CCNA Risk and Control Monitoring and Reporting Questions

75 of 175 questions · Page 2/3 · Risk and Control Monitoring and Reporting · Answers revealed

76
MCQ · medium

A company is implementing a new continuous monitoring tool for its network security controls. Which of the following is the MOST important step to ensure the tool provides meaningful risk information?

A.Configure the tool to generate real-time alerts for all events.
B.Provide training to all users on how to interpret the tool's output.
C.Ensure the tool is integrated with the existing SIEM system.
D.Align the tool's monitoring parameters with key risk indicators and critical controls.
Answer: D

Alignment ensures the tool focuses on what matters for risk management.

Why this answer

Option D is correct because the tool must be configured to monitor the key controls that address high-risk areas before its output can say anything meaningful about risk. Option A is wrong because real-time alerts are useful but not the most important step if they fire on irrelevant controls. Option C is wrong because SIEM integration is an operational convenience, not a prerequisite for meaningful risk information.

Option B is wrong because training is important but secondary to proper configuration.

77
MCQ · medium

A risk practitioner is reviewing the monitoring reports for a critical business process. The report shows that a key control has a 95% effectiveness rate, but the risk appetite for the associated risk is 98%. What should the practitioner do?

A.Accept the current effectiveness as it is close to the target.
B.Immediately escalate to senior management.
C.Recommend enhancements to the control to improve effectiveness.
D.Reduce the risk appetite to 95%.
Answer: C

Aligns control with risk appetite.

Why this answer

Option C is correct because the control effectiveness (95%) is below the risk appetite threshold (98%), meaning the residual risk exceeds the acceptable level. The practitioner should recommend enhancements to close this gap, as accepting the current state would violate risk appetite. This aligns with the principle that controls must be improved when monitoring shows performance below the defined tolerance.

Exam trap

The trap here is that candidates may think 'close enough' (Option A) is acceptable, but CRISC requires strict adherence to risk appetite thresholds, not approximations.

How to eliminate wrong answers

Option A is wrong because accepting a 95% effectiveness when the risk appetite is 98% means the residual risk is above the acceptable threshold, which is not permissible; 'close to the target' is not sufficient in risk management. Option B is wrong because immediate escalation to senior management is premature; the practitioner should first analyze the gap and recommend control improvements, as escalation is reserved for critical failures or when remediation is beyond the practitioner's authority. Option D is wrong because reducing the risk appetite to match the current control performance is a reactive and inappropriate approach; risk appetite is set by the board and should drive control improvement, not be lowered to accommodate weak controls.

78
Multi-Select · hard

Which THREE of the following are best practices for reporting risk and control monitoring results to stakeholders?

Select 3 answers
A.Tailor the report to the audience's level of understanding.
B.Include trend analysis and comparisons to thresholds.
C.Include detailed technical logs for each control.
D.Provide reports only when issues occur.
E.Highlight changes in risk exposure and control effectiveness.
Answers: A, B, E

Customization improves comprehension.

Why this answer

Options A, B, and E are correct: reports should be tailored to the audience, show trends against thresholds, and highlight changes in risk exposure and control effectiveness. Option C is wrong because detailed technical logs are not appropriate for most stakeholders and bury the risk message. Option D is wrong because reporting should be consistent and periodic, not ad hoc.

79
MCQ · medium

A retail company uses a third-party vendor for payment processing. The vendor's service level agreement (SLA) requires 99.9% uptime. Recently, there were two incidents of downtime totaling 0.2% in a month, still within the SLA. However, the company's internal risk monitoring detected a pattern of increasing minor incidents. The vendor insists the SLA is met. The risk manager must decide on monitoring and reporting. The company's board wants to understand the risk. What is the best course of action?

A.Request a root cause analysis from the vendor and monitor trend more closely, reporting to board if trend worsens.
B.Terminate the vendor contract.
C.Increase the SLA penalty.
D.Accept the vendor's assurance as SLA is met.
Answer: A

Proactive management of increasing incidents aligns with risk monitoring best practices.

Why this answer

Option A is correct. The increasing trend of incidents indicates rising risk even though the SLA is met; requesting a root cause analysis and monitoring the trend allows proactive management and keeps the board informed if the trend worsens.

Option D ignores the trend. Option B is drastic. Option C may not address the root cause.

80
MCQ · medium

The exhibit shows a control monitoring configuration in JSON format. Which of the following is the MOST critical gap in this monitoring setup?

A.The control was last tested over a month ago
B.The data source 'transaction_log' is not specific enough
C.The monitoring frequency is set to daily, which may miss real-time breaches
D.There is no action defined for when the threshold is first breached
Answer: D

The escalation levels only trigger after 1 and 4 hours, but no action on initial breach.

Why this answer

Option D is correct because the configuration lacks a defined breach action for the initial alert (when the threshold is first exceeded) and only defines escalation actions. Option A is wrong because the test date is recent. Option C is wrong because the frequency is daily, which is consistent with the control as designed.

Option B is wrong because the data source is specified.

81
Multi-Select · medium

Which TWO of the following are appropriate actions when a control deficiency is identified during monitoring? (Select exactly two.)

Select 2 answers
A.Increase the risk appetite
B.Document the deficiency and its impact
C.Assign a remediation plan with deadlines
D.Ignore if the deficiency is minor
E.Immediately terminate the control owner
Answers: B, C

Proper documentation is essential.

Why this answer

Option B is correct because documenting the deficiency and its impact is a fundamental step in the risk and control monitoring process. It ensures that the nature, severity, and potential consequences of the control failure are formally recorded, which is essential for risk assessment, reporting, and audit trails. Without this documentation, the organization cannot properly evaluate the risk exposure or justify remediation efforts. Option C is correct because a remediation plan with owners and deadlines turns the finding into tracked corrective action that can be followed up in later monitoring cycles.

Exam trap

The trap here is that candidates may confuse 'immediate termination' (Option E) with accountability, but CRISC emphasizes corrective and preventive actions over punitive measures, and ignoring minor deficiencies (Option D) violates the principle of continuous monitoring.

82
MCQ · hard

A company's control monitoring shows that a detective control has been 100% effective for the past year. However, a recent incident revealed that a data breach went undetected for three months. What is the MOST likely cause?

A.The control failure occurred but was not recorded.
B.The monitoring frequency was insufficient to detect the breach.
C.The control was not designed to detect the type of breach that occurred.
D.The control monitoring logs were tampered with.
Answer: C

Control scope may be narrow.

Why this answer

Option C is correct because a control can be reported as 100% effective against the scenarios it was designed and tested for while the breach used a vector outside that scope; the monitoring then faithfully measured the wrong thing. Option A is less likely because it presumes a second, independent failure (in recording) on top of the control failure, with nothing in the scenario to suggest one. Option B is wrong because insufficient monitoring frequency would show up as delayed detection, not as a breach the control never saw at all over three months while monitoring reported no failures.

Option D is wrong because log tampering is the least likely explanation absent any evidence that the monitoring system itself was compromised.

83
MCQ · medium

An organization has implemented a new key risk indicator (KRI) for vendor management that measures the percentage of vendors without a signed contract. The current value is 15%, exceeding the risk appetite threshold of 10%. The risk owner wants to know the most appropriate action to take based on this KRI. What should the risk practitioner recommend?

A.Increase the frequency of KRI reporting from monthly to weekly to monitor the trend.
B.Update the risk appetite threshold to 15% to align with the current value.
C.Immediately communicate the KRI breach to the board of directors.
D.Analyze the root cause of the high percentage and develop a remediation plan.
Answer: D

Root cause analysis and remediation are the correct first steps when a KRI exceeds threshold.

Why this answer

Option D is correct because when a KRI exceeds the risk appetite threshold, the immediate priority is to understand why the breach occurred and to implement corrective actions. Analyzing the root cause and developing a remediation plan directly addresses the underlying issue—vendors without signed contracts—rather than merely monitoring or adjusting thresholds. This aligns with the CRISC principle that KRIs are leading indicators that should trigger risk response, not just reporting changes.

Exam trap

The trap here is that candidates often confuse monitoring actions (like increasing reporting frequency) with risk response actions, or they mistakenly believe that adjusting the threshold to match the current value is a valid risk treatment instead of recognizing it as risk acceptance without proper analysis.

How to eliminate wrong answers

Option A is wrong because increasing reporting frequency from monthly to weekly only monitors the trend without addressing the root cause or reducing the percentage; it is a monitoring action, not a risk treatment action. Option B is wrong because updating the risk appetite threshold to match the current value eliminates the KRI's purpose as an early warning indicator and effectively accepts the risk without analysis or remediation. Option C is wrong because immediate communication to the board is premature before root cause analysis and remediation planning; escalation is appropriate only after the risk owner has assessed the situation and determined the severity.

84
MCQ · medium

A risk officer is evaluating the effectiveness of a control that prevents unauthorized changes to configuration files. The control has not detected any unauthorized changes in the past year. What does this indicate?

A.The control is unnecessary because no changes occurred.
B.The control is not configured correctly to detect changes.
C.The control is operating effectively and no violations occurred.
D.Further testing is needed to determine control effectiveness.
Answer: D

Requires validation to confirm.

Why this answer

The absence of detected unauthorized changes does not automatically confirm control effectiveness; it could also indicate that the control is not properly configured to detect changes (e.g., missing file integrity monitoring rules, incorrect baseline, or disabled logging). Further testing—such as manually introducing a test change or reviewing audit logs—is required to verify that the control can actually detect violations. This aligns with CRISC best practices for validating control effectiveness through testing rather than relying solely on absence of alerts.

Exam trap

The trap here is that candidates assume 'no detected violations' equals 'control is effective,' but CRISC emphasizes that absence of evidence is not evidence of absence—further testing is required to rule out detection failures.

How to eliminate wrong answers

Option A is wrong because the control's purpose is to detect unauthorized changes, and the fact that no changes were detected does not prove no changes occurred—it could mean the control missed them. Option B is wrong because while misconfiguration is a possible cause, it is not the only explanation; the control could be correctly configured but simply not have been triggered due to a lack of violations, so concluding misconfiguration without evidence is premature. Option C is wrong because the absence of detected violations does not confirm control effectiveness; it only indicates that no violations were recorded, which could be due to the control failing to detect them (e.g., a false negative scenario).
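The verification step this question calls for, as an added example that is not part of the original page: a minimal hash-baseline file integrity check plus a self-test that deliberately introduces changes and confirms the detector actually raises them. The directory layout and file contents are constructed for the example; a real deployment would baseline configuration directories and web roots.

```python
"""File-integrity monitoring with a detection self-test (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every regular file under root, keyed by POSIX relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots. Any non-empty list is a finding the control must raise."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def self_test() -> dict[str, list[str]]:
    """Prove the detector fires by injecting known changes into a scratch tree.

    The files below are constructed for the example (not real system files).
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Step 1: a rescan with nothing changed must be clean (no false positives).
        if any(compare(baseline, build_baseline(root)).values()):
            raise RuntimeError("detector raised a finding on an unchanged tree")

        # Step 2: introduce the test changes, then rescan. Empty lists here would
        # mean "no alerts in a year" was a detection failure, not a clean year.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "rc.local").write_text("# constructed unauthorized addition\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in self_test().items():
        print(f"{kind}: {paths or 'none'}")
```

The self-test is the point: run the unchanged rescan first to rule out false positives, then the seeded change to rule out false negatives. Only a detector that passes both halves supports a claim of effectiveness.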

85
MCQ · easy

An organization uses control self-assessments (CSAs) as part of its monitoring program. The results from the latest CSA show that the majority of controls are rated as effective, but an internal audit reveals several control failures in those same areas. What is the MOST likely reason for this discrepancy?

A.The CSA scope was narrower than the audit scope
B.The CSA questionnaire contained documentation errors
C.The inherent risk level of the processes decreased after the CSA
D.CSA respondents may have a bias toward reporting favorable results
Answer: D

Self-assessment can lead to overly optimistic ratings.

Why this answer

Option D is correct because CSAs are completed by the control owners themselves, who have an incentive, conscious or not, to rate their own controls favorably. Option B is wrong because documentation errors in the questionnaire would be random rather than systematically favorable, and would not explain failures concentrated in areas rated effective. Option C is wrong because a change in inherent risk does not change whether a control operated effectively.

Option A is wrong because the audit found failures in the same areas the CSA covered, so a scope difference does not explain the discrepancy.

86
MCQ · hard

A company's risk management team is evaluating the effectiveness of its control monitoring program. They find that many controls are tested at the same time each year, leading to a resource bottleneck. Which of the following approaches would BEST address this issue?

A.Increase the testing team size
B.Stagger testing cycles across the year
C.Implement continuous monitoring automation
D.Reduce the number of controls tested
Answer: B

Spreading testing evenly throughout the year reduces peak loads and optimizes resource use.

Why this answer

Option B is correct because staggering testing cycles spreads the workload throughout the year and removes the peak. Option D reduces coverage, potentially increasing risk. Option C is good practice, but implementing continuous monitoring automation is costly and does not directly address the scheduling bottleneck.

Option A is a temporary fix that adds cost without addressing the root cause, which is scheduling.

87
MCQ · easy

Refer to the exhibit. Based on the KRI data for the current week, what action should the risk manager take FIRST?

A.Adjust the KRI threshold to 15 per day to reduce false positives.
B.Continue monitoring as all days are within Green or Amber.
C.Investigate Wednesday and Thursday spikes as they are above the Green threshold.
D.Escalate to the risk committee because the threshold was breached.
Answer: C

Amber days should be analyzed to understand root causes and prevent escalation to Red.

Why this answer

Option C is correct. Wednesday (12) and Thursday (15) are in the Amber zone (10-20), indicating a need for investigation. Option D is premature because the Red threshold (>20) was not breached.

Option B ignores the Amber days. Option A suggests adjusting the threshold without understanding the cause of the spikes.

88
Multi-Select · hard

An organization is designing a control monitoring program. Which THREE of the following are types of control monitoring activities that should be included?

A.Periodic internal audits of control processes
B.Defining risk appetite statements
C.Continuous automated monitoring of transactions
D.Penetration testing of critical systems
E.Control self-assessments performed by process owners
Answers: A, C, E

Internal audits provide independent assurance on control effectiveness.

Why this answer

Options A, C, and E are correct. Control monitoring includes periodic internal audits (A), continuous automated monitoring (C), and control self-assessments (E). Option D is wrong because penetration testing is a point-in-time assessment, not a distinct type of ongoing monitoring activity.

Option B is wrong because risk appetite is a boundary, not a monitoring activity.

89
Multi-Select · medium

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

Select 2 answers
A.Based on historical data only.
B.Predictive in nature.
C.Quantifiable.
D.Static.
E.Subjective.
Answers: B, C

A predictive KRI provides early warning of increasing risk.

Why this answer

Effective KRIs are predictive and quantifiable, so Options B and C are correct. Options A, D, and E are not characteristics of effective KRIs: an indicator based only on historical data lags the risk, a static indicator is never revisited as the environment changes, and a subjective one cannot be measured consistently.

90
Multi-Select · hard

An organization uses a risk and control monitoring system that generates weekly reports. The reports show a key control as 'effective' for the past three months. However, during a recent audit, a significant control failure was discovered. Which TWO of the following are MOST likely root causes for this discrepancy? (Choose two.)

Select 2 answers
A.The reporting system had a data integrity issue.
B.The control owner was not reporting accurately.
C.The monitoring frequency was too low.
D.The control test sample was not representative.
E.The KRI thresholds were set too high.
Answers: D, E

A non-representative sample can miss failures.

Why this answer

Options D and E are correct. KRI thresholds set too high would prevent alerts even when failures occur, and a non-representative test sample would miss failures in the rest of the population. Option A is possible but less likely, since a data integrity issue in the reporting system would typically affect more than one control.

Option C is possible, but three months of consistent "effective" results suggests frequency is not the issue. Option B could be a cause but is less specific than D and E.

91
MCQ · medium

An organization uses a third-party vendor for payment processing. The vendor's latest SOC 2 report shows a significant control exception in logical access. What is the BEST way to monitor the effectiveness of the compensating controls the vendor has implemented?

A.Accept the risk and apply a monetary penalty to the vendor.
B.Immediately terminate the vendor contract and switch to a new payment processor.
C.Request the vendor to include a clause in the contract that holds them liable for any breaches.
D.Obtain the vendor's remediation plan and schedule a follow-up assessment to verify the compensating controls.
Answer: D

Proactive monitoring of the vendor's corrective actions.

Why this answer

Option D is correct because reviewing the vendor's remediation plan and conducting a follow-up assessment verifies the effectiveness of the compensating controls. Option B is wrong because switching vendors may not be feasible immediately and does not answer the monitoring question. Option C is wrong because a liability clause is contractual, not monitoring.

Option A is wrong because a penalty does not ensure control effectiveness.

92
Multi-Select · medium

Which TWO of the following are appropriate criteria for selecting key risk indicators (KRIs)?

Select 2 answers
A.Indicators that are quantifiable and reliable
B.Indicators that only cover financial risks
C.Indicators that provide early warning of potential risk events
D.Indicators that measure historical losses
E.Indicators that are easy to collect regardless of relevance
Answers: A, C

Essential for effective monitoring.

Why this answer

Option A is correct because key risk indicators (KRIs) must be quantifiable and reliable to provide objective, measurable data that can be consistently tracked over time. Quantifiable indicators allow for trend analysis and threshold setting, while reliability ensures the data source is accurate and repeatable, which is essential for effective risk monitoring in IT environments such as network security or system availability. Option C is correct because a KRI is a leading indicator: its value lies in warning that a risk event is becoming more likely while there is still time to respond.

Exam trap

ISACA often tests the distinction between leading and lagging indicators, and the trap here is that candidates confuse historical loss metrics (lagging) with KRIs (leading), or assume that any easy-to-collect metric is automatically a valid KRI.

93
MCQ · easy

A technology company has implemented a risk and control monitoring program for its software development lifecycle. The program includes key risk indicators (KRIs) such as number of critical bugs found in production, code review coverage, and time to patch vulnerabilities. After six months, the risk committee noticed that the KRI for code review coverage is consistently green (within threshold), but the number of critical bugs in production remains high. The risk manager suspects a disconnect between the KRI and actual risk. What should the risk manager do FIRST?

A.Implement additional testing controls to catch bugs before production.
B.Reduce the code review coverage target to lower the risk appetite.
C.Review the KRI definition and data source to ensure it reflects effective code review.
D.Adjust the code review coverage threshold to a higher percentage.
Answer: C

The KRI may be measuring review quantity, not quality.

Why this answer

Option C is correct because the KRI may not be measuring risk accurately; reviewing the KRI definition and data source will show whether it measures the right thing (for example, the share of changes that received any review rather than the depth of that review). Option D is wrong because modifying the threshold does not address the underlying measurement issue. Option B is wrong because reducing coverage would likely increase risk.

Option A is wrong because additional testing is a separate issue; the KRI itself needs investigation first.

94
Drag & Drop · medium

Arrange the steps for performing a vulnerability assessment.


Why this order

A vulnerability assessment proceeds in this order: define the scope, run the scans, analyze the results, prioritize the findings, and report them.

95
MCQ · hard

Based on the exhibit, what control monitoring deficiency is evident in the DLP policy?

A.The policy does not monitor or block credit card data exfiltration via cloud storage applications (e.g., Dropbox, OneDrive).
B.Alerts are not sent to the appropriate team.
C.Log retention is insufficient for forensic analysis.
D.The rules are too broadly defined and may cause false positives.
Answer: A

Missing coverage for common data loss vectors.

Why this answer

Option A is correct because the policy has no rule to block credit card data being uploaded to cloud storage or other file-sharing services; it only blocks external email and large files, leaving a gap. Option B is wrong because alerts are already sent to the security team. Option D is wrong because the policy is specific to PCI-DSS and the rules are narrowly defined.

Option C is wrong because logging is configured.

96
Multi-Select · easy

A risk manager is designing a monitoring and reporting framework. Which THREE of the following are essential components of an effective risk and control monitoring program?

Select 3 answers
A.Control self-assessments (CSAs)
B.Key performance indicators (KPIs)
C.Risk reporting dashboards
D.Key risk indicators (KRIs)
E.Risk response plans
Answers: A, C, D

CSAs involve business owners evaluating control effectiveness, which is essential for monitoring.

Why this answer

Control self-assessments (CSAs) are essential because they empower process owners to evaluate the design and operating effectiveness of internal controls, providing firsthand evidence for the monitoring program. This bottom-up approach complements top-down testing by identifying control gaps and remediation needs directly from those who execute the controls, which is critical for a comprehensive risk and control monitoring framework.

Exam trap

ISACA often tests the distinction between KPIs and KRIs, where candidates mistakenly select KPIs because they confuse operational performance metrics with risk indicators, but KPIs do not directly measure risk exposure or control effectiveness.

97
MCQ · easy

A mid-sized retail company processes over 1 million credit card transactions daily. It uses an automated monitoring system with static thresholds to flag potential fraud. Recently, the fraud detection team has been overwhelmed by a 40% increase in false positive alerts, causing legitimate transactions to be delayed and customer service complaints to rise. The risk manager is tasked with improving the situation. After reviewing the alert logs, it is clear that the thresholds have not been updated in 18 months, and transaction patterns have shifted due to seasonal promotions and new payment methods. The team has limited resources and cannot handle the current alert volume. What should the risk manager recommend as the most effective course of action?

A.Perform a root cause analysis on the false positives to refine the detection rules and thresholds.
B.Deploy an additional monitoring tool with machine learning capabilities.
C.Engage an external fraud detection consultant to review the system.
D.Immediately increase the alert thresholds to reduce the volume of alerts.
Answer: A

This directly addresses why false positives are high and enables data-driven adjustments.

Why this answer

Option A is correct. Performing a root cause analysis to refine detection rules addresses the core issue: thresholds that have not been recalibrated in 18 months while transaction patterns shifted. Option D (increasing thresholds) might reduce alerts but could miss true positives. Option C (engaging consultants) is costly and not immediate.

Option B (deploying more tools) adds complexity without fixing the root cause.
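What the root cause analysis in this question leads to, as an added example that is not part of the original page: the fraud rule is modelled as a single amount threshold, the stale threshold is recalibrated from a recent window of confirmed-legitimate transactions, and the result is contrasted with simply raising the threshold (Option D), which silently costs recall. All transaction amounts are constructed with a seeded generator; the distributions and the 99th-percentile calibration are assumptions for illustration.

```python
"""Static vs. recalibrated alert thresholds on a shifted transaction mix (added example)."""
import random


def percentile(values: list[float], p: float) -> float:
    """Linear-interpolated percentile, p in [0, 100]."""
    s = sorted(values)
    k = (len(s) - 1) * p / 100.0
    lo = int(k)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def calibrate_threshold(recent_legit: list[float], pct: float = 99.0) -> float:
    """Threshold that flags roughly (100 - pct)% of confirmed-legitimate traffic.

    Recalibrating from a recent window anchors the rule to today's baseline
    instead of the distribution it was tuned on 18 months ago.
    """
    return percentile(recent_legit, pct)


def alert_stats(legit: list[float], fraud: list[float], threshold: float) -> dict:
    """False-positive rate on legitimate traffic and recall on known fraud."""
    fp = sum(1 for a in legit if a > threshold)
    tp = sum(1 for a in fraud if a > threshold)
    return {
        "threshold": round(threshold, 2),
        "alerts": fp + tp,
        "false_positive_rate": fp / len(legit),
        "recall": tp / len(fraud),
    }


def constructed_transactions(seed: int = 2024) -> dict:
    """Synthetic amounts (constructed data, not real transactions)."""
    rng = random.Random(seed)
    return {
        # Baseline the static threshold was tuned on 18 months ago.
        "legit_old": [max(1.0, rng.gauss(60, 20)) for _ in range(5000)],
        # Today: promotions and new payment methods pushed typical baskets up.
        "legit_now": [max(1.0, rng.gauss(90, 30)) for _ in range(5000)],
        # Fraud pattern assumed unchanged: large-value transactions.
        "fraud_now": [rng.gauss(500, 80) for _ in range(50)],
    }


def compare_strategies(data: dict) -> dict:
    static = calibrate_threshold(data["legit_old"])      # never refreshed
    refreshed = calibrate_threshold(data["legit_now"])   # RCA-driven recalibration
    blind = static * 4                                    # "just raise it" (Option D)
    return {
        "static": alert_stats(data["legit_now"], data["fraud_now"], static),
        "refreshed": alert_stats(data["legit_now"], data["fraud_now"], refreshed),
        "blind_raise": alert_stats(data["legit_now"], data["fraud_now"], blind),
    }


if __name__ == "__main__":
    for name, s in compare_strategies(constructed_transactions()).items():
        print(f"{name:12s} thr={s['threshold']:7.2f} alerts={s['alerts']:5d} "
              f"fp_rate={s['false_positive_rate']:.3f} recall={s['recall']:.2f}")
```

The static threshold flags a large share of today's legitimate traffic because the baseline moved under it; the refreshed threshold brings false positives back to the design rate while still catching the constructed fraud, and the blind raise shows why a threshold change without analysis trades alert volume for missed fraud.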

98
MCQ · medium

A company has implemented a key risk indicator (KRI) for system availability, with a threshold of 99.5%. The monitoring team observes that availability has dropped to 99.2% for two consecutive months. What is the most appropriate next step?

A.Implement additional redundancy to improve availability.
B.Increase the threshold to 99.0% to avoid false alarms.
C.Notify the risk owner and initiate a root cause analysis.
D.Escalate immediately to the board of directors.
Answer: C

Standard practice for threshold breaches.

Why this answer

Option C is correct because a sustained breach of a KRI threshold (99.2% vs. 99.5%) for two consecutive months indicates a systemic issue that requires formal risk management action. The risk owner must be notified to assess the impact, and a root cause analysis (RCA) should be initiated to identify underlying failures—such as network congestion, hardware faults, or software bugs—before any remediation is planned.

Exam trap

The trap here is that candidates often jump to immediate remediation (Option A) or threshold adjustment (Option B), failing to recognize that the CRISC framework mandates a structured risk response starting with notification and analysis before any control changes.

How to eliminate wrong answers

Option A is wrong because implementing additional redundancy without first understanding the root cause could waste resources on the wrong fix (e.g., adding servers when the issue is a misconfigured load balancer or a DDoS attack). Option B is wrong because lowering the threshold to 99.0% is a form of risk acceptance without analysis, which violates the principle of maintaining objective KRIs and could mask a deteriorating service level agreement (SLA). Option D is wrong because immediate escalation to the board is premature; the board should be informed only after the risk owner has assessed the situation and determined that the risk exceeds the enterprise risk appetite, not for a single KRI breach.
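The threshold logic behind question 87 (daily readings banded Green/Amber/Red) and this question (an availability tolerance missed for two consecutive months), as one added example that is not part of the original page. The bands follow the explanations above (Green below 10, Amber 10-20, Red above 20; 99.5% tolerance). Readings other than the ones quoted on the page (12 and 15 for Wednesday and Thursday, 99.2% for two months) are constructed, and the rule that Amber triggers action only after a configurable number of consecutive periods is an assumption made for illustration.

```python
"""KRI evaluation: Green/Amber/Red banding plus a sustained-breach rule (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float                  # boundary of the warning band
    red: Optional[float] = None   # boundary of the breach band (None: no Red band)
    higher_is_worse: bool = True  # False for availability-style metrics
    sustain_periods: int = 1      # consecutive non-Green periods before acting (assumed rule)

    def zone(self, value: float) -> str:
        def worse(v: float, t: float) -> bool:
            return v > t if self.higher_is_worse else v < t
        if self.red is not None and worse(value, self.red):
            return "Red"
        if worse(value, self.amber):
            return "Amber"
        return "Green"


def longest_non_green_run(zones: list[tuple[str, str]]) -> int:
    """Length of the longest run of consecutive Amber/Red periods."""
    best = cur = 0
    for _, z in zones:
        cur = cur + 1 if z != "Green" else 0
        best = max(best, cur)
    return best


def evaluate(kri: KRI, series: list[tuple[str, float]]) -> dict:
    """Per-period zones and the FIRST action to take.

    Red -> escalate to the risk committee. Amber sustained for kri.sustain_periods
    -> notify the risk owner and open a root-cause analysis. Otherwise keep
    monitoring. Changing the threshold is never an output here: that decision
    belongs to the risk owner after the cause is understood.
    """
    zones = [(label, kri.zone(v)) for label, v in series]
    red = [label for label, z in zones if z == "Red"]
    amber = [label for label, z in zones if z == "Amber"]
    run = longest_non_green_run(zones)

    if red:
        action = f"Escalate to the risk committee: Red threshold breached on {', '.join(red)}"
    elif amber and run >= kri.sustain_periods:
        action = f"Investigate: notify the risk owner and open a root-cause analysis for {', '.join(amber)}"
    elif amber:
        action = (f"Continue monitoring; single-period Amber on {', '.join(amber)} "
                  f"does not yet meet the {kri.sustain_periods}-period rule")
    else:
        action = "Continue monitoring: all periods Green"
    return {"zones": dict(zones), "red": red, "amber": amber, "longest_run": run, "first_action": action}


# Question 87 shape: daily event count; Green 0-9, Amber 10-20, Red above 20.
DAILY_EVENTS = KRI("events_per_day", amber=9, red=20)
WEEK = [("Mon", 4), ("Tue", 7), ("Wed", 12), ("Thu", 15), ("Fri", 8), ("Sat", 3), ("Sun", 2)]

# Question 98 shape: monthly availability with a 99.5% tolerance; act after two consecutive misses.
AVAILABILITY = KRI("availability_pct", amber=99.5, higher_is_worse=False, sustain_periods=2)
TWO_MONTH_DIP = [("Jan", 99.7), ("Feb", 99.6), ("Mar", 99.2), ("Apr", 99.2)]
ONE_MONTH_DIP = [("Jan", 99.7), ("Feb", 99.2), ("Mar", 99.6)]  # constructed single blip

if __name__ == "__main__":
    for kri, series in ((DAILY_EVENTS, WEEK), (AVAILABILITY, TWO_MONTH_DIP), (AVAILABILITY, ONE_MONTH_DIP)):
        r = evaluate(kri, series)
        print(kri.name, r["zones"])
        print("  ->", r["first_action"])
```

The two-period rule is what separates the sustained availability miss (act) from a one-month blip (keep watching), and the absence of any "adjust threshold" branch reflects both answers: the threshold is a risk-owner decision made after the cause is known, not a monitoring output.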

99
MCQ · medium

An organization is designing a risk and control monitoring program for a new cloud-based application. Which of the following is the MOST important factor to consider when selecting Key Risk Indicators (KRIs)?

A.Historical loss data availability.
B.Ease of automated data collection.
C.Industry best practices.
D.Alignment with strategic objectives.
Answer: D

KRIs should reflect the organization's risk appetite and objectives to be meaningful.

Why this answer

Option D is correct because KRIs must be aligned with risk appetite and business objectives to ensure they measure what matters. Option B is wrong because ease of collection is secondary to relevance. Option A is wrong because historical loss data may not exist for a new cloud-based application.

Option C is wrong because industry best practices are guidance to draw from, not the primary selection factor.

100
MCQ · hard

A global financial services firm has implemented a risk monitoring system that aggregates data from 50+ systems across three regions (Americas, EMEA, APAC). The system uses a centralized data lake and provides dashboards to regional risk committees. Recently, the APAC committee reported that their dashboard shows a spike in cyber risk indicators, but the Americas and EMEA dashboards show no change. The data source for the spike is a single system in APAC that tracks failed VPN logins. The risk owner for that system believes the spike is due to a misconfiguration during a recent patch. However, the APAC risk committee is concerned that this indicates a coordinated attack. The Chief Risk Officer (CRO) wants a clear assessment. Which course of action is most appropriate?

A.Recommend implementing additional monitoring controls across all regions to detect similar spikes.
B.Advise the CRO that the spike is likely a false positive due to the recent patch and recommend the system owner confirm and fix the misconfiguration.
C.Suggest the APAC committee accept the risk based on the system owner's opinion.
D.Immediately escalate to the board and activate the incident response team.
Answer: B

Addresses the likely cause directly.

Why this answer

Option B is correct because the spike originates from a single system in APAC tracking failed VPN logins, and the risk owner has identified a misconfiguration from a recent patch as the cause. This is a classic false positive scenario where a technical anomaly (e.g., a patch altering authentication timeout or lockout thresholds) generates an alert spike without evidence of lateral movement or other indicators. The CRO needs a clear assessment, and the most appropriate action is to confirm the misconfiguration and fix it, rather than escalating or adding controls prematurely.

Exam trap

The trap here is that candidates may overreact to a spike in risk indicators and choose escalation (Option D) or broad control additions (Option A), failing to recognize that a single-system anomaly with a plausible technical explanation (patch misconfiguration) should first be investigated and confirmed before any further action.

How to eliminate wrong answers

Option A is wrong because implementing additional monitoring controls across all regions would be a reactive, resource-intensive response to a single-system anomaly that is likely a false positive, and it does not address the root cause (the misconfiguration). Option C is wrong because suggesting the APAC committee accept the risk based solely on the system owner's opinion bypasses the need for verification and documentation, which is critical in a regulated financial services environment. Option D is wrong because immediately escalating to the board and activating the incident response team is a severe overreaction to a single-system spike with a known probable cause (patch misconfiguration), and it would waste resources and cause unnecessary alarm.

101
MCQ · hard

A multinational corporation has deployed a centralized log management system that collects security events from all subsidiaries. The CRO notices that the number of critical alerts from the Asia-Pacific region has dropped significantly over the past week. Upon investigation, the log source status shows that 30% of the devices in that region have not sent any logs in 48 hours. What is the MOST likely cause?

A.The security team applied a new log suppression rule that filters out low-severity events.
B.The region experienced a distributed denial-of-service (DDoS) attack that overwhelmed the log collection infrastructure.
C.A configuration change was made to the log forwarder agent on the affected devices, causing it to stop sending logs.
D.The network team recently implemented a segmentation change that blocked log traffic from those devices.
Answer: C

Misconfigured log forwarders are a common cause of log loss.

Why this answer

Option C is correct because a configuration change to the log forwarder agent (e.g., syslog-ng, rsyslog, or a proprietary agent) is the most plausible cause for a sudden, sustained drop in log volume from a subset of devices. Unlike network segmentation (Option D), which would affect all traffic, or a DDoS (Option B), which would cause intermittent or total loss, an agent misconfiguration selectively stops log generation while the device remains online. The 48-hour window and 30% device impact align with a staged or partial rollout of a faulty agent configuration.

Exam trap

The trap here is that candidates confuse a reduction in alerts (Option A) with a loss of raw logs, or assume a network change (Option D) is the root cause without considering that a configuration change to the log forwarder agent is a more targeted and common failure mode in centralized logging architectures.

How to eliminate wrong answers

Option A is wrong because a new log suppression rule filtering low-severity events would reduce alert volume but not stop log transmission entirely; the log source status would still show recent heartbeats or connectivity. Option B is wrong because a DDoS attack overwhelming the log collection infrastructure would cause a widespread, not regional, loss of logs, and the log source status would likely show intermittent connectivity or timeouts, not a clean 48-hour gap. Option D is wrong because a network segmentation change blocking log traffic (e.g., UDP 514 or TCP 6514) would affect all devices in the affected subnet, not a specific 30% subset, and would typically be detected by network monitoring tools.

102
Multi-Select · medium

An organization is implementing a continuous monitoring program for its critical IT processes. Which TWO of the following are key indicators that should be included to effectively monitor control performance?

Select 2 answers
A. Key performance indicators (KPIs)
B. Audit findings
C. Key control indicators (KCIs)
D. Service level agreements (SLAs)
E. Key risk indicators (KRIs)
Answers: A, E

KPIs measure process effectiveness and efficiency.

Why this answer

KPIs are correct because they measure the efficiency and effectiveness of control operations over time, directly indicating whether a control is performing as intended. In continuous monitoring, KPIs such as processing error rates or system uptime percentages provide real-time visibility into control health.

Exam trap

The trap here is that candidates confuse KRIs (which measure risk exposure) with KPIs (which measure control performance), or they mistakenly think audit findings or SLAs are suitable for real-time monitoring when they are retrospective or contractual in nature.

103
MCQ · hard

The exhibit shows a warning from a control monitoring system. Based on the log, which of the following is the MOST likely control deficiency?

A. There is no approver assigned for transactions exceeding the limit
B. The threshold of 50000 USD is set too high
C. The monitoring system is generating false positives
D. The user JSmith should not have authority to initiate such transactions
Answer: A

The 'Approver: not assigned' indicates a control failure in the approval process.

Why this answer

Option A is correct because the warning indicates that a transaction exceeded the approval limit without an assigned approver, meaning the control is not being executed. Option B is wrong because the threshold was set at 50000 USD, and the log does not show its level as the deficiency. Option D is wrong because the log shows the user, but the control deficiency is the lack of approval.

Option C is wrong because the system is working by generating the alert.

104
MCQ · medium

A healthcare organization is subject to strict regulatory requirements regarding patient data privacy. The organization has a control that requires all access to patient records to be logged and reviewed weekly by the compliance team. The review is currently performed manually by sampling 10% of the logs. The compliance team reports that the review takes 20 hours per week and they are often unable to complete it on time. As a result, some suspicious access patterns are detected weeks after they occur. The risk manager needs to propose an improvement to the monitoring process. The organization's risk appetite for undetected unauthorized access is very low. Which of the following is the MOST effective recommendation?

A. Reduce the review frequency to bi-weekly to free up time.
B. Hire additional staff to perform the manual reviews.
C. Deploy user behavior analytics (UBA) tools for automated anomaly detection.
D. Increase the sample size to 50% of logs for better coverage.
Answer: C

UBA provides continuous, automated monitoring and immediate alerts.

Why this answer

Option C is correct because implementing user behavior analytics (UBA) automates the detection of anomalous access patterns, reducing manual effort and improving detection speed. Option D is wrong because increasing the sample size does not address the timeliness issue. Option B is wrong because hiring more staff is costly and may not scale.

Option A is wrong because reducing the review frequency would delay detection further, increasing risk.

105
MCQ · medium

A large e-commerce company uses several key risk indicators (KRIs) to monitor credit card fraud. The risk committee noticed that one KRI has been trending above the threshold for three consecutive months, yet no risk response was initiated. Which of the following is the MOST likely root cause?

A. The KRI was not validated for accuracy
B. The risk response workflow was not triggered automatically
C. The KRI threshold was set too lenient
D. The monitoring tool failed to capture data
Answer: B

Without automated triggering, the breach may go unnoticed despite being detected.

Why this answer

Option B is correct because if the risk response workflow was not triggered automatically, the breach may not have been escalated. Option A is wrong because KRI validation addresses accuracy, not action. Option C is wrong because if the threshold were too lenient, it would not have been breached.

Option D is wrong because a monitoring tool failure would likely show no data or alerts.

106
MCQ · hard

After a control self-assessment (CSA) workshop, business units reported that 80% of controls are operating effectively. However, internal audit's recent testing indicates a 30% control failure rate. What is the BEST explanation for this discrepancy?

A. The audit was conducted three months after the CSA, and controls may have degraded.
B. CSA participants may have a biased perception of control effectiveness, while audit uses objective evidence.
C. CSA participants lacked adequate training on what constitutes a control failure.
D. The CSA covered a different scope of controls than the audit.
Answer: B

Subjective bias and objective testing commonly cause such discrepancies.

Why this answer

Option B is correct because CSA participants often overestimate control effectiveness due to subjective assessment, while audit applies objective testing. Option D is wrong because a scope difference (all controls vs. a sample) could contribute but is less likely to cause such a large gap. Option A is wrong because timeliness might explain small differences, not a 50% gap.

Option C is wrong because training alone rarely causes such a large discrepancy.

107
MCQ · hard

A global organization is consolidating risk data from multiple business units into a single enterprise risk management (ERM) system. The risk practitioner notices that KRIs for the same risk type (e.g., cybersecurity) are calculated differently across units. What is the BEST approach to ensure consistent and reliable risk monitoring and reporting?

A. Require all units to adopt a common set of key performance indicators for their control environment.
B. Allow each business unit to maintain its own KRI definitions but report explanations for variances.
C. Establish a common definition and calculation methodology for each KRI across all business units.
D. Implement automated data feeds from each unit's system to the ERM system without changing the KRI definitions.
Answer: C

Standardization is key to reliable aggregation.

Why this answer

Option C is correct because defining standardized KRI definitions and calculation formulas ensures consistency across units, enabling accurate consolidation. Option B is wrong because accepting unit-specific KRIs prevents meaningful aggregation. Option D is wrong because automated data feeds do not address the definition inconsistency.

Option A is wrong because a common KPI set for controls does not solve the risk metric inconsistency.

108
MCQ · hard

Refer to the exhibit. A risk analyst is reviewing an AWS S3 bucket policy. What is the MOST significant control monitoring gap in this policy?

A. The policy does not restrict access to specific internal IPs.
B. The policy allows HTTPS access from any internal IP.
C. The policy denies non-HTTPS access but does not enforce encryption for allowed access.
D. The policy lacks auditing or logging of access attempts.
Answer: D

Monitoring requires logs to detect violations.

Why this answer

Option D is correct because the policy only restricts access to the internal IP range and requires HTTPS, but it does not log access attempts. Without logging, unauthorized attempts cannot be monitored. Option A is wrong because the policy does restrict access to the internal IP range.

Option B is wrong because HTTPS access from the internal IP range is intentionally allowed. Option C is wrong because a Deny for non-HTTPS access is present; what is missing is logging.

109
Multi-Select · hard

Which THREE of the following are key components of an effective risk reporting framework?

Select 3 answers
A. Automated collection of risk data from all sources.
B. Consistent risk metrics across the organization.
C. Clear definition of risk appetite and tolerance levels.
D. Defined escalation paths for exceeding thresholds.
E. Statistical models for predicting future risks.
Answers: B, C, D

Enables aggregation and comparison.

Why this answer

Consistent risk metrics across the organization (Option B) are a key component of an effective risk reporting framework because they ensure that risk data is comparable and aggregated meaningfully across different business units and systems. Without standardized metrics, reports would be inconsistent, making it impossible to assess overall risk posture or identify trends reliably.

Exam trap

The trap here is that candidates often mistake operational enablers (like automated data collection or predictive models) for core framework components, but the CRISC exam emphasizes that the framework must define what is measured, how it is compared, and how responses are triggered, not just how data is gathered or analyzed.

110
Multi-Select · easy

Which TWO of the following are examples of detective controls?

Select 2 answers
A. Review of access logs for unauthorized access.
B. Backup and recovery procedures.
C. Firewall rules blocking unauthorized traffic.
D. Separation of duties in financial systems.
E. Intrusion detection system (IDS) alerts.
Answers: A, E

Detects unauthorized access after the fact.

Why this answer

A is correct because reviewing access logs for unauthorized access is a detective control. It involves examining historical records of system access events to identify security incidents or policy violations after they have occurred. This is a classic example of monitoring and analysis, not prevention or correction.

Exam trap

ISACA often tests the distinction between preventive and detective controls by presenting security technologies that have both capabilities (e.g., a firewall with logging), but the trap here is that candidates confuse the control's primary function (e.g., firewall rules are preventive, even if logs are used for detection).

111
Multi-Select · medium

An organization recently experienced a significant security incident that was not detected by existing monitoring controls. The risk team is reviewing the effectiveness of the control monitoring framework. Which THREE of the following are key factors that should be evaluated to improve detection capabilities?

Select 3 answers
A. The correlation rules between different monitoring tools
B. The existence of an incident response plan
C. The timeliness of data collection from sources
D. The level of automation in incident response
E. The coverage of monitoring across all high-risk assets
Answers: A, C, E

Correlation reduces false positives and identifies complex patterns.

Why this answer

Timely data collection, correlation rules, and coverage across high-risk assets are critical. Automation level and incident response plans, while important, are not primary detection factors.

112
MCQ · hard

A large bank has implemented a sophisticated risk and control monitoring system with multiple dashboards and automated reporting for key risk indicators (KRIs). However, the board of directors has been receiving conflicting KRI reports from different business units (e.g., retail banking, corporate lending, and wealth management). For example, the fraud KRI shows a high risk in retail but low risk in wealth management, yet both units use the same underlying data source. The chief risk officer (CRO) is concerned that the board is losing confidence in the risk reporting. An investigation reveals that each business unit defines and calculates KRIs differently, uses different thresholds, and reports on different schedules. What is the most likely root cause and the best remediation?

A. The reporting frequency is inadequate; monthly reports should be weekly.
B. The data sources for KRIs are inconsistent across business units.
C. The board members are misinterpreting the KRI reports due to lack of training.
D. The KRI definitions and calculation methods are not standardized across business units.
Answer: D

Standardizing definitions and calculation methods will produce consistent reports and restore board confidence.

Why this answer

The root cause is that KRI definitions are not standardized across business units, causing inconsistent reporting. Standardizing KRI definitions and calculation methods ensures comparability. Option B (data sources) is not the issue, since all units use the same source; Option C (board interpretation) is secondary; Option A (reporting frequency) is not the core problem.

113
MCQ · easy

Which of the following is the primary purpose of a risk and control monitoring program?

A. To identify new risks as they emerge.
B. To provide ongoing assurance that controls are operating effectively.
C. To reduce the frequency of internal audits.
D. To calculate key risk indicators.
Answer: B

Core objective of monitoring.

Why this answer

The primary purpose of a risk and control monitoring program is to provide ongoing assurance that controls are operating effectively. This is achieved through continuous or periodic testing, observation, and analysis of control activities to confirm they are designed correctly and functioning as intended to mitigate risks. Without this ongoing assurance, an organization cannot reliably know whether its risk responses remain effective over time.

Exam trap

The trap here is that candidates often confuse the primary purpose of a monitoring program (ongoing assurance) with its components or secondary benefits, such as identifying new risks (A) or calculating KRIs (D), leading them to select a narrower or derivative function instead of the core objective.

How to eliminate wrong answers

Option A is wrong because identifying new risks as they emerge is the purpose of a risk identification process or a risk assessment, not the primary goal of a control monitoring program; monitoring focuses on existing controls, not discovering new risks. Option C is wrong because reducing the frequency of internal audits is a potential secondary benefit of a strong monitoring program, but it is not the primary purpose; the core objective is assurance on control effectiveness, not audit reduction. Option D is wrong because calculating key risk indicators (KRIs) is a specific monitoring technique that may be used within a monitoring program, but it is not the primary purpose; the program's goal is broader assurance, not just the calculation of metrics.

114
MCQ · hard

Refer to the exhibit. Based on the exhibit, what is the most appropriate action regarding the control OWF?

A. The control is effective because the traffic was blocked.
B. The control is ineffective because alerts indicate potential malware.
C. The control should be reviewed because the alert frequency is approaching the threshold.
D. No action is needed because the threshold has not been reached.
Answer: C

Proactive review can prevent reaching the threshold and identify root causes.

Why this answer

Option C is correct because the alert frequency is approaching the threshold (4 alerts in the past hour), which indicates a potential issue that should be reviewed before it escalates. Option A is wrong because while the block was successful, the increasing trend is concerning. Option B is wrong because the control blocked the traffic, so it is effective in blocking, but the frequency warrants investigation.

Option D is wrong because being below threshold does not mean no action is needed; proactive review is better.

115
MCQ · easy

What is the primary purpose of a control self-assessment (CSA)?

A. To involve process owners in evaluating control effectiveness.
B. To replace external audits.
C. To automate monitoring.
D. To generate compliance reports.
Answer: A

CSA empowers process owners to assess and improve controls.

Why this answer

CSA involves process owners in evaluating control effectiveness, increasing ownership and awareness, so Option A is correct. Options B, C, and D are not primary purposes.

116
MCQ · medium

A retail company monitors its key risk indicator (KRI) for credit card transaction fraud. The KRI has exceeded the established threshold for three consecutive days, but the weekly control performance report shows all fraud detection controls operating effectively. What should the risk practitioner do FIRST?

A. Immediately enhance the fraud detection controls.
B. Report the KRI breach to the board and recommend risk acceptance.
C. Adjust the KRI threshold to align with current control performance.
D. Investigate the data source of the KRI to ensure accuracy and timeliness.
Answer: D

Verifying data integrity is the logical first step before any other action.

Why this answer

Option D is correct because the discrepancy between the KRI and control performance indicates a potential data integrity issue or misalignment; verifying the KRI data source is the first step. Option C is wrong because adjusting the threshold without investigation could mask a real risk. Option A is wrong because enhancing controls before understanding the root cause may be premature.

Option B is wrong because recommending acceptance without investigation ignores the KRI and violates monitoring principles.

117
MCQ · easy

A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?

A. To provide evidence for regulatory audits.
B. To reduce the number of unauthorized access attempts.
C. To confirm the control is working effectively.
D. To calculate the residual risk level.
Answer: C

Ensures the control functions as designed.

Why this answer

The primary purpose of monitoring a detective control, such as one that detects unauthorized access attempts, is to confirm that the control is operating effectively as designed. Monitoring provides ongoing assurance that the control is correctly identifying and logging unauthorized access events, which is essential for maintaining the security posture and for timely incident response.

Exam trap

The trap here is confusing the purpose of monitoring a control (verifying its effectiveness) with the purpose of the control itself (detecting or preventing incidents), leading candidates to choose a benefit like audit evidence or risk calculation instead.

How to eliminate wrong answers

Option A is wrong because while monitoring logs can provide evidence for audits, that is a secondary benefit, not the primary purpose of monitoring a detective control. Option B is wrong because a detective control does not reduce the number of unauthorized access attempts; it only detects them after they occur. Option D is wrong because calculating residual risk is a risk assessment activity that uses control effectiveness data, but the immediate purpose of monitoring is to verify control operation, not to compute risk levels.

118
MCQ · easy

A database error log shows repeated login failures followed by a successful authentication. Which control failure is MOST likely?

A. Account lockout policy is not enforced
B. No multi-factor authentication
C. Insufficient failed login monitoring
D. Weak password policy
Answer: A

Account should have been locked after a few failures.

Why this answer

The correct answer is A. The pattern suggests a brute force attack that succeeded because the account lockout threshold was not configured (or was set too high). Option B is possible but less direct; Option C is about detection of failed attempts, but the control failure is the lack of lockout.

Option D is about password complexity, not the cause of multiple attempts.

119
MCQ · medium

The exhibit shows a log entry from a GRC system. Which of the following is the MOST significant concern regarding this risk score update?

A. The control effectiveness status was not updated alongside the risk score
B. The inherent risk score decreased without any change in the business environment
C. The comment does not provide sufficient detail on the mitigation project
D. The risk owner was not notified of the change
Answer: A

Without updating control effectiveness, residual risk cannot be accurately assessed.

Why this answer

Option A is correct because the control effectiveness status was not updated, which is critical for accurate residual risk calculation. Option B is wrong because inherent risk can change due to mitigation. Option C is wrong because the comment provides a plausible reason.

Option D is wrong because the risk owner is identified.

120
MCQ · medium

A security control failed to prevent unauthorized access to a sensitive database. The risk owner has been notified. What should the risk practitioner do NEXT?

A. Recalculate the residual risk level and update the risk register
B. Escalate the issue to the board of directors
C. Apply a patch to the database system immediately
D. Perform a root cause analysis on the control failure
Answer: A

Control failure changes residual risk; must reassess and document.

Why this answer

The correct answer is A. After a control failure, the risk practitioner should first assess the impact on the risk level by recalculating residual risk, then update the risk register. C is wrong because immediate patching may introduce new vulnerabilities without analysis.

B is wrong because escalation to the board is premature before impact assessment. D is wrong because root cause analysis is done after the risk reassessment.

121
MCQ · easy

An organization defines its risk appetite as 'no more than one major security incident per year.' During the year, a major incident occurs. The monitoring team reports this to the risk committee. What should be the NEXT step?

A. Immediately change the risk appetite to tolerate two incidents per year.
B. Review the incident to determine if risk appetite needs adjustment.
C. Report the breach to the board of directors.
D. Accept the incident and continue with current controls.
Answer: B

Appropriate escalation and review.

Why this answer

Option B is correct because the risk committee should review the incident and consider whether to adjust the risk appetite or implement additional controls. Option C is wrong because reporting to the board is premature without analysis. Option D is wrong because accepting without analysis is passive.

Option A is wrong because a change may not be needed; the appetite may be reaffirmed.

122
MCQ · hard

After a major system upgrade, the control testing team reports that a critical automated control failed intermittently. The control owner states it's a temporary glitch. What is the best course of action?

A. Replace the control with a manual one.
B. Perform a root cause analysis before deeming it effective.
C. Increase frequency of monitoring.
D. Accept the risk and document the finding.
Answer: B

Root cause analysis helps determine if the failure is transient or indicative of a systemic issue.

Why this answer

Intermittent failures require root cause analysis to determine if the control is truly effective. Option B is correct. Option D accepts the risk prematurely.

Option A replaces the control without analysis. Option C increases monitoring frequency but does not address the failure.

123
MCQ · medium

After a significant cybersecurity incident, the board requests a report on the effectiveness of the security controls that were in place. Which reporting approach would BEST demonstrate the controls' performance?

A. List all controls and their test results
B. Show the number of vulnerabilities patched
C. Provide a summary of the incident timeline
D. Compare control test results against defined KRIs and risk appetite
Answer: D

This links control outcomes to risk tolerance, demonstrating effectiveness.

Why this answer

Option D is correct because comparing test results against KRIs and risk appetite shows how well controls mitigate risks. Option A is too granular and lacks context. Option C focuses on the incident rather than the controls.

Option B shows a metric but not control effectiveness.

124
MCQ · medium

A risk manager notices that a key risk indicator (KRI) has been consistently above the threshold for three months. What should be the first action?

A. Adjust the threshold to a higher value.
B. Implement additional controls immediately.
C. Review the KRI definition and data source for accuracy.
D. Escalate to senior management immediately.
Answer: C

Ensuring the KRI is correctly measured and sourced is fundamental before any action.

Why this answer

Before escalating, it is important to verify the accuracy of the KRI data and definition. Option C is correct because data integrity issues are a common cause of false alarms. Option B is premature without verification.

Option A incorrectly adjusts the threshold. Option D is reactive without understanding the root cause.

125
MCQ · medium

A company relies on a third-party cloud provider for critical data processing. As part of its vendor risk management program, the company wants to implement continuous monitoring of the provider's controls. Which of the following is the BEST approach?

A. Monitor the provider's service level agreements (SLAs) for uptime
B. Conduct monthly manual attestation surveys with the provider
C. Require the provider to perform quarterly penetration tests
D. Obtain and review the provider's SOC 2 Type II report on an ongoing basis
Answer: D

SOC 2 reports provide continuous assurance over relevant controls.

Why this answer

Option D is correct because SOC 2 reports provide independent assurance over controls such as security and availability. Option C is wrong because periodic penetration tests do not cover all controls continuously. Option A is wrong because SLAs typically measure performance, not control effectiveness.

Option B is wrong because manual attestation is less reliable and not continuous.

126
MCQ · hard

Based on the exhibit, which control is most critical to address first to reduce the risk of unauthorized access?

A. Segregation of duties conflict resolution timeliness.
B. Privileged access review frequency.
C. User access recertification completion rate.
D. Terminated employee account disabling timeliness.
Answer: A

At 85% vs target 90%, unresolved SoD conflicts pose a significant risk of unauthorized transactions.

Why this answer

Option A is correct because segregation of duties (SoD) conflict resolution timeliness directly addresses the risk that unresolved conflicts could allow a single user to execute unauthorized actions across multiple systems. If SoD conflicts are not resolved promptly, a user might retain incompatible roles (e.g., both creating and approving purchase orders), enabling fraud or unauthorized access without detection. This control is foundational because it prevents the accumulation of excessive privileges that bypass other access controls.

Exam trap

ISACA often tests the misconception that reactive controls like access reviews or account disabling are more critical than proactive controls like SoD conflict resolution, but the question specifically targets the root cause of unauthorized access—accumulation of incompatible privileges—which only timeliness of SoD resolution can prevent in real time.

How to eliminate wrong answers

Option B is wrong because privileged access review frequency, while important, is a detective control that identifies excessive privileges after they have been granted; it does not prevent the initial accumulation of incompatible roles that enable unauthorized access. Option C is wrong because user access recertification completion rate focuses on periodic validation of existing access, but it does not address the real-time risk of unresolved SoD conflicts that can be exploited immediately. Option D is wrong because terminated employee account disabling timeliness is a critical control for removing access of ex-employees, but it does not mitigate the risk of current employees with conflicting roles that allow unauthorized actions within their legitimate sessions.

127
Multi-Select · medium

Which TWO of the following are primary objectives of control monitoring?

Select 2 answers
A. To calculate the financial impact of control failures.
B. To provide assurance to stakeholders that controls are functioning.
C. To determine the design adequacy of controls.
D. To verify that controls are operating effectively.
E. To identify new risks that were not previously assessed.
Answers: B, D

Monitoring provides ongoing assurance.

Why this answer

Control monitoring's primary objectives are to provide assurance to stakeholders that controls are functioning as intended and to verify that controls are operating effectively on an ongoing basis. This aligns with the CRISC framework's emphasis on continuous assurance over control performance, not just periodic assessment.

Exam trap

The trap here is confusing the objectives of control monitoring with those of risk assessment or control design, leading candidates to select options about identifying new risks or calculating financial impact, which belong to separate CRISC domains.

128
MCQ · medium

A risk practitioner is designing a monitoring dashboard for senior management. Which key performance indicator (KPI) would be MOST useful for tracking control effectiveness over time?

A. Number of security incidents reported.
B. Number of transactions processed per hour.
C. Value at Risk (VaR) for operational risk.
D. Percentage of controls passing automated tests.
Answer: D

Directly indicates control effectiveness.

Why this answer

Option D is correct because the percentage of controls passing automated tests directly measures the effectiveness of controls over time. A trend of increasing or stable high percentages indicates that controls are functioning as intended, while a decline signals degradation. This KPI is specifically designed for control monitoring, unlike metrics that measure activity or outcomes.

Exam trap

The trap here is that candidates confuse outcome-based metrics (like incident counts) with control effectiveness metrics, failing to recognize that a KPI for control effectiveness must directly measure control performance, not the consequences of control failure.

How to eliminate wrong answers

Option A is wrong because the number of security incidents reported is a lagging indicator of control failure, not a direct measure of control effectiveness; a low incident count could result from poor detection rather than strong controls. Option B is wrong because transactions processed per hour is a throughput metric for operational efficiency, not a measure of control effectiveness; it does not indicate whether controls on those transactions are working. Option C is wrong because Value at Risk (VaR) for operational risk is a statistical estimate of potential loss, not a real-time or trendable indicator of individual control performance; it aggregates risk rather than measuring control pass/fail rates.

129
MCQ · hard

Refer to the exhibit. Based on the control test results, which of the following is the most immediate risk?

A.Material misstatement in financial statements
B.Non-compliance with credit policy
C.Inefficient order processing
D.Fraud due to lack of segregation of duties
Answer: D

The failed control directly indicates that a user can both enter and approve orders, increasing the risk of fraudulent transactions.

Why this answer

The control test results show that the same individual can both create purchase orders and approve invoices, which violates segregation of duties. This lack of segregation creates an immediate risk of fraud because the employee could create fictitious orders and approve payments to themselves or accomplices without detection.

Exam trap

The trap here is that candidates often focus on the financial reporting impact (Option A) as the most immediate risk, but CRISC emphasizes that the control deficiency itself—the lack of segregation of duties—creates an immediate fraud exposure before any financial misstatement can occur.

How to eliminate wrong answers

Option A is wrong because material misstatement in financial statements is a downstream consequence that would occur only if fraudulent transactions are actually processed and recorded, not an immediate risk from the control weakness itself. Option B is wrong because non-compliance with credit policy relates to extending credit to customers, which is not directly impacted by the purchase-to-pay segregation issue described. Option C is wrong because inefficient order processing refers to operational delays or bottlenecks, whereas the control failure here is a deliberate fraud opportunity, not a process speed issue.

130
Multi-Select · hard

Which THREE of the following control monitoring techniques are considered continuous monitoring?

Select 3 answers
A.Quarterly internal control self-assessments
B.Automated logging and alerting from SIEM tools
C.Real-time validation of input data in applications
D.Annual penetration testing
E.Automated reconciliation of transactions at day end
Answers: B, C, E

Continuous real-time monitoring.

Why this answer

The correct options are B, C, and E. Continuous monitoring involves automated, ongoing techniques. Internal control self-assessments (A) are periodic, not continuous. Penetration testing (D) is periodic/ad hoc.

131
MCQ · medium

A regional bank uses a centralized GRC platform to monitor key risk indicators (KRIs) for operational risk. The chief risk officer (CRO) reviews the monthly risk report and notices that the KRI 'number of system outages exceeding 4 hours' has been consistently reported as 0 for the past six months. However, the IT incident log shows three such outages in the same period. The CRO suspects the KRI is not being accurately reported. What should the risk manager do next?

A.Add additional controls to reduce the likelihood of system outages
B.Update the risk register to reflect the recent outage incidents
C.Investigate the KRI calculation and data feed to identify why outages are not being captured
D.Increase the KRI threshold to 2 outages to align with historical data
Answer: C

Understanding the data integrity issue is the first step to ensure accurate monitoring and reporting.

Why this answer

The correct answer is C because the risk manager must first investigate the KRI calculation and data feed to determine why the IT incident log shows three outages but the KRI reports zero. Without understanding the root cause of the reporting discrepancy—whether it is a data integration error, a threshold misconfiguration, or a failure in the GRC platform's automated data collection—any subsequent action would be premature and could mask the underlying control monitoring failure.

Exam trap

The trap here is that candidates may confuse the need to remediate the reporting failure with the need to remediate the risk itself, leading them to choose an option that addresses the outages directly (like adding controls or updating the register) rather than first diagnosing the KRI data pipeline.

How to eliminate wrong answers

Option A is wrong because adding additional controls does not address the immediate issue of inaccurate KRI reporting; it assumes the problem is a lack of controls rather than a data integrity or calculation error. Option B is wrong because updating the risk register with the outage incidents is a record-keeping step that does not resolve the root cause of why the KRI failed to capture them; the risk register should reflect accurate data, but the priority is to fix the reporting mechanism. Option D is wrong because increasing the KRI threshold to 2 outages would simply hide the discrepancy by aligning the threshold with the observed data, thereby undermining the KRI's purpose as an early warning indicator and failing to correct the underlying reporting failure.

132
MCQ · medium

An organization is designing a risk dashboard for senior management. Which of the following is the MOST important characteristic of the key risk indicators (KRIs) displayed?

A.They are updated in real-time.
B.They are directly linked to the risk appetite thresholds.
C.They are based on accurate historical data.
D.They are cost-effective to collect and maintain.
Answer: B

KRIs must reflect risk appetite so management can quickly assess risk status.

Why this answer

Option B is correct because KRIs should be aligned to the risk appetite to effectively communicate risk levels to management. Option A is wrong because, while timeliness is important, it is not the most important characteristic for management decision-making. Option C is wrong because accuracy is crucial, but KRIs must first be relevant to risk appetite. Option D is wrong because cost-effectiveness is a consideration but not the primary characteristic for a management dashboard.

133
MCQ · medium

A company has implemented an automated control monitoring system that generates alerts when transactions exceed predefined thresholds. The system has been in production for six months. The risk team notices that the number of alerts has been decreasing, while actual control failures have remained constant. Which of the following is the MOST likely cause?

A.Employees have learned to bypass the monitoring system
B.The control effectiveness has improved significantly
C.The data feed from transaction systems has degraded, causing missing data
D.The thresholds were automatically adjusted to be more restrictive
Answer: C

Degraded data reduces input, resulting in fewer alerts despite constant failures.

Why this answer

Option C is correct because degradation of data feeds could cause the system to miss transactions, leading to fewer alerts. Option B is wrong because if controls were improved, actual failures would decrease. Option A is wrong because employees gaming the system would likely increase failures, not keep them constant. Option D is wrong because increased automation typically increases detection.

134
MCQ · medium

You are the risk manager for a healthcare organization that uses an electronic health records (EHR) system. The system has a built-in audit log that records all access to patient data. Recently, the Chief Information Security Officer (CISO) raised a concern that there have been multiple reports of unauthorized access to patient records, but the audit log analysis has not identified any suspicious activity. You have been asked to investigate. Your review of the audit log configuration reveals that the system only logs successful access events, not failed access attempts. Additionally, the log retention period is set to 30 days, and the logs are stored in a flat file on the same server as the EHR application. The monitoring team manually reviews the logs at the end of each month. Which of the following is the MOST significant risk associated with the current monitoring approach?

A.Storing logs on the same server as the EHR application exposes them to alteration or deletion if the server is compromised.
B.The 30-day log retention period is too short to detect long-term patterns of unauthorized access.
C.Manual review of logs is ineffective and may miss critical events; automated monitoring should be implemented.
D.The audit log does not capture failed access attempts, which could indicate brute-force attacks or unauthorized access attempts.
Answer: A

Log integrity is compromised, which is a critical risk for monitoring and forensics.

Why this answer

Storing audit logs on the same server as the EHR application violates the principle of log segregation. If the server is compromised, an attacker can alter or delete the logs to cover their tracks, making detection impossible. This is the most significant risk because it directly undermines the integrity and availability of the evidence needed to investigate unauthorized access.

Exam trap

The trap here is that candidates focus on the operational deficiencies (short retention, manual review, missing failed attempts) rather than the foundational security control failure of log segregation, which is the most critical risk because it compromises the entire audit trail.

How to eliminate wrong answers

Option B is wrong because while a 30-day retention period may be suboptimal for long-term pattern analysis, it is not the most significant risk given that the logs are already vulnerable to tampering and the current manual review process would likely miss patterns regardless. Option C is wrong because although manual review is inefficient, the core issue is that even with automated monitoring, the logs stored on the same server could be destroyed or altered before any alert is triggered. Option D is wrong because while missing failed access attempts is a gap, the lack of logging for failed attempts is less critical than the complete loss of log integrity if the server is compromised.

135
MCQ · easy

A risk analyst is reviewing monthly control test results. One control failed testing twice in a row. What is the FIRST step the analyst should take?

A.Report the failure in the next risk report to management.
B.Perform a root cause analysis of the control failure.
C.Update the risk register with a higher inherent risk rating.
D.Escalate the failure to the risk committee immediately.
Answer: B

Root cause analysis is essential before taking further action.

Why this answer

Option B is correct because understanding the root cause helps determine whether the failure is due to a control design issue or an operational lapse. Option D is wrong because escalating without analysis may cause unnecessary alarm. Option A is wrong because reporting to management without context is incomplete. Option C is wrong because updating the risk register should follow root cause analysis.

136
Multi-Select · medium

Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)

Select 2 answers
A.Control testing schedules
B.Risk appetite statements
C.Defined key risk indicators (KRIs)
D.Quarterly board reporting
E.Annual risk assessment updates
Answers: A, C

Ensures controls are tested regularly.

Why this answer

Control testing schedules (A) are a key component because they define the frequency and scope of evaluating whether controls are operating effectively. Without a structured schedule, control failures may go undetected for extended periods, increasing risk exposure. Defined key risk indicators (KRIs) (C) are also essential because they provide leading metrics that signal potential risk events before they materialize, enabling proactive monitoring and timely corrective actions.

Exam trap

The trap here is that candidates confuse governance artifacts (like risk appetite statements and board reporting) with operational monitoring components, leading them to select options that are important for risk management but not part of the monitoring program's core structure.

137
MCQ · hard

A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?

A.Develop and mandate a standardized risk assessment methodology.
B.Aggregate risks at the enterprise level using a common taxonomy.
C.Require each business unit to adopt the same risk scoring scale.
D.Create a centralized reporting template with predefined fields.
Answer: A

Ensures consistent risk identification and evaluation.

Why this answer

Option A is correct because mandating a standardized risk assessment methodology ensures that all business units apply the same criteria, scales, and processes for identifying, analyzing, and evaluating risks. This eliminates methodological inconsistencies at the source, enabling the risk committee to produce truly comparable and reliable monitoring reports across the enterprise.

Exam trap

The trap here is that candidates confuse output consistency (templates, scales, or taxonomies) with input consistency (the methodology itself), leading them to choose options that only address surface-level uniformity rather than the root cause of inconsistent risk assessments.

How to eliminate wrong answers

Option B is wrong because aggregating risks using a common taxonomy only standardizes the classification of risks, not the underlying assessment methodology; different scoring and evaluation approaches would still produce incompatible results. Option C is wrong because requiring the same risk scoring scale does not address differences in how risks are identified, analyzed, or prioritized—two units using the same scale but different methodologies can still generate inconsistent risk levels for similar exposures. Option D is wrong because a centralized reporting template with predefined fields only standardizes the output format, not the input data or assessment process; if business units use different methodologies, the data entered into the template will remain inconsistent and non-comparable.

138
Multi-Select · easy

A financial institution is implementing a new continuous monitoring solution for its transaction processing systems. The solution generates alerts for suspicious activities. Which TWO of the following are essential considerations when defining the alert thresholds?

Select 2 answers
A.Cost of the monitoring solution
B.Historical transaction patterns and baseline deviations
C.Vendor reputation for support
D.Number of employees in the monitoring team
E.The risk appetite of the organization
Answers: B, E

Baselining ensures thresholds reflect normal behavior.

Why this answer

Alert thresholds should align with historical transaction patterns and risk appetite. Cost and vendor reputation are relevant but not essential for threshold definition; reducing thresholds increases false positives.

139
Multi-Select · medium

A risk analyst is reviewing the results of control testing for a critical business process. Which THREE of the following are valid reasons to classify a control as ineffective?

Select 3 answers
A.The control was not executed as per procedure.
B.The control failed during peak load testing.
C.The control design does not address the risk.
D.The control was tested once and passed.
E.The control owner was not available during the test.
Answers: A, B, C

Deviating from procedure compromises control effectiveness.

Why this answer

Options A, B, and C are correct. A: Non-execution per procedure means the control was not performed correctly. B: Failure under peak load indicates the control cannot handle real conditions. C: If the design does not address the risk, the control cannot mitigate it. D is wrong because a single pass does not prove ineffectiveness. E is wrong because owner availability is not a control attribute.

140
MCQ · medium

A company uses a third-party vendor to process customer data. The vendor's security control monitoring reports show no issues. However, the company's internal monitoring detects anomalies in vendor response times. What is the BEST interpretation?

A.The vendor's monitoring is accurate; the anomalies are false positives.
B.The anomalies may indicate a control gap in the vendor's environment.
C.The internal monitoring should be disabled to avoid confusion.
D.The vendor's monitoring is more reliable than internal monitoring.
Answer: B

Internal monitoring provides independent validation.

Why this answer

Option B is correct because the internal monitoring may have detected a control weakness not covered by vendor reports. Option A is wrong because a response time anomaly is a signal, not necessarily a false positive. Option D is wrong because vendor reports may be incomplete. Option C is wrong because independent internal monitoring is equally important.

141
MCQ · hard

A company's key risk indicator (KRI) for 'failed login attempts' has exceeded its threshold by 20%. The control owner reports that a recent firewall change caused false positives. What should the risk practitioner do FIRST?

A.Validate the KRI data and investigate the root cause
B.Implement additional controls to reduce failed logins
C.Revert the firewall change immediately
D.Increase the KRI threshold to eliminate false positives
Answer: A

Data integrity check is essential before any action.

Why this answer

The correct answer is A. The first step is to verify the KRI data and confirm whether the threshold breach is real or due to a configuration issue. Option D is premature because the threshold breach may be invalid. Option B is corrective action without confirmation. Option C is too drastic without understanding the root cause.

142
Multi-Select · easy

Which TWO of the following are examples of key risk indicators (KRIs) in an IT environment? (Choose two.)

Select 2 answers
A.Number of IT projects in progress.
B.Number of critical security vulnerabilities unresolved for more than 30 days.
C.Number of employees in the IT department.
D.System uptime percentage.
E.Annual IT budget variance.
Answers: B, D

Unresolved vulnerabilities indicate security risk.

Why this answer

Options B and D are correct. Number of unresolved critical vulnerabilities and system uptime percentage are direct measures of IT risk. Option C is wrong because number of employees is a people metric, not a risk indicator. Option E is wrong because budget variance is a financial metric, not specifically a KRI. Option A is wrong because number of IT projects is a workload metric, not a risk indicator.

143
Drag & Drop · medium

Sequence the steps for conducting a business impact analysis (BIA).


Why this order

BIA involves identifying critical processes, outage tolerance, dependencies, impact estimation, and prioritization.

144
Multi-Select · medium

Which TWO of the following are characteristics of an EFFECTIVE key risk indicator (KRI)?

Select 2 answers
A.Provides an early warning signal of increasing risk exposure.
B.Is actionable, meaning it can trigger predefined responses when thresholds are breached.
C.Is derived from the organization's risk appetite statement.
D.Uses smoothed data to avoid alert fatigue.
E.Measures historical loss events.
Answers: A, B

Predictive nature is key for proactive risk management.

Why this answer

Options A and B are correct. An effective KRI should be predictive (leading) and actionable. Option E is wrong because lagging indicators (e.g., loss events) are not predictive. Option C is wrong because risk appetite thresholds should be set based on the KRI, not the other way around. Option D is wrong because a KRI should be sensitive, not smoothed.

145
MCQ · medium

During a risk assessment, a control self-assessment (CSA) indicates that a key control is operating effectively. However, an independent audit finds multiple control failures. Which of the following is the MOST likely reason for this discrepancy?

A.The audit tested different samples
B.The control environment changed
C.The CSA participants lacked objectivity
D.The CSA was conducted too recently
Answer: C

Self-assessments can be biased, leading to overestimation of effectiveness.

Why this answer

Option C is correct because CSA participants may lack objectivity due to bias or lack of independence. Option B is less likely if the CSA is recent. Option A is possible but not the most likely cause of a systematic discrepancy. Option D is possible but not specific to CSA versus audit.

146
MCQ · easy

A control test reveals a 100% pass rate for a detective control. What does this indicate?

A.The control is operating effectively
B.The control is too expensive to maintain
C.The control is compensating for other weaknesses
D.The associated risk has been fully mitigated
Answer: A

Pass rate indicates effective detection.

Why this answer

The correct answer is A. A 100% pass rate for a detective control suggests the control is effective at detecting issues, but it does not guarantee that no issues existed (since detection only happens if an issue occurs). Option B is irrelevant; options C and D are possible but not indicated by the pass rate alone.

147
Multi-Select · hard

Which THREE of the following are common challenges in risk reporting?

Select 3 answers
A.Timeliness of information.
B.Over-reliance on automated tools.
C.Data accuracy issues.
D.Too much detail.
E.Lack of board support.
Answers: A, C, D

Outdated information reduces the value of risk reports.

Why this answer

Common challenges include data accuracy, timeliness, and information overload (too much detail). Options A, C, and D are correct. Over-reliance on automation (B) is not typically a challenge, and lack of board support (E) is more of a governance issue.

148
MCQ · hard

A risk committee receives a monthly risk report that includes a heat map of inherent risk ratings and a separate list of control deficiencies. The committee members often complain that they cannot easily see which control deficiencies are most critical to address. Which of the following is the BEST improvement to the reporting?

A.Include a comprehensive list of all key risk indicators (KRIs)
B.Provide a separate section on recent audit findings
C.Overlay control deficiency impact ratings onto the residual risk heat map
D.Add a timeline of when each control deficiency was first identified
Answer: C

This visualization directly links control weaknesses to resulting risk levels, aiding prioritization.

Why this answer

Option C is correct because combining control deficiency impact ratings with residual risk ratings directly shows the effect on risk levels. Option A is wrong because adding all KRIs may overload the report. Option B is wrong because past audit findings may be outdated. Option D is wrong because a chronological log does not prioritize by risk impact.

149
MCQ · easy

When reporting risk and control monitoring results to the board of directors, which of the following formats is MOST effective?

A.Narrative reports describing findings in paragraphs.
B.Visual dashboards with key metrics and trend indicators.
C.Oral summary without supporting documentation.
D.Detailed spreadsheets with raw data for each control.
Answer: B

Effective for quick understanding.

Why this answer

Option B is correct because visual dashboards with trend lines and color coding quickly convey risk status. Option D is wrong because raw data is overwhelming. Option A is wrong because narrative alone lacks context. Option C is wrong because a verbal summary alone may not be retained.

150
MCQ · easy

Refer to the exhibit. What does the exhibit most likely indicate about the control monitoring?

A.The control is effective but the monitoring configuration is incorrect.
B.The control is failing and needs immediate remediation.
C.The control is close to target but requires attention.
D.The control is meeting its target.
Answer: A

The target threshold should align with policy; the configuration error might cause false sense of effectiveness.

Why this answer

Option A is correct because the target is set to 90% while the policy requires 95%, so the monitoring configuration is incorrect. The control appears to meet the target (94.5% > 90%), but it fails to meet the policy requirement. Option D is wrong because the control meets the configured target but not the policy. Option B is wrong because the current value is above the configured target. Option C is wrong because the control is not failing relative to the target; it is a configuration issue.
