© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

CRISC Risk and Control Monitoring and Reporting — All Questions With Answers

Complete CRISC Risk and Control Monitoring and Reporting question bank — all 0 questions with answers and detailed explanations.

175 questions. Free, no signup required.
Question 1 (medium, multiple choice)

A security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?

Question 2 (hard, multiple choice)

A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?

Question 3 (easy, multiple choice)

A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?

Question 4 (medium, multiple choice)

A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?

Question 5 (hard, multiple choice)

A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?

Question 6 (easy, multiple choice)

During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?

Question 7 (medium, multiple choice)

A risk officer is evaluating the effectiveness of a control that prevents unauthorized changes to configuration files. The control has not detected any unauthorized changes in the past year. What does this indicate?

Question 8 (hard, multiple choice)

A large organization is implementing a continuous monitoring program for its critical systems. Which of the following is the MOST important factor for the program's success?

Question 9 (easy, multiple choice)

A control owner reports that a preventive control is operating as designed, but the risk owner is concerned that residual risk remains high. What should the risk practitioner do NEXT?

Question 10 (medium, multiple choice)

A company's risk monitoring report shows that a key risk indicator (KRI) has exceeded the threshold for three consecutive months. What is the MOST appropriate action?

Question 11 (hard, multiple choice)

A risk practitioner is reviewing the results of a control self-assessment (CSA) and finds that the control owner rated a control as 'effective' but an independent audit found control weaknesses. What is the BEST explanation for this discrepancy?

Question 12 (medium, multi select)

Which TWO of the following are primary objectives of control monitoring?

Question 13 (hard, multi select)

Which THREE of the following are key components of an effective risk reporting framework?

Question 14 (easy, multi select)

Which TWO of the following are examples of detective controls?

Question 15 (medium, multi select)

Which THREE of the following are characteristics of leading key risk indicators (KRIs)?

Question 16 (medium, multiple choice)

Refer to the exhibit. The SIEM alert triggered, but the security team did not respond because they were investigating another incident. What is the BEST way to prevent such monitoring gaps in the future?

Exhibit:

```
SIEM Alert: High Severity
Rule: Multiple Failed Logins
Threshold: 10 failures in 5 minutes
Triggered at: 2024-03-15 14:23:45
Source IP: 192.168.1.100
Target: DC01
Event Count: 15 failures in 4 minutes
```

Question 17 (hard, multiple choice)

Refer to the exhibit. The control test failed because unauthorized access attempts were detected. The remediation plan suggests additional logging. Is this remediation appropriate?

Exhibit:

```
Control Test Result: Access Control Review
Control ID: AC-01
Test Date: 2024-03-20
Expected Result: No unauthorized access attempts
Actual Result: 3 unauthorized access attempts detected
Status: Failed
Remediation: Implement additional logging
```

Question 18 (easy, multiple choice)

Refer to the exhibit. What action should the risk practitioner recommend FIRST?

Exhibit:

```
Risk Monitoring Dashboard
KRI: Percentage of systems with critical patches not applied
Threshold: <5%
Current value: 8%
Trend: Increasing
Status: Red
```

Question 19 (hard, multiple choice)

A multinational financial services company has implemented a continuous monitoring program for its trading systems. The program uses automated scripts to check system configurations against a baseline every hour. Recently, the company experienced a significant security incident where a malicious actor exploited a misconfigured firewall rule to exfiltrate sensitive customer data. Post-incident analysis revealed that the misconfiguration had been present for 72 hours before detection. The monitoring scripts did not detect the change because the baseline had been updated two weeks prior to include the misconfiguration as part of a planned change that was later reversed without updating the baseline. The company's change management process requires that all configuration changes be approved and documented, but the reversal of the change was not documented. The incident response team was only alerted when a customer reported suspicious activity. The risk practitioner is tasked with recommending improvements to prevent recurrence. Which of the following is the BEST course of action?

Question 20 (medium, multiple choice)

A retail company has a risk monitoring program that tracks key risk indicators (KRIs) for its e-commerce platform. One KRI measures the number of failed payment transactions as a percentage of total transactions. The threshold is set at 2%. Over the past quarter, the KRI has been fluctuating between 1.8% and 2.5%, breaching the threshold several times. Each time the KRI exceeded the threshold, the risk owner performed a manual investigation and found that the failures were due to transient network issues that resolved on their own. The risk owner has now requested that the threshold be raised to 3% to avoid unnecessary investigations. The risk practitioner is evaluating this request. What should the risk practitioner do?

Question 21 (medium, multiple choice)

An organization has implemented a new key risk indicator (KRI) for vendor management that measures the percentage of vendors without a signed contract. The current value is 15%, exceeding the risk appetite threshold of 10%. The risk owner wants to know the most appropriate action to take based on this KRI. What should the risk practitioner recommend?

Question 22 (hard, multiple choice)

Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?

Exhibit:

Control Self-Assessment (CSA) Results for Access Management:
- User access recertification completed within 90 days: 92% (target: 95%)
- Terminated employee accounts disabled within 24 hours: 98% (target: 99%)
- Privileged access reviews completed quarterly: 100% (target: 100%)
- Segregation of duties conflicts resolved within 30 days: 85% (target: 90%)

Question 23 (medium, multiple choice)

A company has implemented a key risk indicator (KRI) for system availability, with a threshold of 99.5%. The monitoring team observes that availability has dropped to 99.2% for two consecutive months. What is the most appropriate next step?

Question 24 (easy, multiple choice)

During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?

Question 25 (hard, multiple choice)

A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?

Question 26 (medium, multiple choice)

A risk practitioner is reviewing the monitoring reports for a critical business process. The report shows that a key control has a 95% effectiveness rate, but the risk appetite for the associated risk is 98%. What should the practitioner do?

Question 27 (easy, multiple choice)

Which of the following is the primary purpose of a risk and control monitoring program?

Question 28 (hard, multiple choice)

A company has a control that automatically rejects transactions over $10,000. During a review, it is found that 2% of transactions over $10,000 were approved due to a system glitch. The control owner says the glitch has been fixed. What should the risk practitioner do next?

Question 29 (medium, multiple choice)

A risk practitioner is designing a monitoring dashboard for operational risk. Which of the following is the most important consideration?

Question 30 (easy, multiple choice)

An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?

Question 31 (medium, multi select)

Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)

Question 32 (hard, multi select)

Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)

Question 33 (medium, multi select)

Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)

Question 34 (hard, multiple choice)

A global financial services firm has implemented a risk monitoring system that aggregates data from 50+ systems across three regions (Americas, EMEA, APAC). The system uses a centralized data lake and provides dashboards to regional risk committees. Recently, the APAC committee reported that their dashboard shows a spike in cyber risk indicators, but the Americas and EMEA dashboards show no change. The data source for the spike is a single system in APAC that tracks failed VPN logins. The risk owner for that system believes the spike is due to a misconfiguration during a recent patch. However, the APAC risk committee is concerned that this indicates a coordinated attack. The Chief Risk Officer (CRO) wants a clear assessment. Which course of action is most appropriate?

Question 35 (medium, multiple choice)

A medium-sized e-commerce company has a risk monitoring program that tracks key risk indicators (KRIs) monthly. One KRI is the percentage of orders with failed payment transactions. The threshold is 2%, but for the past three months, the KRI has been 2.5%, 3.1%, and 2.8%. The risk owner says this is due to a seasonal increase in fraudulent transactions and expects it to return to normal next month. The company has a compensating control that manually reviews flagged transactions. The internal audit team recently tested the compensating control and found it to be 100% effective. The risk committee wants to know if the KRI breach requires action. What should the risk practitioner recommend?

Question 36 (medium, multiple choice)

A financial institution has implemented a continuous monitoring solution for its core banking application. The monitoring team receives an alert indicating that the average response time for a critical transaction has exceeded the threshold for the past 15 minutes. The transaction volume during this period is within normal range. What should be the FIRST step in the incident response process?

Question 37 (hard, multiple choice)

A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?

Question 38 (easy, multiple choice)

An organization is designing a risk indicator monitoring program for its key financial risks. Which of the following is the BEST example of a key risk indicator (KRI) for credit risk?

Question 39 (medium, multi select)

Which TWO of the following are essential components of an effective control monitoring program?

Question 40 (medium, multiple choice)

You are the risk manager for a healthcare organization that uses an electronic health records (EHR) system. The system has a built-in audit log that records all access to patient data. Recently, the Chief Information Security Officer (CISO) raised a concern that there have been multiple reports of unauthorized access to patient records, but the audit log analysis has not identified any suspicious activity. You have been asked to investigate. Your review of the audit log configuration reveals that the system only logs successful access events, not failed access attempts. Additionally, the log retention period is set to 30 days, and the logs are stored in a flat file on the same server as the EHR application. The monitoring team manually reviews the logs at the end of each month. Which of the following is the MOST significant risk associated with the current monitoring approach?

Question 41 (medium, multi select)

An organization is implementing a continuous monitoring program for its critical IT processes. Which TWO of the following are key indicators that should be included to effectively monitor control performance?

Question 42 (easy, multiple choice)

You are the risk manager at a financial institution that processes online transactions. The organization relies on a legacy system for transaction authorization, which is monitored via manual log reviews performed weekly by a junior analyst. Recently, the internal audit team identified that several unauthorized transactions were not detected for over two weeks. The logs showed that the authorization control failed intermittently due to a known software bug, but the bug had been documented in the risk register with a low residual risk rating. The CRO asks you to recommend the most effective improvement to the control monitoring process. Which of the following would be the BEST course of action?

Question 43 (medium, drag order)

Sequence the steps for conducting a business impact analysis (BIA).

Question 44 (medium, drag order)

Arrange the steps for performing a vulnerability assessment.

Question 45 (medium, matching)

Match each risk assessment method to its characteristic.

Characteristics to match:

- Uses numerical values like ALE and SLE
- Uses ordinal scales like high/medium/low
- Combines numeric values with qualitative scales
- Evaluates risks based on hypothetical events

Question 46 (medium, matching)

Match each information security objective to its description.

Descriptions to match:

- Data is accessible only to authorized parties
- Data is accurate and complete
- Data is accessible when needed
- Actions can be traced to individuals

Question 47 (easy, multiple choice)

A risk manager notices that a key risk indicator (KRI) for network downtime has been steadily increasing over the past three months. The current value is 15% above the risk tolerance threshold. Which of the following is the BEST immediate action?

Question 48 (medium, multiple choice)

A control monitoring system generates an alert when transaction volumes exceed 10,000 per hour. Recently, the system has been generating false positives during peak business hours due to legitimate seasonal spikes. Which of the following is the BEST approach to reduce false positives while maintaining effective monitoring?

Question 49 (hard, multiple choice)

An organization uses a risk appetite statement that limits operational losses to $2 million per quarter. A new risk reporting dashboard shows that current operational losses are $1.8 million with two weeks remaining in the quarter. The head of risk management wants to ensure that losses remain within appetite. Which of the following control monitoring reports would be MOST useful for proactive decision-making?

Question 50 (easy, multiple choice)

Which of the following is the BEST practice for determining the frequency of control monitoring activities?

Question 51 (medium, multiple choice)

A company has implemented an automated control monitoring system that generates alerts when transactions exceed predefined thresholds. The system has been in production for six months. The risk team notices that the number of alerts has been decreasing, while actual control failures have remained constant. Which of the following is the MOST likely cause?

Question 52 (hard, multiple choice)

A risk committee receives a monthly risk report that includes a heat map of inherent risk ratings and a separate list of control deficiencies. The committee members often complain that they cannot easily see which control deficiencies are most critical to address. Which of the following is the BEST improvement to the reporting?

Question 53 (easy, multiple choice)

An organization uses control self-assessments (CSAs) as part of its monitoring program. The results from the latest CSA show that the majority of controls are rated as effective, but an internal audit reveals several control failures in those same areas. What is the MOST likely reason for this discrepancy?

Question 54 (medium, multiple choice)

A company relies on a third-party cloud provider for critical data processing. As part of its vendor risk management program, the company wants to implement continuous monitoring of the provider's controls. Which of the following is the BEST approach?

Question 55 (hard, multiple choice)

A multinational organization uses multiple risk management systems that do not integrate with each other. The risk team manually consolidates data into a spreadsheet for reporting. This process is error-prone and time-consuming. Which of the following is the BEST long-term solution to improve risk monitoring and reporting?

Question 56 (medium, multiple choice)

A risk manager is evaluating the effectiveness of a set of key risk indicators (KRIs). Which TWO of the following are characteristics of effective KRIs?

Question 57 (hard, multiple choice)

An organization is designing a control monitoring program. Which THREE of the following are types of control monitoring activities that should be included?

Question 58 (easy, multiple choice)

Which TWO of the following are best practices for risk reporting to senior management?

Question 59 (medium, multiple choice)

The exhibit shows a log entry from a GRC system. Which of the following is the MOST significant concern regarding this risk score update?

Exhibit:

```
GRC System Log - Risk Score Update
Timestamp: 2024-09-15 14:30:22
Update type: Batch
Risk ID: R-1042
Previous inherent risk score: 12 (High)
Current inherent risk score: 9 (Medium)
Control effectiveness status: Not updated
Risk owner: JSmith
Comment: Change due to mitigation project completion.
```

Question 60 (hard, multiple choice)

The exhibit shows a warning from a control monitoring system. Based on the log, which of the following is the MOST likely control deficiency?

Exhibit:

```
Syslog Alert from Monitoring Tool
Sep 15 10:23:45 server01 monitor[1234]: WARNING: ControlID C-0451 - Transaction Approval Limit exceeded.
Threshold: 50000 USD
Actual: 52300 USD
User: user_id=jsmith, department=Finance
Approver: not assigned
Timestamp: 2024-09-15 10:23:45
```

Question 61 (medium, multiple choice)

The exhibit shows a control monitoring configuration in JSON format. Which of the following is the MOST critical gap in this monitoring setup?

Exhibit:

```
JSON Policy - Control Monitoring Configuration
{
  "controlId": "C-102",
  "monitoringType": "automated",
  "frequency": "daily",
  "dataSource": "transaction_log",
  "threshold": 1000,
  "alertRecipients": ["riskteam@company.com"],
  "escalationLevels": [
    {"level": 1, "condition": "breach_duration > 1 hour", "action": "email"},
    {"level": 2, "condition": "breach_duration > 4 hours", "action": "sms"}
  ],
  "lastTested": "2024-08-15",
  "owner": "Risk Owner"
}
```

Question 62 (medium, multiple choice)

A security control failed to prevent unauthorized access to a sensitive database. The risk owner has been notified. What should the risk practitioner do NEXT?

Question 63 (hard, multiple choice)

A company's key risk indicator (KRI) for 'failed login attempts' has exceeded its threshold by 20%. The control owner reports that a recent firewall change caused false positives. What should the risk practitioner do FIRST?

Question 64 (easy, multiple choice)

During a control self-assessment, an operational manager reports that a manual review control is performed quarterly instead of monthly as documented. What should the risk practitioner do?

Question 65 (medium, multiple choice)

A risk practitioner notices that a key control is tested only once a year, but the associated risk has a high velocity of change. What is the BEST recommendation?

Question 66 (hard, multiple choice)

A board member asks for a summary of the top five risks. The risk practitioner has 10 risks with current residual risk levels. Which approach BEST supports board-level reporting?

Question 67 (easy, multiple choice)

A control test reveals a 100% pass rate for a detective control. What does this indicate?

Question 68 (medium, multiple choice)

An incident occurs due to a control that was thought to be automated but was actually manual. The risk register did not reflect this. What is the MOST likely root cause?

Question 69 (hard, multiple choice)

A risk practitioner is asked to reduce the number of KRIs tracked from 50 to 20. Which KRIs should be prioritized for removal?

Question 70 (easy, multiple choice)

An external audit finds that a control is not operating as designed. The auditor recommends corrective action. What should the risk practitioner do FIRST?

Question 71 (medium, multi select)

Which TWO of the following are appropriate criteria for selecting key risk indicators (KRIs)?

Question 72 (hard, multi select)

Which THREE of the following control monitoring techniques are considered continuous monitoring?

Question 73 (easy, multi select)

Which TWO of the following are key attributes of effective risk reporting?

Question 74 (medium, multiple choice)

An S3 bucket policy is configured as shown. During a monitoring review, the risk practitioner notices that the 'DenyAll' policy is never evaluated because of an explicit allow. What is the MOST likely monitoring gap?

Exhibit:

```
{
  "policies": [
    {"sid": "AllowRead", "effect": "Allow", "principal": "*", "action": ["s3:GetObject"], "resource": "arn:aws:s3:::critical-data/*", "condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}},
    {"sid": "DenyAll", "effect": "Deny", "principal": "*", "action": ["s3:*"], "resource": "arn:aws:s3:::critical-data/*"}
  ]
}
```

Question 75 (hard, multiple choice)

A SIEM event shows multiple failed logins followed by a successful login for the service account 'svc-backup'. The risk practitioner is evaluating the controls. Which finding is MOST significant?

Exhibit (CLI output from SIEM):

```
Event Time: 2024-03-15 08:23:45 UTC
Source IP: 203.0.113.5
User: svc-backup
Action: Failed login (password)
Target: db-admin@company.com
Count: 15 (last 5 minutes)

Event Time: 2024-03-15 08:24:12 UTC
Source IP: 203.0.113.5
User: svc-backup
Action: Successful login (password)
Target: db-admin@company.com
```

Question 76 (easy, multiple choice)

A database error log shows repeated login failures followed by a successful authentication. Which control failure is MOST likely?

Exhibit (error log excerpt):

```
[2024-03-20 14:32:10] ERROR: ORA-01017: invalid username/password; logon denied
At: JDBC Thin Client connection from 192.168.1.100
[2024-03-20 14:32:15] ERROR: ORA-01017: invalid username/password; logon denied
At: JDBC Thin Client connection from 192.168.1.100
[2024-03-20 14:32:20] ERROR: ORA-01017: invalid username/password; logon denied
At: JDBC Thin Client connection from 192.168.1.100
[2024-03-20 14:32:25] ERROR: ORA-01017: invalid username/password; logon denied
At: JDBC Thin Client connection from 192.168.1.100
[2024-03-20 14:32:30] INFO: User 'app_user' authenticated successfully from 192.168.1.100
```

Question 77 (easy, multiple choice)

A financial institution monitors the number of unauthorized access attempts to its core banking system. The risk owner recommends increasing the monitoring frequency from daily to hourly because a recent attack exploited a delayed detection. Which of the following is the PRIMARY benefit of this change?

Question 78 (medium, multiple choice)

A large e-commerce company uses several key risk indicators (KRIs) to monitor credit card fraud. The risk committee noticed that one KRI has been trending above the threshold for three consecutive months, yet no risk response was initiated. Which of the following is the MOST likely root cause?

Question 79 (hard, multiple choice)

A company's risk management team is evaluating the effectiveness of its control monitoring program. They find that many controls are tested at the same time each year, leading to a resource bottleneck. Which of the following approaches would BEST address this issue?

Question 80 (easy, multiple choice)

A risk analyst is reviewing control monitoring results and notices that a detective control has a high false positive rate. What is the BEST action to improve the control's efficiency?

Question 81 (medium, multiple choice)

After a significant cybersecurity incident, the board requests a report on the effectiveness of the security controls that were in place. Which reporting approach would BEST demonstrate the controls' performance?

Question 82 (hard, multiple choice)

An organization uses a risk register that includes inherent risk, control effectiveness, and residual risk. During a quarterly review, the risk owner updates control effectiveness from 'partially effective' to 'effective'. What effect does this have on the residual risk rating?

Question 83 (easy, multiple choice)

A company implements a new automated control to monitor user access rights. The control sends a daily report of any users with excessive privileges. What is the PRIMARY benefit of this control?

Question 84 (medium, multiple choice)

During a risk assessment, a control self-assessment (CSA) indicates that a key control is operating effectively. However, an independent audit finds multiple control failures. Which of the following is the MOST likely reason for this discrepancy?

Question 85 (hard, multiple choice)

A company monitors key risk indicators (KRIs) using a dashboard. The risk manager notices that a KRI has a green status but the underlying control testing shows a high failure rate. What action should the risk manager take FIRST?

Question 86 (easy, multi-select)

A company is designing its risk and control monitoring program. Which TWO of the following are key attributes of effective monitoring?

Question 87 (medium, multi-select)

A risk analyst is reviewing the results of control testing for a critical business process. Which THREE of the following are valid reasons to classify a control as ineffective?

Question 88 (hard, multi-select)

A multinational corporation is implementing continuous monitoring of its compliance with data privacy regulations across multiple jurisdictions. Which TWO of the following are significant challenges to this approach?

Question 89 (easy, multiple choice)

Refer to the exhibit. Based on the KRI data for the current week, what action should the risk manager take FIRST?

Exhibit

KRI: Unauthorized Access Attempts
Threshold: 10 per day (Green), 10-20 (Amber), >20 (Red)
Current Week Data: Mon:5, Tue:8, Wed:12, Thu:15, Fri:9
Question 90 (medium, multiple choice)

Refer to the exhibit. What does this log entry indicate about the monitoring process?

Exhibit

ALERT: SQL Injection Attempt detected from IP 10.0.0.5 to server DB01 at 14:23:45
Action: Blocked by WAF. Alert escalated to SOC. SOC analyst reviewed and determined false positive. Alert closed.
Question 91 (hard, multiple choice)

Refer to the exhibit. This JSON snippet defines a monitoring policy for S3 bucket access. Which of the following is a potential risk that might NOT be detected by this monitoring policy?

Exhibit

{
  "PolicyName": "S3BucketAccessMonitor",
  "Rules": [
    {
      "Effect": "Deny",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::critical-data/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::critical-data/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}}
    }
  ]
}
Question 92 (easy, multiple choice)

A company's control monitoring dashboard shows that a key control has been operating effectively for six months. However, a recent audit revealed a material weakness. Which of the following is the MOST likely reason?

Question 93 (medium, multiple choice)

An organization is designing a risk and control monitoring program for a new cloud-based application. Which of the following is the MOST important factor to consider when selecting Key Risk Indicators (KRIs)?

Question 94 (hard, multiple choice)

A company's internal audit function reports that a detective control (manual review of transactions) is operating effectively based on a sample of 50 transactions showing no issues. However, the continuous monitoring system shows that 100 suspicious transactions were not reviewed during the same period. The control owner argues the control is effective. What is the BEST conclusion?

Question 95 (easy, multiple choice)

A risk owner wants to implement continuous monitoring for a set of critical controls. Which of the following is the PRIMARY benefit of continuous monitoring over periodic testing?

Question 96 (medium, multiple choice)

After a security incident, a company implements a new control and begins monitoring its effectiveness. Which of the following metrics would BEST indicate that the control is achieving its objective?

Question 97 (hard, multiple choice)

A bank's risk committee reviews a monthly risk report that includes KRIs. One KRI shows that the number of failed transactions due to system errors is trending upward. The control owner states that the trend is within the risk appetite. However, the report also shows that the number of customer complaints is stable. What should the risk manager do FIRST?

Question 98 (medium, multi-select)

A company is evaluating its control monitoring program. Which TWO of the following are key elements of an effective control monitoring framework? (Choose two.)

Question 99 (hard, multi-select)

An organization uses a risk and control monitoring system that generates weekly reports. The reports show a key control as 'effective' for the past three months. However, during a recent audit, a significant control failure was discovered. Which TWO of the following are MOST likely root causes for this discrepancy? (Choose two.)

Question 100 (easy, multi-select)

A risk manager is designing monthly risk reports for senior management. Which THREE of the following should be included in an effective risk report? (Choose three.)

Question 101 (medium, multiple choice)

Refer to the exhibit. If the control objective is to prevent unauthorized access via MFA, what does this test result indicate?

Exhibit

{
  "controlTest": {
    "controlId": "AC-01",
    "testId": "T12345",
    "testDate": "2023-06-15",
    "testResult": "pass",
    "notes": "Sample of 30 logins; all authenticated via MFA."
  }
}
Question 102 (hard, multiple choice)

Refer to the exhibit. Based on the exhibit, what is the most appropriate action regarding the control OWF?

Exhibit

[Critical] 2023-07-10 08:15:00 - Intrusion Prevention System Alert: 
  Source IP: 10.0.1.15 (Internal)
  Destination: external malicious IP
  Rule: Outbound Malware Traffic
  Action: Blocked
  Control: Outbound Web Filtering (OWF)
  Prior alerts: 3 in past hour
  Threshold: 5 alerts within 1 hour triggers investigation
Question 103 (easy, multiple choice)

Refer to the exhibit. What does the exhibit most likely indicate about the control monitoring?

Exhibit

control_monitoring_config:
  control_id: CR-02
  monitoring_type: automated
  kpi: "Percentage of transactions reviewed"
  target: 90% (should be 95% per policy)
  current: 94.5%
  trend: stable
Question 104 (medium, multiple choice)

A retail company monitors its key risk indicator (KRI) for credit card transaction fraud. The KRI has exceeded the established threshold for three consecutive days, but the weekly control performance report shows all fraud detection controls operating effectively. What should the risk practitioner do FIRST?

Question 105 (easy, multiple choice)

A manufacturing company's board of directors receives a monthly risk report. Which key performance indicator (KPI) is MOST relevant for the board to assess the effectiveness of internal controls?

Question 106 (hard, multiple choice)

An organization is implementing a new cloud-based customer relationship management (CRM) system. The risk practitioner is designing the control monitoring plan. Which approach BEST ensures continuous monitoring of controls across both the application and infrastructure layers?

Question 107 (easy, multiple choice)

During a quarterly control review, the risk team discovers that a key manual approval control was bypassed in 15% of transactions due to a recent process change. What is the FIRST action the risk practitioner should take?

Question 108 (medium, multiple choice)

A risk practitioner is designing a risk dashboard for the executive team. The organization has a high risk appetite for revenue-generating activities but a low risk appetite for regulatory compliance. Which combination of metrics should be prominently displayed?

Question 109 (hard, multiple choice)

After a control self-assessment (CSA) workshop, business units reported that 80% of controls are operating effectively. However, internal audit's recent testing indicates a 30% control failure rate. What is the BEST explanation for this discrepancy?

Question 110 (easy, multiple choice)

A risk practitioner discovers that a critical control deficiency has been open for six months beyond the agreed remediation date. What is the MOST appropriate reporting action?

Question 111 (medium, multiple choice)

An organization uses a third-party vendor for payment processing. The vendor's latest SOC 2 report shows a significant control exception in logical access. What is the BEST way to monitor the effectiveness of the compensating controls the vendor has implemented?

Question 112 (hard, multiple choice)

A global organization is consolidating risk data from multiple business units into a single enterprise risk management (ERM) system. The risk practitioner notices that KRIs for the same risk type (e.g., cybersecurity) are calculated differently across units. What is the BEST approach to ensure consistent and reliable risk monitoring and reporting?

Question 113 (medium, multi-select)

Which TWO of the following are characteristics of an EFFECTIVE key risk indicator (KRI)?

Question 114 (hard, multi-select)

Which THREE of the following should be included in a board-level risk report to effectively communicate the organization's risk profile?

Question 115 (easy, multi-select)

Which TWO of the following are examples of control monitoring activities?

Question 116 (medium, multiple choice)

Based on the exhibit, which aspect of risk monitoring is MOST concerning?

Exhibit

Refer to the exhibit.

---
Vulnerability Scan Report Excerpt
Target: 192.168.1.100
Vulnerability: CVE-2023-XXXX
Severity: Critical
Status: Open (first detected: 2024-01-15)
Last scan: 2024-04-10
Patches available: Yes
Risk accepted: Yes (by system owner on 2024-02-01)
---
Question 117 (hard, multiple choice)

Based on the exhibit, what control monitoring deficiency is evident in the DLP policy?

Exhibit

Refer to the exhibit.

---
Data Loss Prevention Policy (JSON snippet)
{
  "policyName": "PCI-DSS Policy",
  "rules": [
    {
      "ruleId": 1,
      "condition": "data.type == 'credit_card' && data.destination == 'external_email'",
      "action": "block",
      "alert": true
    },
    {
      "ruleId": 2,
      "condition": "data.type == 'credit_card' && data.size > 1000",
      "action": "block",
      "alert": true
    }
  ],
  "monitoring": {
    "alertDestination": "security_team@company.com",
    "logRetentionDays": 90
  }
}
---
Question 118 (easy, multiple choice)

Based on the exhibit, which key risk indicator (KRI) would this log data be MOST useful for calculating?

Exhibit

Refer to the exhibit.

---
Syslog Message:
Mar 15 09:45:23 auth-server sshd[1234]: Failed password for admin from 10.0.0.5 port 22 ssh2
Mar 15 09:46:10 auth-server sshd[1234]: Failed password for admin from 10.0.0.5 port 22 ssh2
Mar 15 09:46:55 auth-server sshd[1234]: Failed password for admin from 10.0.0.5 port 22 ssh2
---
Question 119 (easy, multiple choice)

A risk manager notices that a key risk indicator (KRI) for failed login attempts has exceeded the threshold for three consecutive weeks. Which of the following should be the FIRST action?

Question 120 (medium, multiple choice)

An organization deployed a new intrusion detection system (IDS) that generates many alerts. The security team is overwhelmed and has started ignoring some alerts. What is the BEST way to address this issue?

Question 121 (hard, multiple choice)

A financial institution is redesigning its control monitoring program to comply with a new regulatory requirement that mandates near-real-time monitoring of high-risk transactions. The current system performs batch processing daily. Which approach BEST meets the requirement while minimizing operational impact?

Question 122 (easy, multiple choice)

When reporting risk and control monitoring results to the board of directors, which of the following formats is MOST effective?

Question 123 (medium, multiple choice)

An internal audit found that a control designed to prevent duplicate payments was bypassed in 5% of transactions. The control owner argues that the control is still effective because the bypass rate is low. What is the BEST response from a risk perspective?

Question 124 (hard, multiple choice)

A company's control monitoring shows that a detective control has been 100% effective for the past year. However, a recent incident revealed that a data breach went undetected for three months. What is the MOST likely cause?

Question 125 (easy, multiple choice)

An organization defines its risk appetite as 'no more than one major security incident per year.' During the year, a major incident occurs. The monitoring team reports this to the risk committee. What should be the NEXT step?

Question 126 (medium, multiple choice)

A company uses a third-party vendor to process customer data. The vendor's security control monitoring reports show no issues. However, the company's internal monitoring detects anomalies in vendor response times. What is the BEST interpretation?

Question 127 (hard, multiple choice)

An organization is considering moving from periodic control testing to continuous monitoring for its critical financial controls. What is the PRIMARY benefit of this transition?

Question 128 (medium, multi-select)

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

Question 129 (hard, multi-select)

Which THREE of the following are best practices for reporting risk and control monitoring results to stakeholders?

Question 130 (easy, multi-select)

Which TWO of the following factors should be considered when determining the frequency of control monitoring?

Question 131 (medium, multiple choice)

Refer to the exhibit. A security analyst reviews firewall logs and sees repeated authentication failures for VPN tunnel attempts between two IP addresses. What is the MOST appropriate action?

Exhibit

Feb 15 09:23:45 fw01 %ASA-4-722041: Tunnel negotiation failed to/from IP 203.0.113.5 to 198.51.100.20 due to authentication failure.
Feb 15 09:24:12 fw01 %ASA-4-722041: Tunnel negotiation failed to/from IP 203.0.113.5 to 198.51.100.20 due to authentication failure.
Feb 15 09:24:50 fw01 %ASA-4-722041: Tunnel negotiation failed to/from IP 203.0.113.5 to 198.51.100.20 due to authentication failure.
Question 132 (hard, multiple choice)

Refer to the exhibit. A risk analyst is reviewing an AWS S3 bucket policy. What is the MOST significant control monitoring gap in this policy?

Exhibit

{
  "AccessControlPolicy": {
    "Version": "1.0",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::critical-data/*",
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "10.0.0.0/8"
          }
        }
      },
      {
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::critical-data/*",
        "Condition": {
          "Bool": {
            "aws:SecureTransport": "false"
          }
        }
      }
    ]
  }
}
Question 133 (easy, multiple choice)

Refer to the exhibit. A SIEM correlation rule 'Brute_Force_SSH' has fired excessively due to traffic from internal monitoring servers. What is the BEST course of action?

Exhibit

2024-03-01 10:15:23 ERROR [SIEM] Correlation rule 'Brute_Force_SSH' triggered 1500 times in the last hour. Source IPs: 10.0.0.34, 10.0.0.56, 10.0.0.78. Investigation reveals these are internal monitoring servers.
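The pattern in Questions 75, 76 and 118 (a burst of failures followed by a success from the same source and account) and the tuning problem in Question 133 (a correlation rule flooded by known internal monitoring servers) can both be expressed in one small detector. The following is an added example, not code from the page or from any SIEM vendor: it parses OpenSSH syslog lines of the form shown in the Question 118 exhibit, raises an alert when at least N failures precede a success within a time window for the same (source, user) pair, and skips sources on an allow-list. The sample log, the year 2024 (syslog timestamps carry no year), the thresholds and the allow-listed address are constructed assumptions; the ORA-01017 lines of Question 76 and the SIEM summary of Question 75 would need their own parsers but feed the same detection logic.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the page): the three sshd lines of the Question 118
# exhibit, a success from the same source, a burst from an internal host standing in
# for the monitoring servers of Question 133, and one unrelated line to be ignored.
SAMPLE_SYSLOG = """\
Mar 15 09:45:23 auth-server sshd[1234]: Failed password for admin from 10.0.0.5 port 22 ssh2
Mar 15 09:46:10 auth-server sshd[1234]: Failed password for admin from 10.0.0.5 port 22 ssh2
Mar 15 09:46:55 auth-server sshd[1234]: Failed password for admin from 10.0.0.5 port 22 ssh2
Mar 15 09:47:30 auth-server sshd[1235]: Accepted password for admin from 10.0.0.5 port 22 ssh2
Mar 15 09:50:01 auth-server sshd[1301]: Failed password for root from 10.0.0.34 port 22 ssh2
Mar 15 09:50:02 auth-server sshd[1302]: Failed password for root from 10.0.0.34 port 22 ssh2
Mar 15 09:50:03 auth-server sshd[1303]: Failed password for root from 10.0.0.34 port 22 ssh2
Mar 15 09:50:04 auth-server sshd[1304]: Accepted publickey for root from 10.0.0.34 port 22 ssh2
Mar 15 09:51:00 auth-server CRON[2001]: (root) CMD (run-parts /etc/cron.hourly)
"""

# OpenSSH auth messages: "Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_events(text, year=2024):
    """Return (timestamp, src, user, success, method) tuples for sshd auth lines.

    Assumption: classic syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # another daemon, or a line this parser does not understand
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["outcome"] == "Accepted", m["method"]))
    return events


def detect_success_after_failures(events, min_failures=3, window_s=300, allowlist=frozenset()):
    """Alert when a success for (src, user) follows >= min_failures failures within window_s.

    Sources on the allow-list (known scanners, monitoring servers) are skipped outright;
    that suppresses the Question 133 noise without raising the threshold for everyone else.
    """
    failures = defaultdict(list)
    alerts = []
    for ts, src, user, success, method in sorted(events):
        if src in allowlist:
            continue
        key = (src, user)
        if not success:
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            alerts.append({"src": src, "user": user, "failures": len(recent),
                           "method": method, "success_at": ts.isoformat()})
        failures[key].clear()  # a success closes the episode either way
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_SYSLOG)
    print("untuned:", detect_success_after_failures(events))
    print("tuned:  ", detect_success_after_failures(events, allowlist=frozenset({"10.0.0.34"})))
```

Suppressing by source keeps the rule's sensitivity for every other host, whereas raising min_failures globally would also hide a slow, patient attacker. Allow-list entries are themselves a control and need periodic review, since a compromised monitoring server would inherit the exemption.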
Question 134 (medium, multiple choice)

A risk manager notices that a key risk indicator (KRI) has been consistently above the threshold for three months. What should be the first action?

Question 135 (hard, multiple choice)

After a major system upgrade, the control testing team reports that a critical automated control failed intermittently. The control owner states it's a temporary glitch. What is the best course of action?

Question 136 (easy, multiple choice)

Which of the following is the PRIMARY benefit of using a risk register for monitoring?

Question 137 (medium, multiple choice)

A control owner reports that a control is operating effectively, but the internal audit found a deficiency. What should the risk manager do?

Question 138 (hard, multiple choice)

During a quarterly risk review, it is discovered that a previously accepted risk has materialized due to a change in the external environment. What is the MOST appropriate response?

Question 139 (easy, multiple choice)

What is the primary purpose of a control self-assessment (CSA)?

Question 140 (medium, multiple choice)

A bank's fraud detection system generates an alert for a transaction, but subsequent investigation finds it false. What should be done?

Question 141 (hard, multiple choice)

A company uses a dashboard to monitor KRIs. One KRI shows a warning level, but the data is two months old. What is the primary concern?

Question 142 (easy, multiple choice)

Which of the following is an example of a leading indicator?

Question 143 (medium, multi-select)

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

Question 144 (hard, multi-select)

Which THREE of the following are common challenges in risk reporting?

Question 145 (medium, multi-select)

Which THREE are best practices for control monitoring?

Question 146 (medium, multiple choice)

Refer to the exhibit. What is the most appropriate immediate action for the control failure?

Exhibit

2025-03-15 14:23:45 ERROR [compliance.monitor] Control ID: CTRL-042 status: FAILURE. Expected: PASS. Action: Manual review required.
2025-03-15 14:25:10 INFO [compliance.monitor] Control ID: CTRL-042 status: PASS. Action: None.
2025-03-15 14:30:00 WARN [risk.engine] KRI: KR-007 value: 78.5 (Threshold: 50-75). Alert level: HIGH.
Question 147 (hard, multiple choice)

A large financial institution has implemented a risk monitoring framework that includes KRIs for operational risk. Recently, a critical KRI related to trade settlement errors has been showing an upward trend, but it remains within the approved threshold. The risk manager is concerned because the trend indicates potential control degradation. The control owner argues that since the KRI is still within threshold, no action is needed. The risk manager wants to determine the best course of action to address the trend before it breaches the threshold. The organization's risk policy requires proactive monitoring. What should the risk manager do?

Question 148 (medium, multiple choice)

A retail company uses a third-party vendor for payment processing. The vendor's service level agreement (SLA) requires 99.9% uptime. Recently, there were two incidents of downtime totaling 0.2% in a month, still within the SLA. However, the company's internal risk monitoring detected a pattern of increasing minor incidents. The vendor insists the SLA is met. The risk manager must decide on monitoring and reporting. The company's board wants to understand the risk. What is the best course of action?

Question 149 (easy, multiple choice)

A risk manager notices that a key risk indicator (KRI) for system downtime has exceeded the threshold for two consecutive months. What is the MOST appropriate immediate action?

Question 150 (medium, multiple choice)

An organization has implemented a continuous monitoring solution for its critical applications. The IT team reports that the monitoring tool generates a high volume of false positives. What is the BEST course of action?

Question 151 (hard, multiple choice)

A company uses a risk control self-assessment (RCSA) process that is conducted annually. During a quarterly review, management discovers that several high-risk controls are no longer effective due to changes in the business environment. Which of the following is the BEST way to enhance the monitoring of these controls?

Question 152 (easy, multiple choice)

A risk analyst is reviewing monthly control test results. One control failed testing twice in a row. What is the FIRST step the analyst should take?

Question 153 (medium, multiple choice)

An organization is designing a risk dashboard for senior management. Which of the following is the MOST important characteristic of the key risk indicators (KRIs) displayed?

Question 154 (hard, multiple choice)

A financial institution has a control that manually reviews all wire transfers over $10,000. During an audit, it was found that the review is completed within 24 hours for 95% of transactions, but the target is 99%. The process owner wants to improve the control's effectiveness. Which of the following would be the MOST effective remediation?

Question 155 (easy, multiple choice)

During a control monitoring review, a risk analyst discovers that the control owner has not been performing the required monthly reconciliations. What should the analyst do FIRST?

Question 156 (medium, multiple choice)

A company is implementing a new continuous monitoring tool for its network security controls. Which of the following is the MOST important step to ensure the tool provides meaningful risk information?

Question 157 (medium, multi-select)

Which TWO of the following are primary purposes of risk and control monitoring? (Choose two.)

Question 158 (hard, multi-select)

Which THREE of the following are key considerations when designing a risk reporting framework? (Choose three.)

Question 159 (easy, multi-select)

Which TWO of the following are examples of key risk indicators (KRIs) in an IT environment? (Choose two.)

Question 160 (hard, multiple choice)

You are the risk manager for a multinational corporation that relies heavily on a cloud-based ERP system. The system is critical for financial reporting and supply chain management. Recently, the company experienced a significant increase in the number of failed user authentication attempts, which were traced to a misconfiguration in the identity management module. The misconfiguration was detected by the security operations center (SOC) through log analysis, but it took three days to identify and resolve. The root cause was a change made by a cloud administrator without following the change management process. The incident resulted in a temporary denial of service for external users. The company's risk appetite for system availability is low, with a tolerance for downtime of no more than one hour per month. The current monitoring controls include quarterly access reviews and SOC monitoring of logs with a 24-hour review cycle. The board has requested a report on the incident and recommendations to prevent recurrence. What is the MOST effective recommendation to improve monitoring and reduce the likelihood of similar incidents?

Question 161 (medium, multiple choice)

A retail company uses a manual control to verify that all credit card transactions are processed by authorized payment terminals. The control requires a store manager to compare a daily transaction log against a list of approved terminal IDs. The company processes an average of 10,000 transactions per day across 200 stores. During a recent internal audit, it was found that 15% of stores had not completed the reconciliation for the past month. The audit also revealed that several unauthorized terminals had been used to process transactions, resulting in a data breach of customer payment information. The company's risk appetite for payment card data security is very low. The current monitoring approach includes a quarterly review of control performance by the internal audit team. The risk manager needs to recommend improvements to the monitoring of this control. Which of the following is the BEST recommendation?

Question 162 (easy, multiple choice)

A technology company has implemented a risk and control monitoring program for its software development lifecycle. The program includes key risk indicators (KRIs) such as number of critical bugs found in production, code review coverage, and time to patch vulnerabilities. After six months, the risk committee noticed that the KRI for code review coverage is consistently green (within threshold), but the number of critical bugs in production remains high. The risk manager suspects a disconnect between the KRI and actual risk. What should the risk manager do FIRST?

Question 163 (medium, multiple choice)

A healthcare organization is subject to strict regulatory requirements regarding patient data privacy. The organization has a control that requires all access to patient records to be logged and reviewed weekly by the compliance team. The review is currently performed manually by sampling 10% of the logs. The compliance team reports that the review takes 20 hours per week and they are often unable to complete it on time. As a result, some suspicious access patterns are detected weeks after they occur. The risk manager needs to propose an improvement to the monitoring process. The organization's risk appetite for undetected unauthorized access is very low. Which of the following is the MOST effective recommendation?

Question 164easymulti select

A financial institution is implementing a new continuous monitoring solution for its transaction processing systems. The solution generates alerts for suspicious activities. Which TWO of the following are essential considerations when defining the alert thresholds?

Question 165 (medium, multi select)

An organization recently experienced a significant security incident that was not detected by existing monitoring controls. The risk team is reviewing the effectiveness of the control monitoring framework. Which THREE of the following are key factors that should be evaluated to improve detection capabilities?

Question 166 (easy, multiple choice)

A mid-sized retail company processes over 1 million credit card transactions daily. It uses an automated monitoring system with static thresholds to flag potential fraud. Recently, the fraud detection team has been overwhelmed by a 40% increase in false positive alerts, causing legitimate transactions to be delayed and customer service complaints to rise. The risk manager is tasked with improving the situation. After reviewing the alert logs, it is clear that the thresholds have not been updated in 18 months, and transaction patterns have shifted due to seasonal promotions and new payment methods. The team has limited resources and cannot handle the current alert volume. What should the risk manager recommend as the most effective course of action?

Question 167 (medium, multiple choice)

A healthcare organization operates a legacy electronic health record (EHR) system that is manually monitored for access anomalies by a small IT team. The organization is planning to migrate to a new cloud-based EHR with integrated logging and monitoring. However, due to budget constraints, the migration will take two years. In the interim, the risk manager wants to improve monitoring for unauthorized access to patient data. The current manual process involves weekly log reviews, but recent audits have identified instances of delayed detection (up to two weeks) and missed incidents. The IT team can dedicate only 10 additional hours per week for monitoring. What is the best approach to enhance monitoring during the transition period?

Question 168 (hard, multiple choice)

A multinational corporation operates in 15 countries with decentralized control monitoring systems. Each regional office uses different tools and processes for monitoring operational risks. The corporate risk team has consolidated quarterly reports, but the board recently raised concerns about inconsistencies and late identification of emerging risks. A root cause analysis revealed that regional monitoring teams define key risk indicators (KRIs) differently and report on different timeframes. Additionally, there is no centralized platform to aggregate data. The risk manager must recommend a solution that balances local autonomy with global visibility. Which option is the most effective?

Question 169 (medium, multiple choice)

A manufacturing company uses Internet of Things (IoT) sensors to monitor equipment temperature and vibration on the production floor. The sensor data is automatically sent to a central system, but there is a manual log maintained by operators that records their visual inspections. Recently, there have been instances where the sensor data indicated abnormal readings, but the operator logs showed normal conditions, leading to delayed maintenance actions and two equipment breakdowns. The risk manager investigates and finds that operators sometimes forget to update logs or misinterpret sensor alerts. The company wants to improve the reliability of the monitoring process. What should be the primary action?

Question 170 (hard, multiple choice)

A large financial services firm recently deployed a new security information and event management (SIEM) system to monitor thousands of servers, network devices, and applications. The system is generating over 1,000 alerts per hour, of which 80% are false positives. The security operations center (SOC) team is overwhelmed and has started ignoring all but the most critical alerts. As a result, a real attack recently went undetected for 48 hours. The risk manager is asked to recommend improvements. The SOC team has 12 analysts working in shifts. The SIEM is properly configured but the correlation rules are broad and noisy. The firm cannot add more staff due to budget freeze. What should the risk manager prioritize?

Question 171 (easy, multiple choice)

A small online retailer with 15 employees sells handmade crafts through its e-commerce website. The company processes payments via a third-party gateway. The owner manually reviews transaction logs once a week for fraud indicators, but recently discovered three chargebacks due to unauthorized transactions. The retailer has limited IT budget and no dedicated security staff. The owner wants to improve detection of fraudulent transactions without significant investment. The current manual process takes about two hours per week and often results in delayed detection. The payment gateway offers basic fraud detection features such as IP geolocation and velocity checks, but these are not enabled. What is the most practical first step?

Question 172 (hard, multiple choice)

A large bank has implemented a sophisticated risk and control monitoring system with multiple dashboards and automated reporting for key risk indicators (KRIs). However, the board of directors has been receiving conflicting KRI reports from different business units (e.g., retail banking, corporate lending, and wealth management). For example, the fraud KRI shows a high risk in retail but low risk in wealth management, yet both units use the same underlying data source. The chief risk officer (CRO) is concerned that the board is losing confidence in the risk reporting. An investigation reveals that each business unit defines and calculates KRIs differently, uses different thresholds, and reports on different schedules. What is the most likely root cause and the best remediation?

Question 173 (easy, multi select)

A risk manager is designing a monitoring and reporting framework. Which THREE of the following are essential components of an effective risk and control monitoring program?

Question 174 (hard, multiple choice)

Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?

Exhibit

Risk Control Matrix (RCM) Extract - Control Test Results
Date: 2024-11-20
Process: Order-to-Cash
Test ID: OTC-001
Control Description: Segregation of duties between order entry and credit approval.
Test Result: FAIL
Finding: User ID 'jdoe' performed both order entry and credit approval on transaction ID 78965.
Test ID: OTC-002
Control Description: Automatic validation of credit limit within ERP.
Test Result: PASS
Test ID: OTC-003
Control Description: Monthly reconciliation of accounts receivable.
Test Result: NOT TESTED

Question 175 (medium, multiple choice)

A regional bank uses a centralized GRC platform to monitor key risk indicators (KRIs) for operational risk. The chief risk officer (CRO) reviews the monthly risk report and notices that the KRI 'number of system outages exceeding 4 hours' has been consistently reported as 0 for the past six months. However, the IT incident log shows three such outages in the same period. The CRO suspects the KRI is not being accurately reported. What should the risk manager do next?
