were investigating another incident. What is the BEST way to prevent such monitoring gaps in the future?
17. Refer to the exhibit. The control test failed because unauthorized access attempts were detected. The remediation plan suggests additional logging. Is this remediation appropriate?
18. Refer to the exhibit. What action should the risk practitioner recommend FIRST?
19. A multinational financial services company has implemented a continuous monitoring program for its trading systems. The program uses automated scripts to check system configurations against a baseline every hour. Recently, the company experienced a significant security incident where a malicious actor exploited a misconfigured firewall rule to exfiltrate sensitive customer data. Post-incident analysis revealed that the misconfiguration had been present for 72 hours before detection. The monitoring scripts did not detect the change because the baseline had been updated two weeks prior to include the misconfiguration as part of a planned change that was later reversed without updating the baseline. The company's change management process requires that all configuration changes be approved and documented, but the reversal of the change was not documented. The incident response team was only alerted when a customer reported suspicious activity. The risk practitioner is tasked with recommending improvements to prevent recurrence. Which of the following is the BEST course of action?
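The firewall-baseline scenario above turns on a point that a plain "compare live config to baseline" script cannot catch: the baseline itself had absorbed the misconfiguration. The following added example (not code from the question bank or from any vendor) shows a drift check extended with two further checks, one that reconciles every baseline entry against the change record that authorised it, and one that inspects rule content regardless of the baseline. The firewall rules, change ticket IDs and statuses are constructed for illustration.

```python
"""Configuration drift check that also validates the baseline against change records.

Added example, not from the question bank: the firewall rules, change
ticket IDs and statuses below are constructed for illustration.
"""

# Approved baseline: each rule carries the change ticket that authorised it.
BASELINE = {
    "fw-rule-10": {"action": "allow", "src": "10.0.0.0/8", "dst": "db-subnet",
                   "port": 5432, "change": "CHG-1001"},
    "fw-rule-20": {"action": "allow", "src": "0.0.0.0/0", "dst": "db-subnet",
                   "port": 5432, "change": "CHG-1042"},   # baselined during a planned change
    "fw-rule-30": {"action": "deny", "src": "0.0.0.0/0", "dst": "any",
                   "port": "any", "change": "CHG-0001"},
}

# What the hourly collector pulled from the firewall just now (constructed).
CURRENT = {
    "fw-rule-10": {"action": "allow", "src": "10.0.0.0/8", "dst": "db-subnet", "port": 5432},
    "fw-rule-20": {"action": "allow", "src": "0.0.0.0/0", "dst": "db-subnet", "port": 5432},
    "fw-rule-30": {"action": "deny", "src": "0.0.0.0/0", "dst": "any", "port": "any"},
    "fw-rule-40": {"action": "allow", "src": "192.0.2.0/24", "dst": "app-subnet", "port": 8443},
}

# Change-management records (constructed). CHG-1042 was rolled back, but nobody re-baselined.
CHANGES = {
    "CHG-0001": {"status": "implemented"},
    "CHG-1001": {"status": "implemented"},
    "CHG-1042": {"status": "reverted"},
}


def _rule_body(rule):
    """Drop bookkeeping fields so baseline and live rules compare on content only."""
    return {k: v for k, v in rule.items() if k != "change"}


def drift(baseline, current):
    """Classic baseline comparison: what differs between the approved and live rule sets."""
    findings = []
    for rule_id in sorted(set(baseline) | set(current)):
        b, c = baseline.get(rule_id), current.get(rule_id)
        if b is None:
            findings.append((rule_id, "rule present but not in baseline"))
        elif c is None:
            findings.append((rule_id, "baseline rule missing from device"))
        elif _rule_body(b) != c:
            findings.append((rule_id, "rule content differs from baseline"))
    return findings


def stale_baseline(baseline, changes):
    """Baseline entries whose authorising change is not in an implemented state.

    This is the check the scenario lacked: a baseline is only as trustworthy
    as the change record behind each entry, so a reverted or unknown change
    invalidates the entry even though the live device still "matches".
    """
    findings = []
    for rule_id, rule in sorted(baseline.items()):
        record = changes.get(rule.get("change"))
        if record is None:
            findings.append((rule_id, "no change record for baseline entry"))
        elif record["status"] != "implemented":
            findings.append((rule_id, f"authorising change {rule['change']} is {record['status']}"))
    return findings


def exposed_rules(current):
    """Content-based check independent of the baseline: allow-from-anywhere rules."""
    return sorted(rule_id for rule_id, r in current.items()
                  if r["action"] == "allow" and r["src"] == "0.0.0.0/0")


if __name__ == "__main__":
    for name, result in [("drift", drift(BASELINE, CURRENT)),
                         ("stale baseline", stale_baseline(BASELINE, CHANGES)),
                         ("exposed", exposed_rules(CURRENT))]:
        print(f"{name}: {result}")
```

Run against the constructed data, `drift` reports only the unauthorised fw-rule-40 and is silent on fw-rule-20, exactly the blind spot in the scenario; `stale_baseline` flags fw-rule-20 because its authorising change is in a reverted state, and `exposed_rules` flags it on content alone. Both of the extra checks are cheap to run on the same hourly schedule as the baseline comparison.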
20. A retail company has a risk monitoring program that tracks key risk indicators (KRIs) for its e-commerce platform. One KRI measures the number of failed payment transactions as a percentage of total transactions. The threshold is set at 2%. Over the past quarter, the KRI has been fluctuating between 1.8% and 2.5%, breaching the threshold several times. Each time the KRI exceeded the threshold, the risk owner performed a manual investigation and found that the failures were due to transient network issues that resolved on their own. The risk owner has now requested that the threshold be raised to 3% to avoid unnecessary investigations. The risk practitioner is evaluating this request. What should the risk practitioner do?
21. An organization has implemented a new key risk indicator (KRI) for vendor management that measures the percentage of vendors without a signed contract. The current value is 15%, exceeding the risk appetite threshold of 10%. The risk owner wants to know the most appropriate action to take based on this KRI. What should the risk practitioner recommend?
22. Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?
23. A company has implemented a key risk indicator (KRI) for system availability, with a threshold of 99.5%. The monitoring team observes that availability has dropped to 99.2% for two consecutive months. What is the most appropriate next step?
24. During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?
25. A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?
26. A risk practitioner is reviewing the monitoring reports for a critical business process. The report shows that a key control has a 95% effectiveness rate, but the risk appetite for the associated risk is 98%. What should the practitioner do?
27. Which of the following is the primary purpose of a risk and control monitoring program?
28. A company has a control that automatically rejects transactions over $10,000. During a review, it is found that 2% of transactions over $10,000 were approved due to a system glitch. The control owner says the glitch has been fixed. What should the risk practitioner do next?
29. A risk practitioner is designing a monitoring dashboard for operational risk. Which of the following is the most important consideration?
30. An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?
31. Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)
32. Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)
33. Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)
34. A global financial services firm has implemented a risk monitoring system that aggregates data from 50+ systems across three regions (Americas, EMEA, APAC). The system uses a centralized data lake and provides dashboards to regional risk committees. Recently, the APAC committee reported that their dashboard shows a spike in cyber risk indicators, but the Americas and EMEA dashboards show no change. The data source for the spike is a single system in APAC that tracks failed VPN logins. The risk owner for that system believes the spike is due to a misconfiguration during a recent patch. However, the APAC risk committee is concerned that this indicates a coordinated attack. The Chief Risk Officer (CRO) wants a clear assessment. Which course of action is most appropriate?
35. A medium-sized e-commerce company has a risk monitoring program that tracks key risk indicators (KRIs) monthly. One KRI is the percentage of orders with failed payment transactions. The threshold is 2%, but for the past three months, the KRI has been 2.5%, 3.1%, and 2.8%. The risk owner says this is due to a seasonal increase in fraudulent transactions and expects it to return to normal next month. The company has a compensating control that manually reviews flagged transactions. The internal audit team recently tested the compensating control and found it to be 100% effective. The risk committee wants to know if the KRI breach requires action. What should the risk practitioner recommend?
36. A financial institution has implemented a continuous monitoring solution for its core banking application. The monitoring team receives an alert indicating that the average response time for a critical transaction has exceeded the threshold for the past 15 minutes. The transaction volume during this period is within normal range. What should be the FIRST step in the incident response process?
37. A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?
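The scenario above (a regional drop in critical alerts traced to silent log sources) is a monitoring-of-the-monitoring problem: a quiet SIEM proves nothing unless you can show the collection pipeline is healthy. The following added example (not code from the question bank or from any SIEM product) implements the two checks a practitioner would want running continuously: a KRI for the share of sources that have not delivered events within an agreed window, and a sanity check that flags a sudden fall in alert volume as a probable collection failure. Device names, timestamps and weekly counts are constructed.

```python
"""Detect log sources that have gone silent and alert volumes that drop suspiciously.

Added example, not from the question bank: the device names, timestamps
and weekly alert counts below are constructed.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)

# Constructed collector inventory: device -> time of the last event received.
LAST_SEEN = {
    "apac-fw-01": NOW - timedelta(hours=1),
    "apac-fw-02": NOW - timedelta(hours=50),
    "apac-vpn-01": NOW - timedelta(hours=72),
    "apac-dc-01": NOW - timedelta(minutes=30),
    "apac-dc-02": None,          # onboarded but never delivered a single event
}

# Constructed weekly counts of critical alerts for the region, oldest first.
WEEKLY_CRITICAL_ALERTS = [118, 125, 131, 122, 41]


def silent_sources(last_seen, now, max_silence=timedelta(hours=48)):
    """Return {device: hours_silent} for sources quiet longer than max_silence.

    A source that has never reported is returned with inf: silence proves
    nothing about the device, only that the pipeline from it is not working.
    """
    silent = {}
    for device, ts in last_seen.items():
        if ts is None:
            silent[device] = float("inf")
        elif now - ts > max_silence:
            silent[device] = round((now - ts).total_seconds() / 3600, 1)
    return silent


def coverage_report(last_seen, now, max_silence=timedelta(hours=48), max_silent_ratio=0.10):
    """KRI for monitoring health: share of silent sources against an agreed limit."""
    silent = silent_sources(last_seen, now, max_silence)
    ratio = len(silent) / len(last_seen) if last_seen else 0.0
    return {"silent": silent, "silent_ratio": round(ratio, 2), "breach": ratio > max_silent_ratio}


def volume_drop(weekly_counts, max_drop=0.5):
    """True when the latest week is below (1 - max_drop) of the median of earlier weeks.

    A sharp fall in alerts with no corresponding change in the environment is
    treated as a collection failure until proven otherwise.
    """
    if len(weekly_counts) < 3:
        return False
    *history, latest = weekly_counts
    return latest < (1 - max_drop) * median(history)


if __name__ == "__main__":
    print(coverage_report(LAST_SEEN, NOW))
    print("alert volume drop:", volume_drop(WEEKLY_CRITICAL_ALERTS))
```

The silent-source ratio is the KRI to put on the dashboard next to the alert counts, because it answers the CRO's question directly: a drop in alerts with a rising silent-source ratio points at collection, not at a calmer threat landscape. The 48-hour window and 10% limit are placeholders to be tuned to the environment.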
38. An organization is designing a risk indicator monitoring program for its key financial risks. Which of the following is the BEST example of a key risk indicator (KRI) for credit risk?
39. Which TWO of the following are essential components of an effective control monitoring program?
40. You are the risk manager for a healthcare organization that uses an electronic health records (EHR) system. The system has a built-in audit log that records all access to patient data. Recently, the Chief Information Security Officer (CISO) raised a concern that there have been multiple reports of unauthorized access to patient records, but the audit log analysis has not identified any suspicious activity. You have been asked to investigate. Your review of the audit log configuration reveals that the system only logs successful access events, not failed access attempts. Additionally, the log retention period is set to 30 days, and the logs are stored in a flat file on the same server as the EHR application. The monitoring team manually reviews the logs at the end of each month. Which of the following is the MOST significant risk associated with the current monitoring approach?
41. An organization is implementing a continuous monitoring program for its critical IT processes. Which TWO of the following are key indicators that should be included to effectively monitor control performance?
42. You are the risk manager at a financial institution that processes online transactions. The organization relies on a legacy system for transaction authorization, which is monitored via manual log reviews performed weekly by a junior analyst. Recently, the internal audit team identified that several unauthorized transactions were not detected for over two weeks. The logs showed that the authorization control failed intermittently due to a known software bug, but the bug had been documented in the risk register with a low residual risk rating. The CRO asks you to recommend the most effective improvement to the control monitoring process. Which of the following would be the BEST course of action?
43. Sequence the steps for conducting a business impact analysis (BIA).
44. Arrange the steps for performing a vulnerability assessment.
45. Match each risk assessment method to its characteristic.
46. Match each information security objective to its description.
47. A risk manager notices that a key risk indicator (KRI) for network downtime has been steadily increasing over the past three months. The current value is 15% above the risk tolerance threshold. Which of the following is the BEST immediate action?
48. A control monitoring system generates an alert when transaction volumes exceed 10,000 per hour. Recently, the system has been generating false positives during peak business hours due to legitimate seasonal spikes. Which of the following is the BEST approach to reduce false positives while maintaining effective monitoring?
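Several of the KRI scenarios above (the failed-payment KRI flapping between 1.8% and 2.5%, the same KRI sitting at 2.5%, 3.1% and 2.8% for three months, and the transaction-volume alert that fires on legitimate seasonal peaks) share one mechanical question: how to keep a threshold meaningful without either raising it to silence it or investigating every transient blip. The added example below (not code from the question bank) shows two common answers in working form: escalation by consecutive breaches, and a threshold derived from comparable historical periods with a policy floor. The readings, thresholds and history are constructed to mirror those scenarios.

```python
"""KRI evaluation with consecutive-breach escalation and history-derived thresholds.

Added example, not from the question bank: the readings, thresholds and
history below are constructed to mirror the scenarios above.
"""
from statistics import mean, pstdev


def kri_status(readings, threshold, consecutive=3):
    """Traffic-light status from a series of readings, oldest first.

    green: latest reading within threshold
    amber: latest reading breaches, but fewer than `consecutive` in a row
    red:   the last `consecutive` readings all breach

    Isolated breaches that self-resolve therefore get a note from the owner
    rather than a full investigation, without the threshold itself moving.
    """
    if not readings or readings[-1] <= threshold:
        return "green"
    run = 0
    for value in reversed(readings):
        if value <= threshold:
            break
        run += 1
    return "red" if run >= consecutive else "amber"


def adaptive_threshold(history, floor, k=2.0):
    """Threshold for a period derived from comparable past periods.

    Returns max(floor, mean + k * population standard deviation), so a
    known busy period raises the bar but never drops below the policy floor.
    """
    if len(history) < 2:
        return float(floor)
    return max(float(floor), mean(history) + k * pstdev(history))


def volume_alert(current, peak_history, floor=10_000):
    """True only when `current` exceeds what comparable peak periods have produced."""
    return current > adaptive_threshold(peak_history, floor)


if __name__ == "__main__":
    # Failed-payment KRI, threshold 2%: flapping around the line stays amber ...
    print(kri_status([1.8, 2.5, 1.9, 2.3, 2.1], threshold=2.0))
    # ... while three sustained breaches escalate to red.
    print(kri_status([2.5, 3.1, 2.8], threshold=2.0))
    # Hourly transaction volume, judged against historical peak hours rather than a flat 10,000.
    print(volume_alert(12_900, [12_000, 13_000, 12_500, 12_800]))
    print(volume_alert(14_000, [12_000, 13_000, 12_500, 12_800]))
```

The point of keeping the policy floor inside `adaptive_threshold` is that a seasonal baseline must never be allowed to drift the threshold below what the risk appetite requires; the history only ever raises it. Any change to `consecutive`, `k` or the floor is itself a threshold change and should go through the same approval as the original KRI definition.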
49. An organization uses a risk appetite statement that limits operational losses to $2 million per quarter. A new risk reporting dashboard shows that current operational losses are $1.8 million with two weeks remaining in the quarter. The head of risk management wants to ensure that losses remain within appetite. Which of the following control monitoring reports would be MOST useful for proactive decision-making?
50. Which of the following is the BEST practice for determining the frequency of control monitoring activities?
51. A company has implemented an automated control monitoring system that generates alerts when transactions exceed predefined thresholds. The system has been in production for six months. The risk team notices that the number of alerts has been decreasing, while actual control failures have remained constant. Which of the following is the MOST likely cause?
52. A risk committee receives a monthly risk report that includes a heat map of inherent risk ratings and a separate list of control deficiencies. The committee members often complain that they cannot easily see which control deficiencies are most critical to address. Which of the following is the BEST improvement to the reporting?
53. An organization uses control self-assessments (CSAs) as part of its monitoring program. The results from the latest CSA show that the majority of controls are rated as effective, but an internal audit reveals several control failures in those same areas. What is the MOST likely reason for this discrepancy?
54. A company relies on a third-party cloud provider for critical data processing. As part of its vendor risk management program, the company wants to implement continuous monitoring of the provider's controls. Which of the following is the BEST approach?
55. A multinational organization uses multiple risk management systems that do not integrate with each other. The risk team manually consolidates data into a spreadsheet for reporting. This process is error-prone and time-consuming. Which of the following is the BEST long-term solution to improve risk monitoring and reporting?
56. A risk manager is evaluating the effectiveness of a set of key risk indicators (KRIs). Which TWO of the following are characteristics of effective KRIs?
57. An organization is designing a control monitoring program. Which THREE of the following are types of control monitoring activities that should be included?
58. Which TWO of the following are best practices for risk reporting to senior management?
59. The exhibit shows a log entry from a GRC system. Which of the following is the MOST significant concern regarding this risk score update?
60. The exhibit shows a warning from a control monitoring system. Based on the log, which of the following is the MOST likely control deficiency?
61. The exhibit shows a control monitoring configuration in JSON format. Which of the following is the MOST critical gap in this monitoring setup?
62. A security control failed to prevent unauthorized access to a sensitive database. The risk owner has been notified. What should the risk practitioner do NEXT?
63. A company's key risk indicator (KRI) for 'failed login attempts' has exceeded its threshold by 20%. The control owner reports that a recent firewall change caused false positives. What should the risk practitioner do FIRST?
64. During a control self-assessment, an operational manager reports that a manual review control is performed quarterly instead of monthly as documented. What should the risk practitioner do?
65. A risk practitioner notices that a key control is tested only once a year, but the associated risk has a high velocity of change. What is the BEST recommendation?
66. A board member asks for a summary of the top five risks. The risk practitioner has 10 risks with current residual risk levels. Which approach BEST supports board-level reporting?
67. A control test reveals a 100% pass rate for a detective control. What does this indicate?
68. An incident occurs due to a control that was thought to be automated but was actually manual. The risk register did not reflect this. What is the MOST likely root cause?
69. A risk practitioner is asked to reduce the number of KRIs tracked from 50 to 20. Which KRIs should be prioritized for removal?
70. An external audit finds that a control is not operating as designed. The auditor recommends corrective action. What should the risk practitioner do FIRST?
71. Which TWO of the following are appropriate criteria for selecting key risk indicators (KRIs)?
72. Which THREE of the following control monitoring techniques are considered continuous monitoring?
73. Which TWO of the following are key attributes of effective risk reporting?
74. An S3 bucket policy is configured as shown. During a monitoring review, the risk practitioner notices that the 'DenyAll' policy is never evaluated because of an explicit allow. What is the MOST likely monitoring gap?
75. A SIEM event shows multiple failed logins followed by a successful login for the service account 'svc-backup'. The risk practitioner is evaluating the controls. Which finding is MOST significant?
76. A database error log shows repeated login failures followed by a successful authentication. Which control failure is MOST likely?
77. A financial institution monitors the number of unauthorized access attempts to its core banking system. The risk owner recommends increasing the monitoring frequency from daily to hourly because a recent attack exploited a delayed detection. Which of the following is the PRIMARY benefit of this change?
78. A large e-commerce company uses several key risk indicators (KRIs) to monitor credit card fraud. The risk committee noticed that one KRI has been trending above the threshold for three consecutive months, yet no risk response was initiated. Which of the following is the MOST likely root cause?
79. A company's risk management team is evaluating the effectiveness of its control monitoring program. They find that many controls are tested at the same time each year, leading to a resource bottleneck. Which of the following approaches would BEST address this issue?
80. A risk analyst is reviewing control monitoring results and notices that a detective control has a high false positive rate. What is the BEST action to improve the control's efficiency?
81. After a significant cybersecurity incident, the board requests a report on the effectiveness of the security controls that were in place. Which reporting approach would BEST demonstrate the controls' performance?
82. An organization uses a risk register that includes inherent risk, control effectiveness, and residual risk. During a quarterly review, the risk owner updates control effectiveness from 'partially effective' to 'effective'. What effect does this have on the residual risk rating?
83. A company implements a new automated control to monitor user access rights. The control sends a daily report of any users with excessive privileges. What is the PRIMARY benefit of this control?
84. During a risk assessment, a control self-assessment (CSA) indicates that a key control is operating effectively. However, an independent audit finds multiple control failures. Which of the following is the MOST likely reason for this discrepancy?
85. A company monitors key risk indicators (KRIs) using a dashboard. The risk manager notices that a KRI has a green status but the underlying control testing shows a high failure rate. What action should the risk manager take FIRST?
86. A company is designing its risk and control monitoring program. Which TWO of the following are key attributes of effective monitoring?
87. A risk analyst is reviewing the results of control testing for a critical business process. Which THREE of the following are valid reasons to classify a control as ineffective?
88. A multinational corporation is implementing continuous monitoring of its compliance with data privacy regulations across multiple jurisdictions. Which TWO of the following are significant challenges to this approach?
89. Refer to the exhibit. Based on the KRI data for the current week, what action should the risk manager take FIRST?
90. Refer to the exhibit. What does this log entry indicate about the monitoring process?
91. Refer to the exhibit. This JSON snippet defines a monitoring policy for S3 bucket access. Which of the following is a potential risk that might NOT be detected by this monitoring policy?
92. A company's control monitoring dashboard shows that a key control has been operating effectively for six months. However, a recent audit revealed a material weakness. Which of the following is the MOST likely reason?
93. An organization is designing a risk and control monitoring program for a new cloud-based application. Which of the following is the MOST important factor to consider when selecting Key Risk Indicators (KRIs)?
94. A company's internal audit function reports that a detective control (manual review of transactions) is operating effectively based on a sample of 50 transactions showing no issues. However, the continuous monitoring system shows that 100 suspicious transactions were not reviewed during the same period. The control owner argues the control is effective. What is the BEST conclusion?
95. A risk owner wants to implement continuous monitoring for a set of critical controls. Which of the following is the PRIMARY benefit of continuous monitoring over periodic testing?
96. After a security incident, a company implements a new control and begins monitoring its effectiveness. Which of the following metrics would BEST indicate that the control is achieving its objective?
97. A bank's risk committee reviews a monthly risk report that includes KRIs. One KRI shows that the number of failed transactions due to system errors is trending upward. The control owner states that the trend is within the risk appetite. However, the report also shows that the number of customer complaints is stable. What should the risk manager do FIRST?
98. A company is evaluating its control monitoring program. Which TWO of the following are key elements of an effective control monitoring framework? (Choose two.)
99. An organization uses a risk and control monitoring system that generates weekly reports. The reports show a key control as 'effective' for the past three months. However, during a recent audit, a significant control failure was discovered. Which TWO of the following are MOST likely root causes for this discrepancy? (Choose two.)
100. A risk manager is designing monthly risk reports for senior management. Which THREE of the following should be included in an effective risk report? (Choose three.)
101. Refer to the exhibit. If the control objective is to prevent unauthorized access via MFA, what does this test result indicate?
102. Refer to the exhibit. Based on the exhibit, what is the most appropriate action regarding the control OWF?
103. Refer to the exhibit. What does the exhibit most likely indicate about the control monitoring?
104. A retail company monitors its key risk indicator (KRI) for credit card transaction fraud. The KRI has exceeded the established threshold for three consecutive days, but the weekly control performance report shows all fraud detection controls operating effectively. What should the risk practitioner do FIRST?
105. A manufacturing company's board of directors receives a monthly risk report. Which key performance indicator (KPI) is MOST relevant for the board to assess the effectiveness of internal controls?
106. An organization is implementing a new cloud-based customer relationship management (CRM) system. The risk practitioner is designing the control monitoring plan. Which approach BEST ensures continuous monitoring of controls across both the application and infrastructure layers?
107. During a quarterly control review, the risk team discovers that a key manual approval control was bypassed in 15% of transactions due to a recent process change. What is the FIRST action the risk practitioner should take?
108. A risk practitioner is designing a risk dashboard for the executive team. The organization has a high risk appetite for revenue-generating activities but a low risk appetite for regulatory compliance. Which combination of metrics should be prominently displayed?
109. After a control self-assessment (CSA) workshop, business units reported that 80% of controls are operating effectively. However, internal audit's recent testing indicates a 30% control failure rate. What is the BEST explanation for this discrepancy?
110. A risk practitioner discovers that a critical control deficiency has been open for six months beyond the agreed remediation date. What is the MOST appropriate reporting action?
111. An organization uses a third-party vendor for payment processing. The vendor's latest SOC 2 report shows a significant control exception in logical access. What is the BEST way to monitor the effectiveness of the compensating controls the vendor has implemented?
112. A global organization is consolidating risk data from multiple business units into a single enterprise risk management (ERM) system. The risk practitioner notices that KRIs for the same risk type (e.g., cybersecurity) are calculated differently across units. What is the BEST approach to ensure consistent and reliable risk monitoring and reporting?
113. Which TWO of the following are characteristics of an EFFECTIVE key risk indicator (KRI)?
114. Which THREE of the following should be included in a board-level risk report to effectively communicate the organization's risk profile?
115. Which TWO of the following are examples of control monitoring activities?
116. Based on the exhibit, which aspect of risk monitoring is MOST concerning?
117. Based on the exhibit, what control monitoring deficiency is evident in the DLP policy?
118. Based on the exhibit, which key risk indicator (KRI) would this log data be MOST useful for calculating?
119. A risk manager notices that a key risk indicator (KRI) for failed login attempts has exceeded the threshold for three consecutive weeks. Which of the following should be the FIRST action?
120. An organization deployed a new intrusion detection system (IDS) that generates many alerts. The security team is overwhelmed and has started ignoring some alerts. What is the BEST way to address this issue?
121. A financial institution is redesigning its control monitoring program to comply with a new regulatory requirement that mandates near-real-time monitoring of high-risk transactions. The current system performs batch processing daily. Which approach BEST meets the requirement while minimizing operational impact?
122. When reporting risk and control monitoring results to the board of directors, which of the following formats is MOST effective?
123. An internal audit found that a control designed to prevent duplicate payments was bypassed in 5% of transactions. The control owner argues that the control is still effective because the bypass rate is low. What is the BEST response from a risk perspective?
124. A company's control monitoring shows that a detective control has been 100% effective for the past year. However, a recent incident revealed that a data breach went undetected for three months. What is the MOST likely cause?
125. An organization defines its risk appetite as 'no more than one major security incident per year.' During the year, a major incident occurs. The monitoring team reports this to the risk committee. What should be the NEXT step?
126. A company uses a third-party vendor to process customer data. The vendor's security control monitoring reports show no issues. However, the company's internal monitoring detects anomalies in vendor response times. What is the BEST interpretation?
127. An organization is considering moving from periodic control testing to continuous monitoring for its critical financial controls. What is the PRIMARY benefit of this transition?
128. Which TWO of the following are characteristics of an effective key risk indicator (KRI)?
129. Which THREE of the following are best practices for reporting risk and control monitoring results to stakeholders?
130. Which TWO of the following factors should be considered when determining the frequency of control monitoring?
131. Refer to the exhibit. A security analyst reviews firewall logs and sees repeated authentication failures for VPN tunnel attempts between two IP addresses. What is the MOST appropriate action?
132. Refer to the exhibit. A risk analyst is reviewing an AWS S3 bucket policy. What is the MOST significant control monitoring gap in this policy?
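The S3 bucket-policy questions above (the 'DenyAll' statement that supposedly goes unevaluated because of an explicit allow, the JSON monitoring policy for bucket access, and the policy with a control monitoring gap) all depend on how AWS actually evaluates a policy, and their exhibits are not reproduced on this page. One fact to hold onto when answering them: in IAM policy evaluation an explicit Deny overrides any Allow regardless of the order in which statements appear, so the gap in such a policy is normally an unconditional Allow open to any principal, not statement ordering. The added example below (not code from the question bank and not AWS code) encodes that evaluation order in a small evaluator and adds the check a monitoring rule should run over every bucket policy. The bucket name, VPC endpoint ID, principals and statements are constructed; only '*' wildcards and the StringEquals / StringNotEquals operators are modelled.

```python
"""Evaluate an S3 bucket policy with IAM's ordering: an explicit Deny wins over any Allow.

Added example, not from the question bank and not AWS code. The bucket
name, VPC endpoint ID, principals and statements are constructed. The
evaluator supports '*' wildcards in Action/Resource and the StringEquals /
StringNotEquals operators only; that is enough to show why statement order
is irrelevant and which statements a monitoring rule should flag.
"""
import fnmatch

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return caller in _as_list(principal)


def _condition_matches(condition, context):
    """Subset of IAM condition logic. Negated operators match when the key is absent."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                if actual == expected:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def _statement_applies(stmt, caller, action, resource, context):
    # fnmatchcase handles IAM's '*' and '?' wildcards; the patterns here contain no '[' brackets.
    return (_principal_matches(stmt.get("Principal"), caller)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt.get("Condition"), context))


def evaluate(policy, caller, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, caller, action, resource, context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"     # no Allow, earlier or later, can reverse this
        allowed = True
    return "allow" if allowed else "implicit_deny"


def unconditional_public_allows(policy):
    """Monitoring check: Allow statements open to any principal with no Condition."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and s.get("Principal") == "*" and not s.get("Condition")]


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.pdf"
    print(evaluate(BUCKET_POLICY, "anonymous", "s3:GetObject", obj))
    print(evaluate(BUCKET_POLICY, "anonymous", "s3:GetObject", obj,
                   {"aws:SourceVpce": "vpce-0123456789abcdef0"}))
    print(unconditional_public_allows(BUCKET_POLICY))
```

With the constructed policy, an anonymous read from outside the VPC endpoint is refused by the Deny even though the Allow appears first, and the same read through the endpoint succeeds. `unconditional_public_allows` is the part worth scheduling: it flags the PublicRead statement on its own, which is the finding a monitoring review should raise whether or not a Deny happens to cover it today, because the Deny can be edited or removed independently.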
133. Refer to the exhibit. A SIEM correlation rule 'Brute_Force_SSH' has fired excessively due to traffic from internal monitoring servers. What is the BEST course of action?
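Two of the SIEM scenarios above are really the same detection problem viewed from opposite ends: a run of failed logins followed by a success for the 'svc-backup' account (the signal you must not miss) and a 'Brute_Force_SSH' rule that fires on internal monitoring servers (the noise you must tune out without also tuning out the signal). The added example below (not code from the question bank or from any SIEM product) runs both rules over constructed log lines and shows the tuning decision a practitioner would defend in review: the allowlist for known scanners suppresses the failures-only rule, but never the failed-then-successful rule. The log format, host names, IP addresses and the svc-backup account are constructed and do not reproduce any vendor schema.

```python
"""Failed-then-successful login detection with a tuning exception for known scanners.

Added example, not from the question bank: the log lines, host names,
IP addresses, the svc-backup account and the simplified syslog-like
format are constructed and do not reproduce any vendor schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOG_LINES = """\
2024-03-10T02:00:01 sshd host=db01 user=svc-backup src=203.0.113.9 result=FAIL
2024-03-10T02:00:09 sshd host=db01 user=svc-backup src=203.0.113.9 result=FAIL
2024-03-10T02:00:18 sshd host=db01 user=svc-backup src=203.0.113.9 result=FAIL
2024-03-10T02:00:27 sshd host=db01 user=svc-backup src=203.0.113.9 result=FAIL
2024-03-10T02:00:36 sshd host=db01 user=svc-backup src=203.0.113.9 result=FAIL
2024-03-10T02:00:45 sshd host=db01 user=svc-backup src=203.0.113.9 result=FAIL
2024-03-10T02:01:40 sshd host=db01 user=svc-backup src=203.0.113.9 result=SUCCESS
2024-03-10T03:00:00 sshd host=db01 user=root src=10.10.5.5 result=FAIL
2024-03-10T03:00:05 sshd host=db01 user=root src=10.10.5.5 result=FAIL
2024-03-10T03:00:10 sshd host=db01 user=root src=10.10.5.5 result=FAIL
2024-03-10T03:00:15 sshd host=db01 user=root src=10.10.5.5 result=FAIL
2024-03-10T03:00:20 sshd host=db01 user=root src=10.10.5.5 result=FAIL
2024-03-10T03:00:25 sshd host=db01 user=root src=10.10.5.5 result=FAIL
2024-03-10T04:10:00 sshd host=db01 user=alice src=198.51.100.7 result=FAIL
2024-03-10T04:10:20 sshd host=db01 user=alice src=198.51.100.7 result=FAIL
2024-03-10T04:10:35 sshd host=db01 user=alice src=198.51.100.7 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)

# Internal vulnerability scanners / monitoring probes (constructed range).
KNOWN_SCANNERS = (ip_network("10.10.5.0/24"),)


def parse(text):
    """Yield events as dicts; lines that do not match are skipped, not guessed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def _allowlisted(src, allowlist):
    return any(ip_address(src) in net for net in allowlist)


def detect(events, fail_threshold=5, window=timedelta(minutes=10), allowlist=KNOWN_SCANNERS):
    """Run two correlation rules over a stream of events, oldest first.

    brute_force:          >= fail_threshold failures for the same (user, src)
                          inside `window`; suppressed for allowlisted sources.
    suspected_compromise: such a failure run followed by a SUCCESS; never
                          suppressed, because a success from a scanner range
                          is precisely the case the exception must not hide.
    """
    failures = defaultdict(deque)          # (user, src) -> timestamps of recent failures
    result = {"brute_force": [], "suspected_compromise": [], "suppressed": 0}
    for ev in events:
        key = (ev["user"], ev["src"])
        q = failures[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                    # slide the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) == fail_threshold:   # fire once, when the threshold is crossed
                if _allowlisted(ev["src"], allowlist):
                    result["suppressed"] += 1
                else:
                    result["brute_force"].append((ev["user"], ev["src"], ev["ts"]))
        else:
            if len(q) >= fail_threshold:
                result["suspected_compromise"].append(
                    (ev["user"], ev["src"], ev["host"], len(q), ev["ts"]))
            q.clear()
    return result


if __name__ == "__main__":
    for rule, hits in detect(parse(LOG_LINES)).items():
        print(rule, hits)
```

On the constructed log, svc-backup produces one brute-force alert and one suspected-compromise alert carrying the failure count that preceded the success; the scanner's failures against root are counted under `suppressed` rather than silently dropped, so the exception stays visible in the tuning report; alice's two failures never reach the threshold. Keeping the suppressed count is what lets a later review check that the allowlist is still doing only what it was approved to do.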
134. A risk manager notices that a key risk indicator (KRI) has been consistently above the threshold for three months. What should be the first action?
135. After a major system upgrade, the control testing team reports that a critical automated control failed intermittently. The control owner states it's a temporary glitch. What is the best course of action?
136. Which of the following is the PRIMARY benefit of using a risk register for monitoring?
137. A control owner reports that a control is operating effectively, but the internal audit found a deficiency. What should the risk manager do?
138. During a quarterly risk review, it is discovered that a previously accepted risk has materialized due to a change in the external environment. What is the MOST appropriate response?
139. What is the primary purpose of a control self-assessment (CSA)?
140. A bank's fraud detection system generates an alert for a transaction, but subsequent investigation finds it false. What should be done?
141. A company uses a dashboard to monitor KRIs. One KRI shows a warning level, but the data is two months old. What is the primary concern?
142. Which of the following is an example of a leading indicator?
143. Which TWO of the following are characteristics of an effective key risk indicator (KRI)?
144. Which THREE of the following are common challenges in risk reporting?
145. Which THREE are best practices for control monitoring?
146. Refer to the exhibit. What is the most appropriate immediate action for the control failure?
147. A large financial institution has implemented a risk monitoring framework that includes KRIs for operational risk. Recently, a critical KRI related to trade settlement errors has been showing an upward trend, but it remains within the approved threshold. The risk manager is concerned because the trend indicates potential control degradation. The control owner argues that since the KRI is still within threshold, no action is needed. The risk manager wants to determine the best course of action to address the trend before it breaches the threshold. The organization's risk policy requires proactive monitoring. What should the risk manager do?
148. A retail company uses a third-party vendor for payment processing. The vendor's service level agreement (SLA) requires 99.9% uptime. Recently, there were two incidents of downtime totaling 0.2% in a month, still within the SLA. However, the company's internal risk monitoring detected a pattern of increasing minor incidents. The vendor insists the SLA is met. The risk manager must decide on monitoring and reporting. The company's board wants to understand the risk. What is the best course of action?
149. A risk manager notices that a key risk indicator (KRI) for system downtime has exceeded the threshold for two consecutive months. What is the MOST appropriate immediate action?
150. An organization has implemented a continuous monitoring solution for its critical applications. The IT team reports that the monitoring tool generates a high volume of false positives. What is the BEST course of action?
151. A company uses a risk control self-assessment (RCSA) process that is conducted annually. During a quarterly review, management discovers that several high-risk controls are no longer effective due to changes in the business environment. Which of the following is the BEST way to enhance the monitoring of these controls?
152. A risk analyst is reviewing monthly control test results. One control failed testing twice in a row. What is the FIRST step the analyst should take?
153. An organization is designing a risk dashboard for senior management. Which of the following is the MOST important characteristic of the key risk indicators (KRIs) displayed?
154. A financial institution has a control that manually reviews all wire transfers over $10,000. During an audit, it was found that the review is completed within 24 hours for 95% of transactions, but the target is 99%. The process owner wants to improve the control's effectiveness. Which of the following would be the MOST effective remediation?
155. During a control monitoring review, a risk analyst discovers that the control owner has not been performing the required monthly reconciliations. What should the analyst do FIRST?
156. A company is implementing a new continuous monitoring tool for its network security controls. Which of the following is the MOST important step to ensure the tool provides meaningful risk information?
157. Which TWO of the following are primary purposes of risk and control monitoring? (Choose two.)
158. Which THREE of the following are key considerations when designing a risk reporting framework? (Choose three.)
159Which TWO of the following are examples of key risk indicators (KRIs) in an IT environment? (Choose two.)
160You are the risk manager for a multinational corporation that relies heavily on a cloud-based ERP system. The system is critical for financial reporting and supply chain management. Recently, the company experienced a significant increase in the number of failed user authentication attempts, which were traced to a misconfiguration in the identity management module. The misconfiguration was detected by the security operations center (SOC) through log analysis, but it took three days to identify and resolve. The root cause was a change made by a cloud administrator without following the change management process. The incident resulted in a temporary denial of service for external users. The company's risk appetite for system availability is low, with a tolerance for downtime of no more than one hour per month. The current monitoring controls include quarterly access reviews and SOC monitoring of logs with a 24-hour review cycle. The board has requested a report on the incident and recommendations to prevent recurrence. What is the MOST effective recommendation to improve monitoring and reduce the likelihood of similar incidents?
161A retail company uses a manual control to verify that all credit card transactions are processed by authorized payment terminals. The control requires a store manager to compare a daily transaction log against a list of approved terminal IDs. The company processes an average of 10,000 transactions per day across 200 stores. During a recent internal audit, it was found that 15% of stores had not completed the reconciliation for the past month. The audit also revealed that several unauthorized terminals had been used to process transactions, resulting in a data breach of customer payment information. The company's risk appetite for payment card data security is very low. The current monitoring approach includes a quarterly review of control performance by the internal audit team. The risk manager needs to recommend improvements to the monitoring of this control. Which of the following is the BEST recommendation?
162A technology company has implemented a risk and control monitoring program for its software development lifecycle. The program includes key risk indicators (KRIs) such as number of critical bugs found in production, code review coverage, and time to patch vulnerabilities. After six months, the risk committee noticed that the KRI for code review coverage is consistently green (within threshold), but the number of critical bugs in production remains high. The risk manager suspects a disconnect between the KRI and actual risk. What should the risk manager do FIRST?
163A healthcare organization is subject to strict regulatory requirements regarding patient data privacy. The organization has a control that requires all access to patient records to be logged and reviewed weekly by the compliance team. The review is currently performed manually by sampling 10% of the logs. The compliance team reports that the review takes 20 hours per week and they are often unable to complete it on time. As a result, some suspicious access patterns are detected weeks after they occur. The risk manager needs to propose an improvement to the monitoring process. The organization's risk appetite for undetected unauthorized access is very low. Which of the following is the MOST effective recommendation?
164A financial institution is implementing a new continuous monitoring solution for its transaction processing systems. The solution generates alerts for suspicious activities. Which TWO of the following are essential considerations when defining the alert thresholds?
165An organization recently experienced a significant security incident that was not detected by existing monitoring controls. The risk team is reviewing the effectiveness of the control monitoring framework. Which THREE of the following are key factors that should be evaluated to improve detection capabilities?
166A mid-sized retail company processes over 1 million credit card transactions daily. It uses an automated monitoring system with static thresholds to flag potential fraud. Recently, the fraud detection team has been overwhelmed by a 40% increase in false positive alerts, causing legitimate transactions to be delayed and customer service complaints to rise. The risk manager is tasked with improving the situation. After reviewing the alert logs, it is clear that the thresholds have not been updated in 18 months, and transaction patterns have shifted due to seasonal promotions and new payment methods. The team has limited resources and cannot handle the current alert volume. What should the risk manager recommend as the most effective course of action?
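Question 166 turns on a monitoring design point: a static threshold tuned against an old transaction pattern keeps firing once the pattern shifts, and the fix is a threshold that tracks the current baseline rather than more analysts. The example below is added here to illustrate that point; it is not part of the question bank and does not represent any product's fraud engine. The transaction amounts, the 500.00 static threshold, the 30-transaction window and the multiplier k are all constructed for the illustration. A genuinely anomalous 5000.00 transaction is planted in both the pre-promotion and promotion periods so that the two rules can be compared on what they catch as well as on what they falsely flag.

```python
import statistics


def build_sample_amounts():
    """Constructed transaction amounts (not real data): 100 baseline
    transactions in the 100-300 range, followed by a 60-transaction
    promotional period where typical amounts sit in the 500-700 range.
    One anomalous 5000.00 transaction is planted in each period."""
    baseline = [100.0 + 10 * (i % 21) for i in range(100)]   # 100..300
    promo = [500.0 + 10 * (i % 21) for i in range(60)]       # 500..700
    amounts = baseline + promo
    amounts[50] = 5000.0    # anomaly during the baseline period
    amounts[130] = 5000.0   # anomaly during the promotion
    return amounts


# Hypothetical static rule set against the old pattern and never revisited.
STATIC_THRESHOLD = 500.0


def static_flags(amounts, threshold=STATIC_THRESHOLD):
    """Indices flagged by the fixed threshold. Once amounts shift upward,
    every ordinary promotional transaction trips this rule."""
    return [i for i, a in enumerate(amounts) if a >= threshold]


def adaptive_flags(amounts, window=30, k=8.0):
    """Indices flagged by a baseline-tracking rule: amount i is flagged when it
    exceeds median + k*MAD of the previous `window` amounts. Median and median
    absolute deviation are used rather than mean and standard deviation so that
    an earlier anomaly sitting inside the window does not inflate the threshold
    and mask the next one."""
    flags = []
    for i in range(window, len(amounts)):
        hist = amounts[i - window:i]
        med = statistics.median(hist)
        mad = statistics.median(abs(x - med) for x in hist)
        scale = max(mad, 1.0)  # floor so a flat window does not flag any uptick
        if amounts[i] > med + k * scale:
            flags.append(i)
    return flags


if __name__ == "__main__":
    data = build_sample_amounts()
    print("static rule flags  :", len(static_flags(data)), "transactions")
    print("adaptive rule flags:", adaptive_flags(data))
```

With this data the static rule flags all 60 promotional transactions plus the one planted anomaly, which is the 40% alert-volume problem in the scenario. The adaptive rule flags both planted anomalies, raises some alerts while its window is still dominated by pre-promotion amounts, and then stops flagging ordinary promotional transactions once the window has caught up. The recalibration still needs an owner and a review cadence: a learned baseline will also absorb a slow-burn fraud pattern if nobody checks what it has learned.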
167A healthcare organization operates a legacy electronic health record (EHR) system that is manually monitored for access anomalies by a small IT team. The organization is planning to migrate to a new cloud-based EHR with integrated logging and monitoring. However, due to budget constraints, the migration will take two years. In the interim, the risk manager wants to improve monitoring for unauthorized access to patient data. The current manual process involves weekly log reviews, but recent audits have identified instances of delayed detection (up to two weeks) and missed incidents. The IT team can dedicate only 10 additional hours per week for monitoring. What is the best approach to enhance monitoring during the transition period?
168A multinational corporation operates in 15 countries with decentralized control monitoring systems. Each regional office uses different tools and processes for monitoring operational risks. The corporate risk team has consolidated quarterly reports, but the board recently raised concerns about inconsistencies and late identification of emerging risks. A root cause analysis revealed that regional monitoring teams define key risk indicators (KRIs) differently and report on different timeframes. Additionally, there is no centralized platform to aggregate data. The risk manager must recommend a solution that balances local autonomy with global visibility. Which option is the most effective?
169A manufacturing company uses Internet of Things (IoT) sensors to monitor equipment temperature and vibration on the production floor. The sensor data is automatically sent to a central system, but there is a manual log maintained by operators that records their visual inspections. Recently, there have been instances where the sensor data indicated abnormal readings, but the operator logs showed normal conditions, leading to delayed maintenance actions and two equipment breakdowns. The risk manager investigates and finds that operators sometimes forget to update logs or misinterpret sensor alerts. The company wants to improve the reliability of the monitoring process. What should be the primary action?
170A large financial services firm recently deployed a new security information and event management (SIEM) system to monitor thousands of servers, network devices, and applications. The system is generating over 1,000 alerts per hour, of which 80% are false positives. The security operations center (SOC) team is overwhelmed and has started ignoring all but the most critical alerts. As a result, a real attack recently went undetected for 48 hours. The risk manager is asked to recommend improvements. The SOC team has 12 analysts working in shifts. The SIEM is properly configured but the correlation rules are broad and noisy. The firm cannot add more staff due to budget freeze. What should the risk manager prioritize?
171A small online retailer with 15 employees sells handmade crafts through its e-commerce website. The company processes payments via a third-party gateway. The owner manually reviews transaction logs once a week for fraud indicators, but recently discovered three chargebacks due to unauthorized transactions. The retailer has limited IT budget and no dedicated security staff. The owner wants to improve detection of fraudulent transactions without significant investment. The current manual process takes about two hours per week and often results in delayed detection. The payment gateway offers basic fraud detection features such as IP geolocation and velocity checks, but these are not enabled. What is the most practical first step?
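Question 171 names two gateway features, IP geolocation and velocity checks, without saying what they compute. The example below is added here to show the logic behind both rules over a small constructed transaction set; it is not part of the question bank and is not the code of any payment gateway. The card tokens, timestamps, countries, the 10-minute window and the limit of three attempts per card are all constructed assumptions; a real gateway exposes these as configurable settings rather than code.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction log (not real data). Each record carries a tokenised
# card reference, an ISO-8601 timestamp, the billing-address country and the
# country the order's source IP resolved to.
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "card": "tok_A", "ts": "2024-03-01T10:00:00", "amount": 40.0,
     "billing_country": "US", "ip_country": "US"},
    {"id": "t2", "card": "tok_B", "ts": "2024-03-01T10:05:00", "amount": 35.0,
     "billing_country": "GB", "ip_country": "GB"},
    {"id": "t3", "card": "tok_B", "ts": "2024-03-01T10:06:30", "amount": 35.0,
     "billing_country": "GB", "ip_country": "GB"},
    {"id": "t4", "card": "tok_B", "ts": "2024-03-01T10:08:00", "amount": 120.0,
     "billing_country": "GB", "ip_country": "GB"},
    {"id": "t5", "card": "tok_B", "ts": "2024-03-01T10:09:10", "amount": 200.0,
     "billing_country": "GB", "ip_country": "GB"},
    {"id": "t6", "card": "tok_C", "ts": "2024-03-01T11:00:00", "amount": 60.0,
     "billing_country": "US", "ip_country": "RU"},
    {"id": "t7", "card": "tok_A", "ts": "2024-03-01T12:00:00", "amount": 25.0,
     "billing_country": "US", "ip_country": "US"},
]

# Hypothetical rule parameters.
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3  # a fourth attempt on the same card inside the window is flagged


def flag_transactions(transactions, window=VELOCITY_WINDOW,
                      max_per_window=VELOCITY_MAX):
    """Return {transaction_id: [reasons]} for transactions that trip a rule.

    Velocity check: more than `max_per_window` transactions on one card inside
    a sliding window of length `window` flags the transaction that pushed the
    count over the limit (card testing and rapid reuse of a stolen number).
    Geolocation check: the source-IP country differs from the billing country.
    Both rules are indicators for review, not proof of fraud.
    """
    flagged = defaultdict(list)
    recent = defaultdict(list)  # card -> timestamps still inside the window
    for t in sorted(transactions, key=lambda t: t["ts"]):
        ts = datetime.fromisoformat(t["ts"])
        card = t["card"]
        # Evict this card's timestamps that have aged out of the window.
        recent[card] = [x for x in recent[card] if ts - x <= window]
        recent[card].append(ts)
        if len(recent[card]) > max_per_window:
            flagged[t["id"]].append("velocity")
        if t["ip_country"] != t["billing_country"]:
            flagged[t["id"]].append("geo_mismatch")
    return dict(flagged)


if __name__ == "__main__":
    for tx_id, reasons in flag_transactions(SAMPLE_TRANSACTIONS).items():
        print(tx_id, "->", ", ".join(reasons))
```

On this data the velocity rule flags t5 (the fourth tok_B attempt inside ten minutes) and the geolocation rule flags t6 (US billing address, order placed from a Russian IP); the other five transactions pass. Enabling the gateway's equivalents moves this from a weekly two-hour manual read of the log to a per-transaction check, which is the time-to-detect improvement the question is looking for.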
172A large bank has implemented a sophisticated risk and control monitoring system with multiple dashboards and automated reporting for key risk indicators (KRIs). However, the board of directors has been receiving conflicting KRI reports from different business units (e.g., retail banking, corporate lending, and wealth management). For example, the fraud KRI shows a high risk in retail but low risk in wealth management, yet both units use the same underlying data source. The chief risk officer (CRO) is concerned that the board is losing confidence in the risk reporting. An investigation reveals that each business unit defines and calculates KRIs differently, uses different thresholds, and reports on different schedules. What is the most likely root cause and the best remediation?
173A risk manager is designing a monitoring and reporting framework. Which THREE of the following are essential components of an effective risk and control monitoring program?
174Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?
175A regional bank uses a centralized GRC platform to monitor key risk indicators (KRIs) for operational risk. The chief risk officer (CRO) reviews the monthly risk report and notices that the KRI 'number of system outages exceeding 4 hours' has been consistently reported as 0 for the past six months. However, the IT incident log shows three such outages in the same period. The CRO suspects the KRI is not being accurately reported. What should the risk manager do next?
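Question 175 describes a KRI whose reported value (0 for six months) contradicts the source it is supposed to summarise (three outages over four hours in the incident log). The check a risk manager would want before raising it with the data owner is an independent recomputation of the KRI from the raw incident records. The example below is added here to show that reconciliation; it is not part of the question bank and does not reflect any GRC platform's reporting logic. The incident records, the reported series and the month-attribution rule (an outage counts in the month it started) are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed IT incident log (not real data). Times are ISO-8601.
INCIDENT_LOG = [
    {"id": "INC-1", "type": "outage", "start": "2024-01-10T02:00", "end": "2024-01-10T03:30"},
    {"id": "INC-2", "type": "outage", "start": "2024-02-03T22:00", "end": "2024-02-04T03:15"},
    {"id": "INC-3", "type": "degradation", "start": "2024-02-20T09:00", "end": "2024-02-20T10:00"},
    {"id": "INC-4", "type": "outage", "start": "2024-04-12T00:00", "end": "2024-04-12T06:05"},
    {"id": "INC-5", "type": "outage", "start": "2024-05-01T13:00", "end": "2024-05-01T17:00"},
    {"id": "INC-6", "type": "outage", "start": "2024-06-15T20:00", "end": "2024-06-16T01:00"},
]

# Constructed series as shown on the hypothetical GRC dashboard: 0 every month.
REPORTED_KRI = {m: 0 for m in ("2024-01", "2024-02", "2024-03",
                               "2024-04", "2024-05", "2024-06")}

THRESHOLD_HOURS = 4  # KRI definition: outages EXCEEDING 4 hours


def compute_kri(log, months, threshold_hours=THRESHOLD_HOURS):
    """Recompute 'number of system outages exceeding N hours' per month
    directly from the incident log. An outage is attributed to the month in
    which it started, and exactly N hours does not count (strictly greater)."""
    counts = Counter({m: 0 for m in months})
    for inc in log:
        if inc["type"] != "outage":
            continue
        start = datetime.fromisoformat(inc["start"])
        end = datetime.fromisoformat(inc["end"])
        duration_hours = (end - start).total_seconds() / 3600
        if duration_hours > threshold_hours:
            counts[start.strftime("%Y-%m")] += 1
    return dict(counts)


def reconcile(reported, recomputed):
    """Return {month: (reported, recomputed)} for every month where the
    dashboard value disagrees with the value derived from source records."""
    return {m: (reported[m], recomputed.get(m, 0))
            for m in reported if reported[m] != recomputed.get(m, 0)}


if __name__ == "__main__":
    recomputed = compute_kri(INCIDENT_LOG, REPORTED_KRI.keys())
    for month, (rep, rec) in reconcile(REPORTED_KRI, recomputed).items():
        print(f"{month}: reported={rep} recomputed={rec}")
```

Recomputing from the log yields one qualifying outage in each of February, April and June (INC-5 lasts exactly four hours and so does not exceed the threshold; INC-3 is a degradation, not an outage), which is the three-versus-zero discrepancy in the scenario. Producing the mismatch table this way gives the risk manager specific incident IDs to take to the data owner, and makes the usual culprits visible: a feed that was never connected, a filter on the wrong incident category, or a threshold implemented as a different comparison than the KRI definition states.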
The Risk and Control Monitoring and Reporting domain covers the key concepts tested in this area of the CRISC exam blueprint published by ISACA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CRISC domains — no account required.
The Courseiva CRISC question bank contains 175 questions in the Risk and Control Monitoring and Reporting domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Risk and Control Monitoring and Reporting domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.