CCNA Risk and Control Monitoring and Reporting Questions

25 of 175 questions · Page 3/3 · Risk and Control Monitoring and Reporting · Answers revealed

151
MCQ · medium

An incident occurs due to a control that was thought to be automated but was actually manual. The risk register did not reflect this. What is the MOST likely root cause?

A. Insufficient control monitoring and verification
B. Inadequate risk assessment methodology
C. Poorly designed controls
D. Lack of management support for risk management
Answer: A

Control operation was not verified against documentation.

Why this answer

The correct answer is A. The discrepancy between documentation and reality indicates a failure in control monitoring and verification. The remaining options are either too narrow, unrelated, or possible but less direct causes.

152
MCQ · easy

During a quarterly control review, the risk team discovers that a key manual approval control was bypassed in 15% of transactions due to a recent process change. What is the FIRST action the risk practitioner should take?

A. Restore the original control process immediately.
B. Conduct a root cause analysis to determine why the bypass occurred.
C. Update the risk register to reflect the increased residual risk.
D. Escalate to senior management with a recommendation for disciplinary action.
Answer: B

Root cause analysis informs the most effective remediation.

Why this answer

Option B is correct because understanding the root cause of the bypass is essential before deciding on corrective actions. Option A is wrong because restoring the control without analysis may not address the underlying process change. Option D is wrong because escalating without analysis may not provide sufficient context.

Option C is wrong because updating the risk register is important but not the first action.

153
MCQ · hard

A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?

A. Modify the dashboard to display each source's local time separately.
B. Ask each source to adjust their time zone to the corporate headquarters time zone.
C. Standardize all timestamps to Coordinated Universal Time (UTC) during data ingestion.
D. Use the time zone of the majority of sources and convert others.
Answer: C

Best practice for time normalization.

Why this answer

Option C is correct because standardizing all timestamps to Coordinated Universal Time (UTC) during data ingestion ensures a single, unambiguous reference point for all aggregated data. This eliminates the root cause of inconsistency—differing local time zones—at the point of data entry, allowing the real-time dashboards to display consistent, comparable metrics regardless of the source's geographic location. This approach aligns with the principle of normalizing data at the earliest stage of the data pipeline, which is a fundamental practice in risk monitoring and reporting.

Exam trap

The trap here is that candidates often choose Option A, thinking that displaying local times separately is a 'user-friendly' solution, but they fail to recognize that the core requirement is consistent, comparable data for risk committees, not individual source readability.

How to eliminate wrong answers

Option A is wrong because displaying each source's local time separately does not resolve the inconsistency; it merely exposes the problem, making it impossible for risk committees to compare data across sources in a unified, real-time view. Option B is wrong because asking each source to adjust their time zone to corporate headquarters time is impractical, error-prone, and introduces a single point of failure; it also fails to account for daylight saving time changes and does not scale across multiple time zones. Option D is wrong because using the time zone of the majority of sources and converting others introduces bias and still leaves a subset of data with potential conversion errors, especially during daylight saving transitions, and does not guarantee consistency across all sources.

154
MCQ · easy

During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?

A. Document the lack of alerts as evidence of effectiveness.
B. Redesign the control with different parameters.
C. Test the control to ensure it is functioning correctly.
D. Increase the frequency of monitoring.
Answer: C

Verifies control effectiveness.

Why this answer

The absence of alerts does not automatically confirm that the control is working; it could indicate that the control has failed silently or that the detection logic is misconfigured. The risk practitioner must first test the control (e.g., by simulating an unauthorized access attempt) to verify that it can actually detect and alert on violations. Only after confirming correct functionality can the lack of alerts be interpreted as evidence of effectiveness.

Exam trap

The trap here is that candidates assume a lack of alerts equals a lack of incidents, rather than recognizing that it could indicate a control failure, and they jump to redesign or increase monitoring without first validating the control's operational state.

How to eliminate wrong answers

Option A is wrong because documenting the lack of alerts as evidence of effectiveness assumes the control is operational without verification, which ignores the possibility of a silent failure (e.g., a broken SIEM rule or a disabled detection agent). Option B is wrong because redesigning the control with different parameters is premature and wasteful; the issue may be a simple configuration error or a false negative, not a fundamental design flaw. Option D is wrong because increasing monitoring frequency does not address the root cause—if the control is not detecting unauthorized access, more frequent checks will only produce more false negatives or miss the same failures.

155
Multi-Select · easy

A company is designing its risk and control monitoring program. Which TWO of the following are key attributes of effective monitoring?

Select 2 answers
A. All controls should be monitored at the same frequency.
B. Monitoring should only be performed by external auditors.
C. Monitoring results should be communicated to stakeholders.
D. Monitoring should be independent of the control owner.
E. Monitoring frequency should be determined by control criticality.
Answers: C, E

Communication enables informed decision-making.

Why this answer

Options C and E are correct. C: Results must be communicated to stakeholders to drive action. E: Monitoring frequency should be risk-based (critical controls are monitored more frequently).

A is wrong because not all controls need the same frequency. B is wrong because internal teams can monitor. D is wrong because monitoring can be performed by control owners if properly designed.

156
Multi-Select · easy

Which TWO of the following factors should be considered when determining the frequency of control monitoring?

Select 2 answers
A. The cost of monitoring relative to control cost.
B. The number of IT projects in progress.
C. The preferences of the external auditor.
D. The criticality of the control to risk mitigation.
E. The inherent risk level of the process.
Answers: D, E

Critical controls need more frequent monitoring.

Why this answer

Options D and E are correct because control criticality and inherent risk level drive frequency. Option A is wrong because monitoring frequency should align with risk, not necessarily cost savings. Option B is wrong because frequency is about the control, not IT projects.

Option C is wrong because auditor recommendations are secondary.

157
MCQ · hard

A financial institution is redesigning its control monitoring program to comply with a new regulatory requirement that mandates near-real-time monitoring of high-risk transactions. The current system performs batch processing daily. Which approach BEST meets the requirement while minimizing operational impact?

A. Use manual reviews of high-risk transactions by compliance officers within 24 hours.
B. Implement a real-time monitoring solution that only processes transactions flagged as high-risk based on predefined criteria.
C. Replace batch processing with a fully real-time system for all transactions.
D. Increase batch processing frequency from daily to hourly.
Answer: B

Targeted real-time monitoring meets the requirement efficiently.

Why this answer

Option B is correct because implementing a parallel real-time stream for high-risk transactions directly meets the requirement without affecting existing batch processing. Option D is wrong because increasing batch frequency may still not be real-time. Option C is wrong because replacing batch with real-time for all transactions is costly and risky.

Option A is wrong because manual review is not near-real-time.

158
MCQ · medium

Refer to the exhibit. What does this log entry indicate about the monitoring process?

A. The monitoring process lacks manual validation.
B. The monitoring process has a high false positive rate.
C. The monitoring process includes appropriate categorization and response.
D. The monitoring process is effective because the alert was automatically blocked.
Answer: C

The process steps indicate proper triage, escalation, and forensic analysis.

Why this answer

Option C is correct. The log shows automated detection, blocking, escalation to the SOC, and analyst review, indicating a well-defined process. Option D is incomplete because blocking alone does not confirm process effectiveness.

Option B is not supported because one false positive does not indicate a high rate. Option A is wrong because manual validation occurred.

159
MCQ · medium

A company's risk monitoring report shows that a key risk indicator (KRI) has exceeded the threshold for three consecutive months. What is the MOST appropriate action?

A. Conduct a root cause analysis and implement corrective actions.
B. Wait for the KRI to return to normal on its own.
C. Raise the threshold to avoid future breaches.
D. Implement temporary manual controls.
Answer: A

Addresses the cause of the KRI breach.

Why this answer

A KRI that has exceeded its threshold for three consecutive months indicates a persistent risk condition, not a transient anomaly. The most appropriate action is to conduct a root cause analysis to identify the underlying issue and implement corrective actions to bring the risk back within acceptable levels. This aligns with the CRISC domain of Risk and Control Monitoring and Reporting, which emphasizes proactive remediation over passive observation or threshold manipulation.

Exam trap

The trap here is that candidates may confuse a persistent KRI breach with a temporary spike and choose to wait (Option B) or adjust the threshold (Option C), failing to recognize that the CRISC framework mandates investigation and corrective action for sustained deviations.

How to eliminate wrong answers

Option B is wrong because waiting for the KRI to return to normal on its own ignores the persistent nature of the breach and assumes a self-correcting mechanism, which is not a valid risk management strategy. Option C is wrong because raising the threshold to avoid future breaches is a form of risk acceptance without justification and undermines the integrity of the KRI as an early warning indicator. Option D is wrong because implementing temporary manual controls without first understanding the root cause may address symptoms but not the underlying risk, and manual controls often introduce operational inefficiencies and are not sustainable.

160
Multi-Select · medium

A company is evaluating its control monitoring program. Which TWO of the following are key elements of an effective control monitoring framework? (Choose two.)

Select 2 answers
A. Integration with performance management.
B. Periodic review of KRI thresholds.
C. Use of statistical sampling for all tests.
D. Automated alerts for all control failures.
E. Clearly defined roles and responsibilities.
Answers: B, E

Thresholds must be reviewed to remain aligned with risk appetite.

Why this answer

Options B and E are correct. Periodic review of KRI thresholds ensures the monitoring remains relevant, and clearly defined roles and responsibilities ensure accountability. Option D is wrong because not all failures need automated alerts; some may be handled manually.

Option A is wrong because integration with performance management is not a core element. Option C is wrong because statistical sampling is just one method and not always appropriate.

161
Matching · medium

Match each information security objective to its description.


Concepts
Matches

Data is accessible only to authorized parties

Data is accurate and complete

Data is accessible when needed

Actions can be traced to individuals

Why these pairings

The CIA triad plus accountability are core security principles.

162
MCQ · medium

A risk manager is evaluating the effectiveness of a set of key risk indicators (KRIs). Which TWO of the following are characteristics of effective KRIs?

A. They are complex and difficult to measure
B. They are quantifiable and based on reliable data
C. They are lagging indicators that reflect past events
D. They are leading indicators that provide early warning of potential risk events
E. They focus on a very narrow aspect of risk
Answers: B, D

Quantifiable KRIs with reliable data ensure objective monitoring.

Why this answer

Options B and D are correct. Effective KRIs should be predictive (leading) and quantifiable. Option C is wrong because lagging indicators are less useful for proactive management.

Option A is wrong because complex KRIs are difficult to communicate and monitor. Option E is wrong because a narrow scope may miss broader risks.

163
MCQ · easy

Based on the exhibit, which key risk indicator (KRI) would this log data be MOST useful for calculating?

A. Number of failed authentication attempts per hour.
B. Percentage of successful user logins.
C. Percentage of system uptime.
D. Number of unauthorized changes to system configurations.
Answer: A

Directly derived from failed login events.

Why this answer

Option A is correct because the log shows multiple failed login attempts from a single IP address, which is a direct indicator of a possible brute force attack. Option B is wrong because successful logins are not shown. Option D is wrong because the log does not show change activity.

Option C is wrong because the log does not show system downtime.

164
MCQ · hard

A risk practitioner is asked to reduce the number of KRIs tracked from 50 to 20. Which KRIs should be prioritized for removal?

A. KRIs that have been consistently below threshold for two years
B. KRIs that are not directly mapped to any risk in the risk register
C. KRIs that require manual data collection
D. KRIs that have high volatility
Answer: B

Unmapped KRIs lack context and decision support.

Why this answer

The correct answer is B. KRIs that do not directly link to a risk in the risk register are likely not providing actionable information. Options A, C, and D describe KRIs that are useful for monitoring.

165
MCQ · medium

Refer to the exhibit. If the control objective is to prevent unauthorized access via MFA, what does this test result indicate?

A. The control is ineffective because only 30 logins were sampled.
B. The control is fully effective.
C. The control is effective only if MFA is required for all users.
D. The control is effective for the sample but may not be for the population.
Answer: D

Test results apply only to the sample tested.

Why this answer

Option D is correct because the test result is based on a sample of 30 logins, so it indicates effectiveness for that sample but cannot guarantee effectiveness for the entire population. Option B is wrong because a single sample cannot prove full effectiveness. Option A is wrong because the sample size may be statistically adequate; the result is limited in scope, which does not make the control ineffective.

Option C is wrong because the test does not assess the design requirement for all users; it tests operation.

166
MCQ · easy

A company's control monitoring dashboard shows that a key control has been operating effectively for six months. However, a recent audit revealed a material weakness. Which of the following is the MOST likely reason?

A. The KRI thresholds were set incorrectly.
B. The control was not tested during the period.
C. The monitoring frequency was too low.
D. The control owner was not trained.
Answer: A

Incorrect thresholds can prevent detection of control failures, leading to a false effective status.

Why this answer

Option A is correct because if KRI thresholds are set too high, the monitoring system may not trigger alerts even when the control is failing, giving a false sense of effectiveness. Option B is wrong because the control was likely tested during the period. Option C is wrong because frequency is not the primary issue if thresholds are misaligned.

Option D is wrong because training affects operation, not monitoring thresholds.

167
MCQ · hard

A multinational corporation operates in 15 countries with decentralized control monitoring systems. Each regional office uses different tools and processes for monitoring operational risks. The corporate risk team has consolidated quarterly reports, but the board recently raised concerns about inconsistencies and late identification of emerging risks. A root cause analysis revealed that regional monitoring teams define key risk indicators (KRIs) differently and report on different timeframes. Additionally, there is no centralized platform to aggregate data. The risk manager must recommend a solution that balances local autonomy with global visibility. Which option is the most effective?

A. Create a policy requiring regional risk teams to follow the same KRI definitions and reporting schedule.
B. Implement a centralized risk and control monitoring platform that aggregates data and enforces common reporting standards.
C. Standardize monitoring tools across all regions globally.
D. Increase the frequency of board risk committee meetings to twice per month.
Answer: B

Provides global visibility while allowing local input; addresses the root cause of inconsistency.

Why this answer

A centralized risk and control monitoring platform standardizes data and reporting while allowing local customization via configurable thresholds. Standardizing tools globally (C) might ignore local nuances; a policy alone (A) does not enforce consistency; increasing meeting frequency (D) does not address data inconsistency.

168
MCQ · medium

An internal audit found that a control designed to prevent duplicate payments was bypassed in 5% of transactions. The control owner argues that the control is still effective because the bypass rate is low. What is the BEST response from a risk perspective?

A. Accept the bypass rate as within acceptable tolerance.
B. Document that the control is 95% effective and close the finding.
C. Investigate why bypasses occur and implement compensating controls.
D. Re-classify the control as a detective control instead of preventive.
Answer: C

Root cause analysis is needed.

Why this answer

Option C is correct because the root cause of the bypasses must be addressed to ensure control reliability. Option A is wrong because accepting the bypass rate may increase risk. Option B is wrong because 95% effectiveness may not meet policy.

Option D is wrong because re-classifying the control does not address the issue.

169
Multi-Select · easy

Which TWO of the following are key attributes of effective risk reporting?

Select 2 answers
A. Includes full risk register details
B. Only issued when a risk incident occurs
C. Provides actionable information for decision-makers
D. Tailored to the specific needs of the audience
E. Sent to all employees by email
Answers: C, D

Purpose of reporting.

Why this answer

The correct options are C and D. Risk reporting should be actionable (C) and tailored to the audience (D). B is incorrect because reporting should be regular, not only issued when an incident occurs.

A is too generic; E is about distribution, not content.

170
MCQ · easy

An organization is designing a risk indicator monitoring program for its key financial risks. Which of the following is the BEST example of a key risk indicator (KRI) for credit risk?

A. Percentage of loans that are in default or non-performing.
B. Number of employees who completed cybersecurity training.
C. Percentage of network uptime over the past month.
D. Employee turnover rate in the finance department.
Answer: A

This directly measures credit risk.

Why this answer

A key risk indicator (KRI) for credit risk must directly measure the likelihood or impact of a borrower failing to meet their obligations. The percentage of loans that are in default or non-performing is a direct, quantitative measure of credit risk exposure, as it reflects the actual realization of credit losses. This aligns with the CRISC focus on monitoring risk levels to trigger timely responses.

Exam trap

The trap here is that candidates confuse KRIs with KPIs or operational metrics, selecting a generic performance measure (like training completion or uptime) instead of a risk-specific indicator that directly quantifies credit exposure.

How to eliminate wrong answers

Option B is wrong because the number of employees who completed cybersecurity training is a key performance indicator (KPI) for security awareness, not a KRI for credit risk; it measures activity, not the creditworthiness of borrowers. Option C is wrong because percentage of network uptime is an operational risk KRI related to IT availability, not a measure of credit risk. Option D is wrong because employee turnover rate in the finance department is a human resources metric that may indicate operational inefficiency but does not directly measure the probability of default or credit loss.

171
MCQ · hard

A SIEM event shows multiple failed logins followed by a successful login for the service account 'svc-backup'. The risk practitioner is evaluating the controls. Which finding is MOST significant?

A. The service account has excessive database privileges
B. The failed login events were not logged in real time
C. Failed logins indicate a possible brute force attack
D. A service account is authenticating with a password rather than a certificate
Answer: D

Service accounts should use strong, non-password authentication.

Why this answer

The correct answer is D. The most significant issue is that a service account used for backup is authenticating with a password instead of a certificate or key, which is a security weakness. Option C is true but less significant than the authentication method.

Option A is not indicated (no excessive privileges are shown). Option B is about logging, which is present.

172
MCQ · easy

An external audit finds that a control is not operating as designed. The auditor recommends corrective action. What should the risk practitioner do FIRST?

A. Implement the auditor's recommendation immediately
B. Develop a remediation plan with the control owner
C. Update the risk register with the auditor's finding
D. Assess the impact of the control deficiency on residual risk
Answer: D

Understanding impact drives prioritization.

Why this answer

The correct answer is D. The risk practitioner should first assess the impact of the control deficiency on the risk level. Options B and C are actions that follow the assessment.

Option A is reactive and may be part of remediation, but it is not the first step.

173
MCQ · easy

During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?

A. Loss of confidence in the control by management.
B. Increased risk of missing actual security incidents.
C. Reduced system performance due to alert processing.
D. Increased cost of investigating alerts.
Answer: B

Alert fatigue causes real incidents to be overlooked.

Why this answer

Option B is correct because high false positives can cause alert fatigue, leading to missed real incidents. Option A is a secondary effect. Option C is not directly caused by false positives.

Option D is a possible result but not the most significant.

174
MCQ · medium

A control monitoring system generates an alert when transaction volumes exceed 10,000 per hour. Recently, the system has been generating false positives during peak business hours due to legitimate seasonal spikes. Which of the following is the BEST approach to reduce false positives while maintaining effective monitoring?

A. Disable the alerting during peak hours
B. Implement manual review of all alerts during peak hours
C. Apply dynamic thresholding that adjusts based on historical baseline
D. Increase the alert threshold to 15,000 transactions per hour
Answer: C

Dynamic thresholding adapts to regular patterns, reducing false positives.

Why this answer

Option C is correct because dynamic thresholding adjusts based on a historical baseline, reducing false positives during predictable spikes. Option B is wrong because manual review is inefficient and does not address the root cause. Option D is wrong because raising the static threshold may miss true anomalies during normal periods.

Option A is wrong because disabling alerts would eliminate monitoring entirely.

175
MCQ · hard

Refer to the exhibit. This JSON snippet defines a monitoring policy for S3 bucket access. Which of the following is a potential risk that might NOT be detected by this monitoring policy?

A. Unauthorized GET operations from within the trusted IP range.
B. Unauthorized PUT operations from within the trusted IP range.
C. Unauthorized DELETE operations from any IP.
D. Unauthorized PUT operations from outside the trusted IP range.
Answer: C

DELETE operations are not covered by the policy at all, so they would not be monitored.

Why this answer

Option C is correct. The policy only covers PutObject and GetObject actions. DeleteObject is not monitored, so unauthorized DELETE operations would go undetected.

Options A, B and D all concern GET or PUT operations, which the policy's rules address: GET from the trusted IP range is allowed and PUT from the trusted IP range is denied, which may be intentional. Even if the handling of PUT from outside the trusted range is less clear, the question asks for a risk the policy cannot detect at all, and DELETE is the clearest gap because it is completely unmonitored.
