CCNA Risk Control Monitoring Questions

75 of 175 questions · Page 1/3 · Risk Control Monitoring topic · Answers revealed

1
MCQ · hard

A board member asks for a summary of the top five risks. The risk practitioner has 10 risks with current residual risk levels. Which approach BEST supports board-level reporting?

A.Present the top five by residual risk level, including a trend indicator
B.Only highlight risks that have increased since last quarter
C.List risks alphabetically with current control status
D.Provide a detailed risk register with all 10 risks and full risk analysis
Answer: A

Trend shows direction and urgency.

Why this answer

The correct answer is A. Reporting should include both current status and trend to inform decision-making. Option D is too granular for board-level reporting.

Option C omits risk level. Option B is incomplete because it covers only risks that have increased.

2
MCQ · medium

A manufacturing company uses Internet of Things (IoT) sensors to monitor equipment temperature and vibration on the production floor. The sensor data is automatically sent to a central system, but there is a manual log maintained by operators that records their visual inspections. Recently, there have been instances where the sensor data indicated abnormal readings, but the operator logs showed normal conditions, leading to delayed maintenance actions and two equipment breakdowns. The risk manager investigates and finds that operators sometimes forget to update logs or misinterpret sensor alerts. The company wants to improve the reliability of the monitoring process. What should be the primary action?

A.Reduce reliance on IoT sensors and increase manual inspections.
B.Replace all IoT sensors with newer models that have better accuracy.
C.Provide additional training to operators on how to accurately fill in logs and respond to sensor alerts.
D.Implement automated reconciliation between sensor data and operator logs, flagging discrepancies in real time.
Answer: D

Directly addresses the inconsistency and enables timely corrective action.

Why this answer

Automated reconciliation between sensor data and operator logs would highlight discrepancies immediately, allowing quick investigation. Replacing all sensors (B) is costly and not focused; training (C) alone may not overcome human error; reducing sensor reliance (A) ignores the value of automated alerts.

3
MCQ · easy

A small online retailer with 15 employees sells handmade crafts through its e-commerce website. The company processes payments via a third-party gateway. The owner manually reviews transaction logs once a week for fraud indicators, but recently discovered three chargebacks due to unauthorized transactions. The retailer has limited IT budget and no dedicated security staff. The owner wants to improve detection of fraudulent transactions without significant investment. The current manual process takes about two hours per week and often results in delayed detection. The payment gateway offers basic fraud detection features such as IP geolocation and velocity checks, but these are not enabled. What is the most practical first step?

A.Enable the built-in fraud detection features offered by the payment gateway.
B.Hire a part-time fraud analyst to review logs daily.
C.Purchase an automated fraud detection system from a third-party vendor.
D.Accept the current risk and set aside a reserve fund for chargebacks.
Answer: A

Leverages existing capability at no additional cost; immediate improvement.

Why this answer

Enabling existing fraud detection features in the payment gateway is quick, low-cost, and can immediately improve detection. Buying a new system (C) is expensive; hiring staff (B) is not feasible; accepting the risk (D) is not acceptable given recent chargebacks.

4
Multi-Select · hard

Which THREE of the following are common challenges when implementing a risk monitoring dashboard? (Select exactly three.)

Select 3 answers
A.Data quality and consistency issues
B.Lack of clear ownership for monitoring
C.Reduced need for manual controls
D.Overwhelming amount of information displayed
E.Improved decision-making
Answers: A, B, D

Common due to multiple sources.

Why this answer

Data quality and consistency issues (A) are a common challenge because risk monitoring dashboards aggregate data from multiple sources, each with its own format, timeliness, and accuracy. Inconsistent data leads to unreliable metrics and false alarms, undermining the dashboard's purpose of providing a single source of truth for risk posture.

Exam trap

The trap here is confusing the challenges of implementation with the benefits or outcomes of the dashboard, leading candidates to select 'reduced need for manual controls' or 'improved decision-making' as challenges instead of recognizing them as positive results.

5
MCQ · medium

A financial institution has implemented a continuous monitoring solution for its core banking application. The monitoring team receives an alert indicating that the average response time for a critical transaction has exceeded the threshold for the past 15 minutes. The transaction volume during this period is within normal range. What should be the FIRST step in the incident response process?

A.Contact the application vendor to report a potential performance issue.
B.Verify the alert by reviewing real-time logs and metrics, then assess the potential impact on business operations.
C.Compare current response time with historical baselines to determine if this is an anomaly.
D.Escalate the alert to the IT operations manager and the application owner immediately.
Answer: B

Verification and impact assessment are the correct first steps.

Why this answer

The first step in incident response is to validate the alert by reviewing real-time logs and metrics to confirm it is not a false positive, and then assess the potential impact on business operations. This aligns with the NIST SP 800-61 incident response lifecycle, where detection and analysis precede containment or escalation. Without verification, subsequent actions like vendor contact or escalation may be premature and waste resources.

Exam trap

The trap here is that candidates may confuse 'analysis' (comparing to baselines) or 'escalation' as the first step, but CRISC emphasizes that verification and impact assessment must precede any further action to avoid wasted effort on false alarms.

How to eliminate wrong answers

Option A is wrong because contacting the application vendor should occur only after the alert is verified and the issue is confirmed to be a software defect, not as a first step. Option C is wrong because comparing with historical baselines is part of analysis but should follow verification of the current alert data; it is not the immediate first action. Option D is wrong because immediate escalation without verification risks unnecessary alarm and misdirected effort; escalation is appropriate only after confirming a genuine incident and assessing its severity.

6
MCQ · easy

Which of the following is the PRIMARY benefit of using a risk register for monitoring?

A.Provides real-time alerts.
B.Centralized repository of all risks.
C.Eliminates the need for KRIs.
D.Automates control testing.
Answer: B

A risk register provides a single source of truth for risk information.

Why this answer

A risk register serves as a centralized repository for all identified risks, enabling consistent monitoring and reporting. Option B is correct. Option D is incorrect because risk registers do not automate testing.

Option C is wrong because KRIs complement the register. Option A is not a primary benefit; real-time alerts typically come from other tools.

7
MCQ · medium

A healthcare organization operates a legacy electronic health record (EHR) system that is manually monitored for access anomalies by a small IT team. The organization is planning to migrate to a new cloud-based EHR with integrated logging and monitoring. However, due to budget constraints, the migration will take two years. In the interim, the risk manager wants to improve monitoring for unauthorized access to patient data. The current manual process involves weekly log reviews, but recent audits have identified instances of delayed detection (up to two weeks) and missed incidents. The IT team can dedicate only 10 additional hours per week for monitoring. What is the best approach to enhance monitoring during the transition period?

A.Outsource the monitoring to a third-party managed security service provider.
B.Implement a full automation suite for access monitoring immediately.
C.Use a phased risk-based approach, prioritizing monitoring of high-risk areas such as privileged accounts and sensitive patient data.
D.Accept the current monitoring state as adequate given the upcoming migration.
Answer: C

Targets the highest risks with limited resources; feasible and effective.

Why this answer

A phased approach focusing on high-risk areas (e.g., privileged accounts, sensitive data) optimizes limited resources. Full automation (B) is too costly; outsourcing (A) may have data privacy issues; accepting the current state (D) is irresponsible given the audit findings.

8
Multi-Select · medium

Which TWO of the following are primary purposes of risk and control monitoring? (Choose two.)

Select 2 answers
A.To identify opportunities for implementing new controls.
B.To ensure compliance with all regulatory requirements.
C.To verify that controls are operating as intended.
D.To provide assurance to stakeholders on risk management.
E.To eliminate all residual risk.
Answers: C, D

Verification of control effectiveness is a core monitoring objective.

Why this answer

Options C and D are correct. Monitoring ensures controls are operating effectively and provides evidence for assurance. Option E is wrong because eliminating all risk is not possible; monitoring helps manage but not eliminate risk.

Option A is wrong because implementing new controls is a response, not a purpose of monitoring. Option B is wrong because compliance is a result, but the primary purpose is to assess effectiveness.

9
Matching · medium

Match each risk assessment method to its characteristic.


Concepts
Matches

Uses numerical values like ALE and SLE

Uses ordinal scales like high/medium/low

Combines numeric values with qualitative scales

Evaluates risks based on hypothetical events

Why these pairings

Risk assessment methods vary in how they measure and communicate risk.

10
MCQ · hard

During a quarterly risk review, it is discovered that a previously accepted risk has materialized due to a change in the external environment. What is the MOST appropriate response?

A.Report to regulators.
B.Increase insurance coverage.
C.Accept the impact.
D.Re-evaluate the risk treatment plan.
Answer: D

A materialized risk indicates the original plan is no longer adequate, requiring reassessment.

Why this answer

When a risk materializes, the treatment plan must be re-evaluated to address the new circumstances. Option D is correct. Option C accepts the impact without action.

Option B is a specific treatment that may not be appropriate. Option A is premature without assessment.

11
MCQ · easy

Which of the following is the BEST practice for determining the frequency of control monitoring activities?

A.Standardize all controls to quarterly monitoring
B.Monitor only after a control failure is detected
C.Set frequency based solely on regulatory minimum requirements
D.Align monitoring frequency with risk level and control effectiveness assessment
Answer: D

Risk-based monitoring ensures resources are focused on higher risks.

Why this answer

Option D is correct because monitoring frequency should be based on risk level and control effectiveness. Option A is wrong because fixed intervals ignore changes in risk. Option B is wrong because monitoring only after a failure is reactive.

Option C is wrong because regulatory requirements are a minimum, not necessarily optimal.

12
MCQ · easy

A risk manager notices that a key risk indicator (KRI) for failed login attempts has exceeded the threshold for three consecutive weeks. Which of the following should be the FIRST action?

A.Investigate the root cause of the increase.
B.Adjust the threshold to reduce false positives.
C.Report the breach to the senior management immediately.
D.Ignore the trend as a statistical anomaly.
Answer: A

The first step is to investigate the root cause.

Why this answer

Option A is correct because the first step is to investigate the root cause to determine whether there is a control failure or a false positive. Option D is wrong because ignoring the trend may leave a risk undetected. Option B is wrong because adjusting the threshold without analysis is inappropriate.

Option C is wrong because reporting without investigation may cause unnecessary alarm.

13
MCQ · medium

An organization deployed a new intrusion detection system (IDS) that generates many alerts. The security team is overwhelmed and has started ignoring some alerts. What is the BEST way to address this issue?

A.Implement a SIEM to filter and prioritize alerts.
B.Deactivate the IDS until it can be properly configured.
C.Tune the IDS to reduce false positive alerts.
D.Hire additional security analysts to handle the alert volume.
Answer: C

Reducing false positives improves efficiency.

Why this answer

Option C is correct because tuning the IDS to reduce false positives will make alerts more actionable. Option D is wrong because hiring more staff may not be efficient. Option B is wrong because deactivating the IDS is risky.

Option A is wrong because filtering without tuning may still miss real threats.

14
MCQ · medium

A retail company uses a manual control to verify that all credit card transactions are processed by authorized payment terminals. The control requires a store manager to compare a daily transaction log against a list of approved terminal IDs. The company processes an average of 10,000 transactions per day across 200 stores. During a recent internal audit, it was found that 15% of stores had not completed the reconciliation for the past month. The audit also revealed that several unauthorized terminals had been used to process transactions, resulting in a data breach of customer payment information. The company's risk appetite for payment card data security is very low. The current monitoring approach includes a quarterly review of control performance by the internal audit team. The risk manager needs to recommend improvements to the monitoring of this control. Which of the following is the BEST recommendation?

A.Increase internal audit reviews of the control to monthly.
B.Implement disciplinary actions for store managers who skip reconciliations.
C.Automate the reconciliation by integrating the transaction log with the approved terminal list.
D.Provide refresher training to all store managers on the procedure.
Answer: C

Automation enforces the control, reduces manual effort, and provides real-time monitoring.

Why this answer

Option C is correct because automating the reconciliation process ensures it is performed consistently and promptly, eliminating the manual gaps. Option A is wrong because increasing audit frequency does not prevent the control from being skipped. Option B is wrong because disciplinary actions may motivate compliance but do not address the process inefficiency.

Option D is wrong because additional training may help but does not guarantee consistent performance.

15
MCQ · hard

A company's internal audit function reports that a detective control (manual review of transactions) is operating effectively based on a sample of 50 transactions showing no issues. However, the continuous monitoring system shows that 100 suspicious transactions were not reviewed during the same period. The control owner argues the control is effective. What is the BEST conclusion?

A.The control is effective because the monitoring system is too sensitive.
B.The control is ineffective because the monitoring system is unreliable.
C.The control is ineffective because the audit sample size is too small to detect the actual failure rate.
D.The control is effective because the sample showed no issues.
Answer: C

The large number of unreviewed suspicious transactions indicates a control weakness that the sample missed.

Why this answer

Option C is correct because the audit sample of 50 did not include the suspicious transactions that the continuous monitoring flagged, indicating the sample size was insufficient to detect the actual failure rate. Option D is wrong because the sample alone does not prove effectiveness across all transactions. Option B is wrong because the monitoring system is likely reliable.

Option A is wrong because the monitoring system is not necessarily too sensitive; it revealed actual failures.

16
Multi-Select · hard

A multinational corporation is implementing continuous monitoring of its compliance with data privacy regulations across multiple jurisdictions. Which TWO of the following are significant challenges to this approach?

Select 2 answers
A.Inconsistent regulatory requirements across jurisdictions.
B.The need for manual data collection.
C.High cost of automation tools.
D.Difficulty in establishing a single data repository.
E.Lack of skilled personnel.
Answers: A, D

Different laws require tailored monitoring criteria, complicating a unified system.

Why this answer

Options A and D are correct. A: Inconsistent regulatory requirements make it hard to define a single monitoring standard. D: Data residency and sovereignty issues complicate establishing a unified data repository.

E is a generic challenge but not specific to multi-jurisdiction. C is generic. B: Continuous monitoring by definition automates data collection, so it's not a challenge.

17
MCQ · medium

A risk practitioner notices that a key control is tested only once a year, but the associated risk has a high velocity of change. What is the BEST recommendation?

A.Remove the control if it cannot be tested more often
B.Wait for a control failure before increasing frequency
C.Continue annual testing because it meets regulatory requirements
D.Increase testing frequency to quarterly or monthly
Answer: D

Aligns monitoring with risk velocity.

Why this answer

The correct answer is D. For high-velocity risks, more frequent monitoring is needed. Option C does not address velocity.

Option B is reactive. Option A negates the control.

18
MCQ · medium

Based on the exhibit, which aspect of risk monitoring is MOST concerning?

A.The vulnerability has been open for three months with no evidence of monitoring or remediation despite a patch being available.
B.The vulnerability severity is critical.
C.The last scan was three months after the initial detection.
D.The risk was accepted by the system owner.
Answer: A

Indicates lack of ongoing monitoring of accepted risks.

Why this answer

Option A is correct because a critical vulnerability with a patch available has been open for nearly three months with no remediation; risk acceptance alone does not substitute for active monitoring of the accepted risk. Option B is wrong because the severity is already labeled critical. Option D is wrong because the risk was accepted, but the monitoring of that acceptance is the issue.

Option C is wrong because the late scan is a symptom; the concern is the lack of follow-up.

19
MCQ · hard

A company uses a risk control self-assessment (RCSA) process that is conducted annually. During a quarterly review, management discovers that several high-risk controls are no longer effective due to changes in the business environment. Which of the following is the BEST way to enhance the monitoring of these controls?

A.Increase the frequency of the RCSA to quarterly.
B.Assign a risk owner to perform manual checks monthly.
C.Implement compensating controls to reduce the risk.
D.Deploy automated control monitoring tools for continuous assessment.
Answer: D

Continuous monitoring provides timely and objective evidence of control effectiveness.

Why this answer

Option D is correct because implementing continuous control monitoring provides real-time insights into control effectiveness. Option A is wrong because increasing the frequency of the RCSA to quarterly still relies on periodic self-assessments, which may not be timely. Option C is wrong because, while compensating controls may help, they do not directly improve monitoring of the existing controls.

Option B is wrong because monthly manual checks are still periodic and may be too infrequent for rapidly changing risks.

20
MCQ · medium

A medium-sized e-commerce company has a risk monitoring program that tracks key risk indicators (KRIs) monthly. One KRI is the percentage of orders with failed payment transactions. The threshold is 2%, but for the past three months, the KRI has been 2.5%, 3.1%, and 2.8%. The risk owner says this is due to a seasonal increase in fraudulent transactions and expects it to return to normal next month. The company has a compensating control that manually reviews flagged transactions. The internal audit team recently tested the compensating control and found it to be 100% effective. The risk committee wants to know if the KRI breach requires action. What should the risk practitioner recommend?

A.Immediately implement additional automated controls to reduce the KRI.
B.Escalate the issue to the board and recommend a risk acceptance.
C.Acknowledge the breach but note that the compensating control is effective, so no immediate action is required; continue to monitor.
D.Lower the KRI threshold to 3% to accommodate seasonal variations.
Answer: C

Appropriate response given the circumstances.

Why this answer

Option C is correct because the compensating control (manual review of flagged transactions) has been tested as 100% effective, meaning the residual risk is within acceptable tolerance despite the KRI breach. The risk owner attributes the breach to a seasonal spike, and the risk monitoring program should continue to track the KRI monthly to confirm a return to normal. Immediate action is not warranted when the compensating control fully mitigates the risk, and the risk committee should be informed that the control is effective.

Exam trap

The trap here is that candidates assume any KRI breach automatically requires immediate remediation or escalation, ignoring the critical role of compensating controls in reducing residual risk to an acceptable level.

How to eliminate wrong answers

Option A is wrong because implementing additional automated controls without evidence of control failure is an overreaction that wastes resources; the existing compensating control is 100% effective, so the residual risk is already managed. Option B is wrong because escalation to the board and risk acceptance are premature—the breach is temporary and the compensating control mitigates the risk, so the issue does not meet the threshold for board-level acceptance. Option D is wrong because lowering the KRI threshold to 3% would mask the underlying risk trend and violate the principle of maintaining consistent, objective risk indicators; thresholds should be adjusted only after a formal risk assessment, not to accommodate seasonal variations without analysis.

21
MCQ · hard

A multinational financial services company has implemented a continuous monitoring program for its trading systems. The program uses automated scripts to check system configurations against a baseline every hour. Recently, the company experienced a significant security incident where a malicious actor exploited a misconfigured firewall rule to exfiltrate sensitive customer data. Post-incident analysis revealed that the misconfiguration had been present for 72 hours before detection. The monitoring scripts did not detect the change because the baseline had been updated two weeks prior to include the misconfiguration as part of a planned change that was later reversed without updating the baseline. The company's change management process requires that all configuration changes be approved and documented, but the reversal of the change was not documented. The incident response team was only alerted when a customer reported suspicious activity. The risk practitioner is tasked with recommending improvements to prevent recurrence. Which of the following is the BEST course of action?

A.Enhance incident response procedures to include notification of customers within 24 hours.
B.Implement a change detection system that compares current configurations to an approved, immutable baseline and alerts on any deviation, with strict change control for baseline updates.
C.Increase the frequency of monitoring scripts to every 30 minutes.
D.Require manual review of all configuration changes by a second analyst.
Answer: B

Addresses root cause of baseline manipulation.

Why this answer

Option B is correct because the root cause is that the baseline was updated to include the misconfiguration, and the subsequent reversal was not documented or reflected in the baseline. A change detection system that compares current configurations to an approved, immutable baseline and alerts on any deviation, with strict change control for baseline updates, directly addresses this by ensuring that only approved changes are in the baseline and any unapproved deviation (including reversals) triggers an alert. This prevents the monitoring system from accepting unauthorized changes as normal.

Exam trap

The trap here is that candidates focus on the monitoring frequency or manual review, but the real failure is the baseline integrity—the monitoring system was working correctly but against a corrupted baseline, so the solution must enforce that the baseline itself is immutable and only updated through strict change control.

How to eliminate wrong answers

Option A is wrong because enhancing incident response procedures to notify customers within 24 hours addresses notification timing after detection, not the root cause of the detection failure—the baseline was corrupted and the monitoring scripts did not detect the misconfiguration. Option C is wrong because increasing the frequency of monitoring scripts to every 30 minutes does not solve the problem; the scripts were already running hourly but failed to detect the change because the baseline had been incorrectly updated, so more frequent checks against a corrupted baseline would still miss the misconfiguration. Option D is wrong because requiring manual review of all configuration changes by a second analyst adds a human check but does not address the automated baseline update process that allowed the misconfiguration to be included without detection; the reversal was not documented, so manual review would not catch the baseline corruption unless the reviewer specifically compares against an immutable approved state.

22
MCQ · easy

A financial institution monitors the number of unauthorized access attempts to its core banking system. The risk owner recommends increasing the monitoring frequency from daily to hourly because a recent attack exploited a delayed detection. Which of the following is the PRIMARY benefit of this change?

A.Faster detection of anomalies
B.Lower cost of monitoring
C.Increased system performance
D.Reduced false positive rate
Answer: A

Hourly monitoring detects anomalies sooner than daily, reducing the attack window.

Why this answer

Option A is correct because faster detection reduces the window of exposure. Option D is wrong because increasing frequency may increase false positives. Option C is wrong because more frequent monitoring may degrade system performance.

Option B is wrong because increasing frequency typically increases cost.

23
MCQ · medium

A security analyst notices that the number of failed login attempts has significantly increased over the past week. The SIEM alerts are not being triggered because the threshold was set too high. What is the MOST effective immediate action to improve monitoring?

A.Implement a new authentication system with biometrics.
B.Lower the threshold for failed login alerts in the SIEM.
C.Enable all SIEM rules to capture every event.
D.Review logs manually each day to identify anomalies.
Answer: B

Directly fixes the issue of missed alerts.

Why this answer

B is correct because the immediate issue is that the SIEM alert threshold is set too high, causing failed login attempts to go undetected. Lowering the threshold directly addresses the monitoring gap by ensuring that the SIEM generates alerts for anomalous failed login activity, enabling timely incident response without requiring a system overhaul.

Exam trap

The trap here is that candidates may choose a more 'secure' but non-immediate option like biometrics (A) or a broad-brush approach like enabling all rules (C), failing to recognize that the question specifically asks for the 'most effective immediate action' to fix the monitoring gap caused by a misconfigured threshold.

How to eliminate wrong answers

Option A is wrong because implementing a new authentication system with biometrics is a long-term control improvement that does not address the immediate monitoring failure; it also introduces new costs and complexity without fixing the SIEM threshold issue. Option C is wrong because enabling all SIEM rules to capture every event would generate excessive noise, overwhelming analysts with false positives and potentially causing alert fatigue, which degrades monitoring effectiveness. Option D is wrong because reviewing logs manually each day is reactive, inefficient, and does not scale; it fails to provide real-time alerting and relies on human attention, which is error-prone and unsustainable for detecting a surge in failed logins.

24
Multi-Select · medium

Which THREE are best practices for control monitoring?

Select 3 answers
A.Use a risk-based approach to prioritize.
B.Test controls at least annually.
C.Rely solely on control owners.
D.Combine automated and manual monitoring.
E.Document results and actions.
Answers: A, D, E

Focuses monitoring efforts on the highest-risk areas.

Why this answer

Best practices include using a risk-based approach, combining automated and manual monitoring, and documenting results. Options A, D, and E are correct. Testing controls at least annually (B) is too prescriptive and not always necessary.

Relying solely on control owners (C) lacks independence.

25
MCQ · easy

A risk owner wants to implement continuous monitoring for a set of critical controls. Which of the following is the PRIMARY benefit of continuous monitoring over periodic testing?

A.Timely detection of control failures.
B.Elimination of manual testing.
C.Compliance with regulatory requirements.
D.Reduced cost of control testing.
Answer: A

Continuous monitoring enables immediate awareness of failures.

Why this answer

Option A is correct because continuous monitoring provides real-time or near-real-time detection of control failures, allowing faster response. Option D is wrong because continuous monitoring can be more expensive. Option B is wrong because manual testing may still be needed for some controls.

Option C is wrong because, while compliance is a benefit, timely detection is the primary advantage.

26
MCQ · hard

A bank's risk committee reviews a monthly risk report that includes KRIs. One KRI shows that the number of failed transactions due to system errors is trending upward. The control owner states that the trend is within the risk appetite. However, the report also shows that the number of customer complaints is stable. What should the risk manager do FIRST?

A.Escalate to the board of directors.
B.Accept the control owner's assessment and continue monitoring.
C.Investigate the root cause of the increasing failed transactions.
D.Recommend increasing the monitoring frequency.
Answer: C

Understanding the cause is essential before any decision.

Why this answer

Option C is correct because an upward trend in a KRI, even if within appetite, warrants investigation to understand the root cause and prevent escalation. Option B is wrong because accepting without investigation misses potential emerging issues. Option D is wrong because increasing frequency is premature without understanding why the trend exists.

Option A is wrong because escalation is not needed before investigation.

27
MCQeasy

During a control monitoring review, a risk analyst discovers that the control owner has not been performing the required monthly reconciliations. What should the analyst do FIRST?

A.Contact the control owner to understand the reason for non-performance.
B.Escalate to the risk committee for immediate action.
C.Update the risk register to reflect control deficiency.
D.Recommend removal of the control as it is not being followed.
AnswerA

Understanding the cause helps determine the appropriate response.

Why this answer

Option A is correct because the analyst should first confirm with the control owner why the control was not performed, as it may be a temporary issue or training gap. Option B is wrong because escalating immediately without understanding the context is premature. Option C is wrong because updating the risk register should follow the investigation.

Option D is wrong because assuming the control is ineffective without investigation is not appropriate.

28
MCQmedium

A risk practitioner is designing a risk dashboard for the executive team. The organization has a high risk appetite for revenue-generating activities but a low risk appetite for regulatory compliance. Which combination of metrics should be prominently displayed?

A.Key risk indicators (KRIs) for revenue-related risks and regulatory compliance status.
B.Percentage of controls tested and employee training completion rates.
C.Vendor risk ratings and number of security incidents.
D.Number of open remediation items and budget variance for risk projects.
AnswerA

Directly aligns to the stated risk appetites.

Why this answer

Option A is correct because KRIs that measure current risk levels against appetite thresholds, along with regulatory compliance status, directly address the dual risk appetites. Option B is wrong because control test results and training completion are process metrics, not direct risk measures. Option C is wrong because vendor risk ratings and incident counts are important but not specific to the stated appetites.

Option D is wrong because remediation timelines and budget variance are operational metrics.

29
MCQmedium

A retail company has a risk monitoring program that tracks key risk indicators (KRIs) for its e-commerce platform. One KRI measures the number of failed payment transactions as a percentage of total transactions. The threshold is set at 2%. Over the past quarter, the KRI has been fluctuating between 1.8% and 2.5%, breaching the threshold several times. Each time the KRI exceeded the threshold, the risk owner performed a manual investigation and found that the failures were due to transient network issues that resolved on their own. The risk owner has now requested that the threshold be raised to 3% to avoid unnecessary investigations. The risk practitioner is evaluating this request. What should the risk practitioner do?

A.Approve the threshold increase since investigations have not found any significant issues.
B.Suggest implementing automated remediation for network issues instead of raising the threshold.
C.Recommend a root cause analysis to determine why network issues are recurring before considering a threshold change.
D.Reject the request and require investigation of every breach.
AnswerC

Addresses the underlying issue.

Why this answer

Option C is correct because the recurring network issues causing threshold breaches indicate an underlying problem that needs to be addressed, not just a threshold adjustment. Raising the threshold without understanding the root cause could mask a significant risk to transaction integrity and revenue. A root cause analysis (RCA) would identify whether the transient network issues stem from infrastructure, configuration, or external dependencies, enabling a proper control response.

Exam trap

The trap here is that candidates may assume raising the threshold is a simple risk acceptance decision, but CRISC emphasizes that risk responses must be based on understanding the root cause, not just adjusting metrics to avoid investigations.

How to eliminate wrong answers

Option A is wrong because approving the threshold increase without investigation ignores the fact that the 2% threshold was set based on risk appetite; raising it to 3% could allow an unacceptable level of failed transactions to go unmonitored, potentially leading to customer dissatisfaction and financial loss. Option B is wrong because suggesting automated remediation assumes the network issues are fully understood and can be programmatically resolved, but without root cause analysis, automation might address symptoms rather than the underlying cause, and could introduce new risks if misconfigured. Option D is wrong because requiring investigation of every breach without considering the pattern of transient, self-resolving issues is inefficient and could lead to alert fatigue, but it does not address the need to understand why the network issues recur.

30
MCQeasy

Which TWO of the following are best practices for risk reporting to senior management?

A.Provide actionable recommendations based on risk trends
B.Avoid discussing risk appetite to prevent confusion
C.Present detailed technical analysis for every risk
D.Focus on key risk areas and exceptions
E.Include all available risk data for transparency
AnswerA, D

Actionable insights drive decision-making.

Why this answer

Options A and D are correct. Reporting should provide actionable insights (A) and highlight key risk areas and exceptions (D). Option E is wrong because an overwhelming amount of data obscures key messages.

Option C is wrong because senior management needs aggregated summaries. Option B is wrong because reporting should address management's risk appetite.

31
Multi-Selectmedium

Which TWO of the following are essential components of an effective control monitoring program?

Select 2 answers
A.A defined baseline for normal system behavior.
B.A comprehensive list of all controls in the organization.
C.A manual checklist for each control reviewed daily.
D.Real-time alerting for all control failures.
E.Clearly defined roles and responsibilities for monitoring activities.
AnswersA, E

Baselines help identify deviations.

Why this answer

A defined baseline for normal system behavior is essential because it provides the reference point against which monitoring tools can detect anomalies, deviations, or potential control failures. Without a baseline, it is impossible to distinguish routine activity from suspicious or unauthorized changes, rendering monitoring alerts meaningless. This baseline is typically established through statistical modeling, threshold tuning, or historical analysis of logs and metrics.

Exam trap

The trap here is that candidates confuse 'control inventory' (Option B) with 'monitoring program components,' or assume that all control failures must trigger real-time alerts (Option D), when in fact effective monitoring prioritizes based on risk and uses baselines to reduce noise.

32
MCQhard

A large financial institution has implemented a risk monitoring framework that includes KRIs for operational risk. Recently, a critical KRI related to trade settlement errors has been showing an upward trend, but it remains within the approved threshold. The risk manager is concerned because the trend indicates potential control degradation. The control owner argues that since the KRI is still within threshold, no action is needed. The risk manager wants to determine the best course of action to address the trend before it breaches the threshold. The organization's risk policy requires proactive monitoring. What should the risk manager do?

A.Conduct a detailed analysis to understand the root cause and consider adjusting the threshold or implementing control enhancements.
B.Implement additional controls immediately.
C.Report the trend to the audit committee.
D.Update the threshold to reflect the new normal.
AnswerA

Root cause analysis enables informed decision-making aligned with proactive monitoring.

Why this answer

Proactive monitoring requires understanding the root cause of the trend and considering whether the threshold remains appropriate. Option A is correct. Option D adjusts the threshold without analysis, masking the issue.

Option B implements controls without understanding the cause. Option C reports to the audit committee prematurely.

33
MCQeasy

Refer to the exhibit. A SIEM correlation rule 'Brute_Force_SSH' has fired excessively due to traffic from internal monitoring servers. What is the BEST course of action?

A.Disable the correlation rule to stop false alerts.
B.Increase the threshold to reduce false positives.
C.Investigate the monitoring servers for compromise.
D.Add an exception in the rule to exclude internal monitoring server IPs.
AnswerD

Targeted tuning reduces false positives.

Why this answer

Option D is correct because the rule is generating false positives from legitimate monitoring servers; tuning the rule to exclude known monitoring sources will reduce noise. Option A is wrong because disabling the rule removes detection for real brute force. Option B is wrong because raising the threshold does not address the source of the false positives, so alert fatigue may persist.

Option C is wrong because the traffic is from known servers, not suspicious.

34
MCQhard

Refer to the exhibit. The control test failed because unauthorized access attempts were detected. The remediation plan suggests additional logging. Is this remediation appropriate?

A.No, the control test methodology is flawed.
B.Yes, because the control is detective in nature.
C.Yes, additional logging will help detect future attempts.
D.No, the remediation should focus on strengthening access controls.
AnswerD

Root cause is unauthorized access; need stronger preventive controls.

Why this answer

Option D is correct because the control test failure was due to unauthorized access attempts, which indicates a weakness in preventive controls. Adding logging (a detective control) does not address the root cause; the remediation should focus on strengthening access controls (e.g., tightening authentication, authorization, or firewall rules) to prevent unauthorized access in the first place. Logging alone would only record future incidents without reducing their likelihood.

Exam trap

The trap here is that candidates confuse 'detecting' with 'preventing' and assume that adding logging is always a valid remediation, but CRISC emphasizes that remediation must address the root cause of the control failure, not just add monitoring.

How to eliminate wrong answers

Option A is wrong because the control test methodology is not inherently flawed; the test correctly identified unauthorized access attempts, so the issue lies with the control's effectiveness, not the testing approach. Option B is wrong because while the control may be detective in nature, the remediation of adding logging is still inappropriate—it fails to address the preventive weakness that allowed unauthorized access, and detective controls should complement, not replace, preventive measures. Option C is wrong because although additional logging will help detect future attempts, detection without prevention does not remediate the underlying vulnerability; the goal should be to stop unauthorized access, not just log it.

35
MCQmedium

Refer to the exhibit. A security analyst reviews firewall logs and sees repeated authentication failures for VPN tunnel attempts between two IP addresses. What is the MOST appropriate action?

A.Block the source IP (203.0.113.5) at the firewall.
B.Contact the destination IP owner to verify credentials.
C.Update the VPN policy to allow all authentication methods.
D.Ignore the logs as routine failed attempts.
AnswerA

Blocking the attacking IP mitigates threat.

Why this answer

Option A is correct because repeated authentication failures indicate a potential brute-force attack or misconfiguration. Blocking the source IP can prevent further attempts. Option D is wrong because ignoring the logs may allow a continued attack.

Option C is wrong because allowing all authentication methods is too broad. Option B is wrong because contacting the destination owner without investigation is premature.

36
MCQmedium

An organization has implemented a continuous monitoring solution for its critical applications. The IT team reports that the monitoring tool generates a high volume of false positives. What is the BEST course of action?

A.Refine the monitoring rules and thresholds to reduce false positives.
B.Disable the monitoring for applications that generate the most false positives.
C.Increase the size of the monitoring team to handle the alerts.
D.Implement additional detective controls for all false positive alerts.
AnswerA

Tuning the tool reduces noise and enhances monitoring effectiveness.

Why this answer

Option A is correct because reducing false positives improves the efficiency and effectiveness of the monitoring program. Option C is wrong because increasing the number of analysts does not address the root cause. Option B is wrong because disabling monitoring for the noisiest applications may lead to missing real incidents and could increase risk exposure.

Option D is wrong because adding detective controls for alerts that are false positives addresses symptoms, not the noisy rules themselves.

37
MCQhard

A multinational organization uses multiple risk management systems that do not integrate with each other. The risk team manually consolidates data into a spreadsheet for reporting. This process is error-prone and time-consuming. Which of the following is the BEST long-term solution to improve risk monitoring and reporting?

A.Standardize the spreadsheet format across all departments
B.Implement a centralized governance, risk, and compliance (GRC) platform with automated data feeds
C.Train risk owners on how to better manually report risks
D.Assign dedicated staff to perform additional manual reviews of the spreadsheet
AnswerB

A GRC platform streamlines data integration and reporting.

Why this answer

Option B is correct because implementing a centralized GRC platform with data feeds from all systems automates integration and reduces errors. Option D is wrong because simply adding more manual reviews increases overhead. Option A is wrong because standardizing spreadsheets still requires manual consolidation.

Option C is wrong because training does not address the system integration issue.

38
MCQmedium

Refer to the exhibit. The SIEM alert triggered, but the security team did not respond because they were investigating another incident. What is the BEST way to prevent such monitoring gaps in the future?

A.Implement a ticketing system to track alert handling.
B.Hire additional security analysts to handle peak loads.
C.Increase the threshold to reduce false positives.
D.Configure automatic escalation to a secondary response team if the alert is not acknowledged within a set time.
AnswerD

Ensures alerts are not ignored.

Why this answer

Option D is correct because it directly addresses the monitoring gap caused by analyst unavailability. By configuring automatic escalation to a secondary response team if an alert is not acknowledged within a set time, the organization ensures that no alert is left unattended even when the primary team is occupied. This is a standard operational resilience control in SIEM workflows, often implemented via playbook automation or SOAR integration.

Exam trap

The trap here is that candidates often choose 'Hire additional security analysts' (Option B) as a capacity solution, but the question specifically tests the concept of operational resilience through automated failover, not just staffing levels.

How to eliminate wrong answers

Option A is wrong because a ticketing system tracks alert handling but does not automatically reassign or escalate unacknowledged alerts; it only logs the event, leaving the gap unaddressed. Option B is wrong because hiring additional analysts increases capacity but does not guarantee coverage during peak loads or when the team is already engaged; it is a scaling solution, not a failover mechanism. Option C is wrong because increasing the threshold to reduce false positives may suppress legitimate alerts, increasing the risk of missing real incidents; it does not solve the problem of unacknowledged alerts.

39
MCQeasy

A risk practitioner discovers that a critical control deficiency has been open for six months beyond the agreed remediation date. What is the MOST appropriate reporting action?

A.Report the overdue deficiency to senior management for escalation.
B.Notify the control owner and request an updated remediation plan.
C.Accept the delay and extend the remediation date by six months.
D.Update the risk register to reflect the increased residual risk and close out the deficiency.
AnswerA

Timely escalation is key for unresolved critical issues.

Why this answer

Option A is correct because overdue remediation should be escalated to senior management to ensure attention and resource allocation. Option B is wrong because only notifying the control owner may not drive action. Option C is wrong because extending the date without addressing the delay is inappropriate.

Option D is wrong because updating the risk register is a secondary step.

40
MCQeasy

A risk manager notices that a key risk indicator (KRI) for system downtime has exceeded the threshold for two consecutive months. What is the MOST appropriate immediate action?

A.Revise the KRI threshold to a higher value.
B.Archive the current KRI and define a new one.
C.Update the risk register with the new KRI value.
D.Escalate to the risk owner for investigation.
AnswerD

The risk owner should assess the situation and determine corrective actions.

Why this answer

Option D is correct because exceeding the KRI threshold indicates a potential risk increase, and the risk manager should escalate to the risk owner for investigation. Option C is wrong because updating the risk register alone does not address the immediate concern. Option A is wrong because revising the KRI threshold without understanding the cause may mask the issue.

Option B is wrong because the KRI is already defined and monitored; replacing it may not be appropriate.

41
MCQeasy

A company implements a new automated control to monitor user access rights. The control sends a daily report of any users with excessive privileges. What is the PRIMARY benefit of this control?

A.Enables timely remediation of access violations
B.Reduces the number of user access reviews
C.Eliminates the need for manual checks
D.Provides real-time alerts for critical changes
AnswerA

Daily reports allow prompt action to reduce risk.

Why this answer

Option A is correct because the control enables timely identification and remediation of access violations. Option B is not necessarily true, as access reviews may still be needed. Option C is false because manual remediation is still required.

Option D is wrong because daily reports are not real-time alerts.

42
MCQhard

A large financial services firm recently deployed a new security information and event management (SIEM) system to monitor thousands of servers, network devices, and applications. The system is generating over 1,000 alerts per hour, of which 80% are false positives. The security operations center (SOC) team is overwhelmed and has started ignoring all but the most critical alerts. As a result, a real attack recently went undetected for 48 hours. The risk manager is asked to recommend improvements. The SOC team has 12 analysts working in shifts. The SIEM is properly configured but the correlation rules are broad and noisy. The firm cannot add more staff due to budget freeze. What should the risk manager prioritize?

A.Disable all low-priority alerts to reduce volume immediately.
B.Implement a machine learning algorithm to automatically classify alerts.
C.Tune the alerting rules and adopt risk-based prioritization to filter out known false positives.
D.Request budget to hire five additional SOC analysts.
AnswerC

Reduces false positives while retaining meaningful alerts; improves SOC efficiency.

Why this answer

Tuning alerting rules with risk-based prioritization reduces noise and ensures the SOC focuses on true positives. Disabling low-priority alerts (A) may cause important events to be missed; hiring (D) is not feasible under the budget freeze; machine learning (B) is complex and still needs tuning.

43
MCQeasy

During a control self-assessment, an operational manager reports that a manual review control is performed quarterly instead of monthly as documented. What should the risk practitioner do?

A.Accept the change without documentation since risk level is unchanged
B.Escalate the deviation to senior management for disciplinary action
C.Update the control frequency in the risk register and assess residual risk
D.Require the manager to resume monthly reviews immediately
AnswerC

Accurate documentation and risk assessment are key.

Why this answer

The correct answer is C. The practitioner should update the control documentation to reflect the actual frequency and assess whether the quarterly review still provides adequate risk mitigation. Options B and D are punitive and not collaborative.

Option A assumes the risk level is unchanged without analysis.

44
MCQhard

A company uses a dashboard to monitor KRIs. One KRI shows a warning level, but the data is two months old. What is the primary concern?

A.The KRI is not relevant.
B.The dashboard is not user-friendly.
C.The threshold is too low.
D.The monitoring is not timely.
AnswerD

Outdated data prevents timely identification and response to risk changes.

Why this answer

For monitoring to be effective, data must be timely. Old data undermines the ability to respond promptly. Option D is correct.

Options A, B, and C are secondary or irrelevant.

45
MCQmedium

After a security incident, a company implements a new control and begins monitoring its effectiveness. Which of the following metrics would BEST indicate that the control is achieving its objective?

A.Decrease in the number of successful attacks.
B.Reduction in the number of vulnerabilities.
C.Number of incidents reported.
D.Time to detect incidents.
AnswerA

Directly reflects the control's ability to prevent or mitigate attacks.

Why this answer

Option A is correct because the control's objective is to prevent or mitigate incidents, so a decrease in successful attacks directly measures success. Option C is wrong because incident reports include both successful and attempted attacks. Option D is wrong because time to detect is a response metric, not a measure of control effectiveness.

Option B is wrong because vulnerability count is a separate risk factor.

46
MCQmedium

A bank's fraud detection system generates an alert for a transaction, but subsequent investigation finds it false. What should be done?

A.Document the false positive for trend analysis.
B.Report to the board.
C.Ignore future similar alerts.
D.Reduce the sensitivity of the detection system.
AnswerA

Tracking false positives helps identify patterns and improve the detection logic.

Why this answer

False positives should be documented for trend analysis to improve detection accuracy. Option A is correct. Option D reduces sensitivity blindly.

Option C ignores potential patterns. Option B is not appropriate for a single false positive.

47
MCQhard

A company has a control that automatically rejects transactions over $10,000. During a review, it is found that 2% of transactions over $10,000 were approved due to a system glitch. The control owner says the glitch has been fixed. What should the risk practitioner do next?

A.Accept the control owner's assurance and close the finding.
B.Request evidence of the fix and perform a sample test of recent transactions.
C.Recommend a compensating control until the fix is confirmed.
D.Report the issue to the audit committee.
AnswerB

Ensures the issue is resolved.

Why this answer

Option B is correct because the risk practitioner must independently verify that the system glitch has been resolved before closing the finding. Requesting evidence of the fix (e.g., change logs, patch notes) and performing a sample test of recent transactions provides objective assurance that the control is now operating effectively. This aligns with the CRISC principle that control owner assurances alone are insufficient without validation, especially for automated controls where residual risk from the glitch could persist.

Exam trap

The trap here is that candidates assume a control owner's assurance is sufficient (Option A) or that a compensating control is always needed (Option C), but CRISC emphasizes independent verification of control fixes before closure.

How to eliminate wrong answers

Option A is wrong because accepting the control owner's assurance without evidence violates the risk practitioner's duty to independently validate control effectiveness; a verbal fix claim does not confirm the system glitch is resolved. Option C is wrong because recommending a compensating control is premature—the fix is already claimed to be implemented, and the practitioner should first verify it before adding compensating controls, which could introduce unnecessary complexity or cost. Option D is wrong because reporting directly to the audit committee bypasses normal escalation and management review; the issue should first be addressed with the control owner and management, and only escalated if the fix is not confirmed or if residual risk remains unacceptable.

48
MCQhard

A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?

A.Conduct a root cause analysis to identify why errors increased.
B.Immediately implement an automated data entry solution.
C.Increase the frequency of monitoring to detect errors sooner.
D.Assign additional staff to double-check data entries.
AnswerA

Identifies underlying issues to inform corrective actions.

Why this answer

A root cause analysis (RCA) is the best course of action because it systematically identifies the underlying reasons for the increased manual data entry errors, such as inadequate training, unclear procedures, or system interface issues. Without understanding the root cause, any corrective action (like automation or additional staff) may address symptoms rather than the actual problem, leading to wasted resources or recurring control failures. This aligns with the CRISC principle that control effectiveness must be restored by addressing the fundamental cause of degradation, not just the symptoms.

Exam trap

The trap here is that candidates often choose immediate automation (Option B) because it seems like a modern, efficient fix, but the CRISC exam emphasizes that risk treatment must be based on root cause analysis to avoid ineffective or counterproductive controls.

How to eliminate wrong answers

Option B is wrong because immediately implementing an automated data entry solution without first conducting a root cause analysis may introduce new risks (e.g., integration issues, cost overruns, or data mapping errors) and does not address why manual errors increased—automation might not be necessary if the root cause is, for example, a training gap. Option C is wrong because increasing monitoring frequency only detects errors sooner but does not prevent them or fix the underlying cause; it is a detective control, not a corrective one, and may increase monitoring costs without improving control effectiveness. Option D is wrong because assigning additional staff to double-check data entries is a compensating control that adds cost and potential for human error, but it does not address why the original errors increased—it merely adds a layer of review without resolving the root cause.

49
MCQeasy

A manufacturing company's board of directors receives a monthly risk report. Which key performance indicator (KPI) is MOST relevant for the board to assess the effectiveness of internal controls?

A.Number of audit findings per business unit.
B.Number of risk assessments completed this month.
C.Percentage of employees completing annual compliance training.
D.Percentage of control tests passed within the reporting period.
AnswerD

Directly measures control effectiveness.

Why this answer

Option D is correct because the percentage of control tests passed directly indicates control effectiveness, which is a core board concern. Option B is wrong because the number of risk assessments completed is an activity metric, not an effectiveness measure. Option A is wrong because the number of audit findings is an output, not a proactive control measure.

Option C is wrong because the percentage of employees trained is a compliance metric, not a control effectiveness measure.

50
MCQeasy

A risk analyst is reviewing control monitoring results and notices that a detective control has a high false positive rate. What is the BEST action to improve the control's efficiency?

A.Adjust the control's threshold or criteria
B.Accept the false positives as operational tolerance
C.Increase the monitoring frequency
D.Convert the control to a preventive control
AnswerA

Fine-tuning thresholds can reduce false positives while keeping detection effective.

Why this answer

Option A is correct because adjusting thresholds or criteria reduces false positives while maintaining detection capability. Option D is not feasible, as converting the control type is a design change. Option C may increase false positives.

Option B does not improve efficiency.

51
MCQmedium

A risk practitioner is designing a monitoring dashboard for operational risk. Which of the following is the most important consideration?

A.Automate the generation of reports.
B.Use real-time data feeds.
C.Tailor the information to the needs of the target audience.
D.Include all available risk indicators.
AnswerC

Ensures actionable insights.

Why this answer

Option C is correct because the primary goal of a monitoring dashboard is to enable effective decision-making. Tailoring information to the target audience ensures that stakeholders receive relevant, actionable data, reducing cognitive load and preventing alert fatigue. Without this alignment, even the most technically sophisticated dashboard fails its core purpose of supporting risk-informed decisions.

Exam trap

The trap here is that candidates confuse technical capability (real-time data, automation, completeness) with the business requirement of relevance, leading them to choose a technically impressive but contextually inappropriate option like B or D.

How to eliminate wrong answers

Option A is wrong because automating report generation addresses efficiency, not the fundamental requirement of relevance; a dashboard can be fully automated yet still present irrelevant or overwhelming data. Option B is wrong because real-time data feeds are not always necessary for operational risk monitoring—latency tolerance varies by risk type, and real-time feeds can introduce noise and false positives without proper context. Option D is wrong because including all available risk indicators violates the principle of materiality; excessive indicators obscure critical signals and violate the 'less is more' heuristic for effective dashboards.

52
MCQhard

An organization uses a risk register that includes inherent risk, control effectiveness, and residual risk. During a quarterly review, the risk owner updates control effectiveness from 'partially effective' to 'effective'. What effect does this have on the residual risk rating?

A.Inherent risk changes
B.Residual risk decreases
C.Residual risk increases
D.Residual risk remains unchanged
AnswerB

Better controls reduce residual risk.

Why this answer

Option B is correct because improved control effectiveness reduces the likelihood or impact, thus lowering residual risk. Option C is the opposite of the expected effect. Option D is incorrect because residual risk does change.

Option A is wrong because inherent risk does not change based on controls.

53
MCQ · easy

A control owner reports that a preventive control is operating as designed, but the risk owner is concerned that residual risk remains high. What should the risk practitioner do NEXT?

A.Update the risk register to reflect the high residual risk.
B.Recommend additional compensating controls.
C.Escalate the issue to the risk committee.
D.Perform a control effectiveness test to validate the control.
Answer: D

Verifies if control mitigates risk as intended.

Why this answer

The risk practitioner must first validate the control's effectiveness before taking any further action. Even though the control owner reports the preventive control is operating as designed, the risk owner's concern about high residual risk suggests the control may not be adequately mitigating the risk. Performing a control effectiveness test (D) provides objective evidence to determine whether the control is actually reducing risk to an acceptable level, which is the necessary next step before updating the risk register, recommending compensating controls, or escalating.

Exam trap

The trap here is that candidates assume the control owner's report of 'operating as designed' is sufficient evidence, but CRISC emphasizes that control effectiveness must be independently validated through testing before concluding on residual risk.

How to eliminate wrong answers

Option A is wrong because updating the risk register to reflect high residual risk should only occur after the control's effectiveness has been validated; prematurely updating without evidence could misrepresent the risk posture. Option B is wrong because recommending additional compensating controls is premature without first determining whether the existing control is effective; if the control is effective, compensating controls may be unnecessary and introduce unnecessary cost and complexity. Option C is wrong because escalating to the risk committee is a governance action that should be taken only after the risk practitioner has gathered sufficient evidence through testing; escalation without validation could cause unnecessary alarm or misdirect committee attention.

54
MCQ · hard

An organization is considering moving from periodic control testing to continuous monitoring for its critical financial controls. What is the PRIMARY benefit of this transition?

A.Simplification of the control environment.
B.Reduction in monitoring costs.
C.Faster identification of control failures.
D.Elimination of all control failures.
Answer: C

Continuous monitoring reduces detection time.

Why this answer

Option C is correct because continuous monitoring allows for faster detection of and response to control failures. Option B is wrong because continuous monitoring often requires more resources, not fewer. Option D is wrong because control failures are still possible; they are simply detected sooner.

Option A is wrong because continuous monitoring often makes the control environment more complex, not simpler.

55
MCQ · medium

Refer to the exhibit. What is the most appropriate immediate action for the control failure?

A.Ignore as it was followed by a pass.
B.Escalate to the board.
C.Accept the control failure due to subsequent pass.
D.Investigate the root cause of the failure because it occurred before the pass.
Answer: D

Root cause analysis is needed to determine why the control failed.

Why this answer

The control failure requires investigation even though the control later passed. The root cause of the failure must be understood to prevent recurrence. Option D is correct.

Option C accepts the risk without analysis. Option A ignores a potential issue. Option B escalates prematurely.

56
MCQ · easy

Refer to the exhibit. What action should the risk practitioner recommend FIRST?

A.Escalate to the board of directors.
B.Initiate a patch management process to apply critical patches.
C.Adjust the threshold to 10%.
D.Schedule a root cause analysis for next month.
Answer: B

Directly addresses the KRI.

Why this answer

The exhibit shows that critical vulnerabilities have been identified with a high risk score, and the current patch management process is not addressing them in a timely manner. The risk practitioner should first initiate a patch management process to apply critical patches, as this directly reduces the exposure to known exploits and aligns with the principle of treating the highest risks immediately. Delaying action or adjusting thresholds without remediation would leave the organization vulnerable.

Exam trap

The trap here is that candidates may confuse 'escalation' with 'first action' and choose Option A, not realizing that operational remediation (patching) must precede escalation unless the risk is beyond the risk appetite and requires immediate board-level decision-making.

How to eliminate wrong answers

Option A is wrong because escalating to the board of directors is a governance step that should occur after operational remediation actions have been attempted or if there is a systemic failure, not as the first action for a specific technical vulnerability. Option C is wrong because adjusting the threshold to 10% would arbitrarily lower the risk acceptance level without addressing the underlying vulnerabilities, potentially masking critical risks and violating risk management best practices. Option D is wrong because scheduling a root cause analysis for next month delays immediate remediation of critical vulnerabilities, which should be patched urgently to prevent exploitation; root cause analysis can be performed in parallel or after patching.

57
MCQ · hard

A risk practitioner is reviewing the results of a control self-assessment (CSA) and finds that the control owner rated a control as 'effective' but an independent audit found control weaknesses. What is the BEST explanation for this discrepancy?

A.The control owner may have a biased perception of control effectiveness.
B.The CSA was conducted too long ago.
C.The control owner did not understand the control objectives.
D.The audit used a different definition of 'effective'.
Answer: A

Self-assessments often have inherent bias.

Why this answer

The control owner's self-assessment is inherently subjective and may be influenced by personal bias, lack of objectivity, or a desire to report favorable results. An independent audit provides an objective, evidence-based evaluation, so a discrepancy where the owner rates a control as 'effective' while the audit finds weaknesses strongly suggests the owner's perception is skewed. This is the most direct and common explanation for such a conflict in control self-assessment (CSA) results.

Exam trap

The trap here is that candidates may choose Option D (different definition of 'effective') because it seems like a logical technical reason, but the question asks for the 'BEST' explanation, and bias is a more common and fundamental cause of CSA-audit discrepancies than definitional differences.

How to eliminate wrong answers

Option B is wrong because the question does not provide any information about the timing of the CSA relative to the audit; even if the CSA was conducted recently, the discrepancy could still exist due to bias. Option C is wrong because while a control owner might misunderstand objectives, the more fundamental issue is that the owner's rating is a subjective judgment, not a technical misunderstanding of the control's purpose. Option D is wrong because while different definitions could cause a discrepancy, the audit and CSA typically use the same organizational standard for 'effective'; the more likely root cause is the owner's biased perception rather than a definitional mismatch.

58
MCQ · hard

An organization uses a risk appetite statement that limits operational losses to $2 million per quarter. A new risk reporting dashboard shows that current operational losses are $1.8 million with two weeks remaining in the quarter. The head of risk management wants to ensure that losses remain within appetite. Which of the following control monitoring reports would be MOST useful for proactive decision-making?

A.A projected loss report based on current trends and remaining period
B.A report on current loss amounts per business unit
C.A summary of historical operational losses by month
D.A detailed KRI report showing loss frequency by category
Answer: A

Projected reports allow management to take preemptive actions to stay within appetite.

Why this answer

Option A is correct because a projected loss report using trend analysis enables proactive action before the appetite limit is breached. Option C is wrong because a historical report is backward-looking. Option D is wrong because a KRI report by category is too granular and may not show the overall projected trajectory.

Option B is wrong because loss per business unit does not provide a consolidated projection against appetite.

59
MCQ · hard

A large organization is implementing a continuous monitoring program for its critical systems. Which of the following is the MOST important factor for the program's success?

A.Use of advanced analytics and machine learning.
B.Integration with automated incident response workflows.
C.Support from senior management.
D.Clear definition of monitoring scope and objectives.
Answer: B

Automation ensures timely response to alerts.

Why this answer

Integration with automated incident response workflows is the most important factor because continuous monitoring is only effective if detected anomalies or threats can be acted upon in near real-time. Without automated response, alerts may be ignored or delayed, rendering the monitoring program ineffective. This aligns with the CRISC focus on reducing risk through timely remediation, not just detection.

Exam trap

The trap here is that candidates often choose 'Support from senior management' (Option C) because it seems universally important, but the question specifically asks for the 'MOST important factor for the program's success' in a technical monitoring context, where operational integration with response is the key differentiator.

How to eliminate wrong answers

Option A is wrong because advanced analytics and machine learning are enhancements, not foundational requirements; they can introduce false positives and complexity without guaranteeing success if response workflows are manual. Option C is wrong because while senior management support is necessary for funding and policy, it does not directly ensure the operational success of the monitoring program's technical execution. Option D is wrong because clear scope and objectives are prerequisites, but they alone do not ensure that monitoring leads to risk reduction; without automated response, even well-defined monitoring can fail to mitigate threats in time.

60
MCQ · easy

Which of the following is an example of a leading indicator?

A.Number of security incidents.
B.Percentage of employees trained.
C.Audit findings count.
D.Loss amount from fraud.
Answer: B

Training coverage can predict future compliance or security outcomes.

Why this answer

Leading indicators predict future risk events. Percentage of employees trained is a leading indicator for security incidents. Options A, C, and D are lagging indicators that report past events.

61
MCQ · hard

An organization is implementing a new cloud-based customer relationship management (CRM) system. The risk practitioner is designing the control monitoring plan. Which approach BEST ensures continuous monitoring of controls across both the application and infrastructure layers?

A.Implement a generic Security Information and Event Management (SIEM) system with standard rules.
B.Deploy an automated monitoring tool that ingests audit logs from the CRM and cloud infrastructure APIs to trigger alerts on anomalies.
C.Rely on the CRM vendor's SOC 2 Type II report for control assurance.
D.Schedule quarterly manual reviews of user access logs and system configurations.
Answer: B

Enables continuous, real-time monitoring across both layers.

Why this answer

Option B is correct because an automated monitoring tool that ingests the CRM's audit logs and the cloud provider's APIs enables continuous, real-time monitoring across both layers. Option D is wrong because manual periodic reviews cannot provide continuous monitoring. Option C is wrong because relying solely on the vendor's SOC 2 report is insufficient for real-time monitoring.

Option A is wrong because a generic SIEM with standard rules and no customization may miss application-specific risks.

62
MCQ · hard

A company monitors key risk indicators (KRIs) using a dashboard. The risk manager notices that a KRI has a green status but the underlying control testing shows a high failure rate. What action should the risk manager take FIRST?

A.Escalate to the risk committee
B.Change the KRI threshold to amber
C.Investigate the KRI calculation methodology
D.Re-test the control
Answer: C

The KRI might be using incorrect data or outdated baselines.

Why this answer

Option C is correct because the discrepancy suggests the KRI calculation may be flawed. Option B jumps to adjusting thresholds without understanding the root cause. Option D may be premature if the control testing is already accurate.

Option A escalates without first analyzing the issue.

63
Multi-Select · easy

Which TWO of the following are examples of control monitoring activities?

Select 2 answers
A.Periodic manual testing of a sample of transactions for compliance with approval policy.
B.Automated alerts when a system control fails to execute.
C.Assigning owners to each control in the control framework.
D.Reporting key risk indicator values to the risk committee.
E.Updating the risk register based on control test results.
Answers: A, B

Direct testing verifies control operation.

Why this answer

Options A and B are correct. Manual testing of transactions and automated alerts on control failures are direct monitoring activities. Option C is wrong because assigning ownership is part of control design, not monitoring.

Option E is wrong because updating the risk register is a risk management activity, not direct control monitoring. Option D is wrong because KRIs are risk metrics; reporting their values is risk reporting, not control monitoring.

64
MCQ · hard

You are the risk manager for a multinational corporation that relies heavily on a cloud-based ERP system. The system is critical for financial reporting and supply chain management. Recently, the company experienced a significant increase in the number of failed user authentication attempts, which were traced to a misconfiguration in the identity management module. The misconfiguration was detected by the security operations center (SOC) through log analysis, but it took three days to identify and resolve. The root cause was a change made by a cloud administrator without following the change management process. The incident resulted in a temporary denial of service for external users. The company's risk appetite for system availability is low, with a tolerance for downtime of no more than one hour per month. The current monitoring controls include quarterly access reviews and SOC monitoring of logs with a 24-hour review cycle. The board has requested a report on the incident and recommendations to prevent recurrence. What is the MOST effective recommendation to improve monitoring and reduce the likelihood of similar incidents?

A.Implement automated real-time monitoring of critical configuration changes with alerts.
B.Require all change requests to be approved by the change advisory board (CAB).
C.Increase the frequency of access reviews to monthly.
D.Provide additional training to cloud administrators on security policies.
Answer: A

Real-time monitoring would detect and alert on unauthorized changes immediately.

Why this answer

Option A is correct because implementing real-time monitoring of critical configuration changes would have detected the misconfiguration immediately, preventing the extended downtime. Option B is wrong because, while stronger change management oversight is important, it does not directly improve monitoring of the configuration itself. Option D is wrong because training cloud administrators does not address detection of the configuration change.

Option C is wrong because periodic access reviews, even if increased to monthly, are too infrequent to catch unauthorized changes in a timely manner.

65
Multi-Select · hard

Which THREE of the following are key considerations when designing a risk reporting framework? (Choose three.)

Select 3 answers
A.Timeliness of the information provided.
B.Including all operational data for completeness.
C.Consistency in definitions and metrics over time.
D.Aligning with industry best practices for risk reporting.
E.Tailoring the report to the target audience.
Answers: A, C, E

Timely information allows management to act promptly.

Why this answer

Options A, C, and E are correct. Risk reporting should be timely to support decision-making, consistent over time for trend analysis, and tailored to the audience. Option B is wrong because including all operational data can overwhelm management.

Option D is wrong because reporting should generally align with the organization's own risk appetite, not external benchmarks.

66
MCQ · hard

A financial institution has a control that manually reviews all wire transfers over $10,000. During an audit, it was found that the review is completed within 24 hours for 95% of transactions, but the target is 99%. The process owner wants to improve the control's effectiveness. Which of the following would be the MOST effective remediation?

A.Implement a second level of approval for all wire transfers.
B.Automate the review process using an application control.
C.Increase the number of staff performing the reviews.
D.Adjust the target to 95% to reflect current performance.
Answer: B

Automation reduces manual effort, errors, and improves timeliness.

Why this answer

Option B is correct because automating the review process ensures consistent and timely completion without relying on manual effort. Option D is wrong because simply adjusting the target does not address the underlying process issue. Option C is wrong because increasing staff may help but is less efficient than automation.

Option A is wrong because adding another approval step would further delay the process.

67
MCQ · easy

A risk manager notices that a key risk indicator (KRI) for network downtime has been steadily increasing over the past three months. The current value is 15% above the risk tolerance threshold. Which of the following is the BEST immediate action?

A.Lower the risk tolerance threshold to trigger more frequent alerts
B.Accept the increased risk without further analysis because the trend is gradual
C.Alert the risk owner and initiate a root cause analysis
D.Increase the risk tolerance threshold to match the current level
Answer: C

This follows the standard escalation process for KRI breaches.

Why this answer

Option C is correct because the KRI has exceeded the risk tolerance threshold, indicating a potential control failure or emerging threat. The immediate action is to alert the risk owner, who has accountability for the risk, and initiate a root cause analysis to identify why network downtime is increasing. This aligns with the CRISC process of monitoring KRIs and escalating when thresholds are breached.

Exam trap

The trap here is that candidates may confuse adjusting the threshold (a control metric) with managing the risk itself, but CRISC emphasizes that thresholds are set to trigger action, not to be moved to avoid action.

How to eliminate wrong answers

Option A is wrong because lowering the tolerance threshold would increase alert frequency but does not address the underlying cause of the increasing downtime; it merely changes the measurement baseline. Option B is wrong because accepting the risk without analysis violates the principle of proactive risk management; a gradual trend does not justify ignoring a threshold breach, as it may indicate a systemic issue. Option D is wrong because raising the tolerance threshold to match the current level effectively normalizes the breach, eliminating the early warning function of the KRI and masking the problem.

68
MCQ · easy

An organization has a risk indicator that shows the number of failed login attempts per day. The threshold is 100. Last week, the number spiked to 200 on two days. What does this indicate?

A.The system is experiencing a denial-of-service attack.
B.There may be a brute-force attack in progress.
C.The password policy needs to be updated.
D.Users have forgotten their passwords.
Answer: B

High failed logins suggest password guessing.

Why this answer

A spike in failed login attempts from a baseline of 100 to 200 per day is a classic indicator of a brute-force attack, where an attacker systematically tries multiple username/password combinations. This risk indicator directly measures authentication failures, which are the primary symptom of such an attack. The threshold breach signals that the control (account lockout or rate limiting) may be insufficient or failing.

Exam trap

The trap here is that candidates confuse a spike in failed logins with a DoS attack, but DoS attacks target availability (e.g., SYN flood) rather than authentication failures, which are a confidentiality/integrity concern.

How to eliminate wrong answers

Option A is wrong because a denial-of-service (DoS) attack typically causes a spike in traffic volume or resource exhaustion, not specifically failed login attempts; a DoS would likely overwhelm the entire system, not just authentication. Option C is wrong because a password policy update (e.g., complexity or expiration) would not cause a sudden two-day spike in failed logins; policy changes affect long-term compliance, not immediate authentication failure rates. Option D is wrong because users forgetting passwords would cause a consistent, low-level increase in failed logins, not a sharp spike to 200% of the threshold on only two days; such a pattern is more indicative of automated malicious activity.

69
MCQ · medium

A control owner reports that a control is operating effectively, but the internal audit found a deficiency. What should the risk manager do?

A.Re-test the control independently.
B.Update the control description.
C.Remove the control from monitoring.
D.Accept audit's finding.
Answer: A

Independent testing provides objective evidence to resolve the discrepancy.

Why this answer

When there is a conflict between a self-assessment and an audit finding, independent re-testing is needed to determine the truth. Option A is correct. Option D accepts the audit finding without verification.

Option B changes the description without evidence. Option C removes monitoring prematurely.

70
MCQ · medium

An S3 bucket policy is configured as shown. During a monitoring review, the risk practitioner notices that the 'DenyAll' policy is never evaluated because of an explicit allow. What is the MOST likely monitoring gap?

A.No KRI is defined for unauthorized access attempts
B.Server-side encryption is not enabled for the bucket
C.No automated test validates that the DenyAll policy is effective
D.User access reviews are not performed quarterly
Answer: C

Without testing, policy misconfiguration may go unnoticed.

Why this answer

The correct answer is C. The exhibit shows two statements: a DenyAll statement that denies all actions and an AllowRead statement that allows GetObject, conditioned on the source address being in 10.0.0.0/8. In AWS policy evaluation an explicit deny always overrides an allow, so a request from a 10.x.x.x address would match AllowRead but would also match DenyAll and be denied. The premise that DenyAll is 'never evaluated because of an explicit allow' therefore reflects a misunderstanding of the evaluation logic; the more likely effect is that DenyAll unintentionally blocks legitimate access from the permitted range.

Whichever way the policy actually behaves, the monitoring gap is the same: there is no mechanism that checks whether the policy produces its intended effect, so a misconfiguration (or a misreading of it) can go unnoticed. The intended answer is that the monitoring program does not include policy validation tests.

Option A is about KRIs, not policy validation. Option D is about access reviews, not the policy itself. Option B is about encryption, which is unrelated to policy evaluation.

71
Multi-Select · medium

Which TWO of the following are characteristics of an effective key risk indicator (KRI)?

Select 2 answers
A.Leading indicators that provide early warning.
B.Large number of indicators to cover all risks.
C.Measurable and quantifiable metrics.
D.Lagging indicators that confirm past events.
E.Qualitative assessments based on expert opinion.
Answers: A, C

Leading indicators are predictive.

Why this answer

Options A and C are correct because KRIs should be leading (predictive) and measurable. Option D is wrong because lagging indicators are not predictive (though they may still be used). Option B is wrong because too many KRIs cause overload.

Option E is wrong because qualitative measures are sometimes needed but quantitative is preferred.

72
MCQ · easy

You are the risk manager at a financial institution that processes online transactions. The organization relies on a legacy system for transaction authorization, which is monitored via manual log reviews performed weekly by a junior analyst. Recently, the internal audit team identified that several unauthorized transactions were not detected for over two weeks. The logs showed that the authorization control failed intermittently due to a known software bug, but the bug had been documented in the risk register with a low residual risk rating. The CRO asks you to recommend the most effective improvement to the control monitoring process. Which of the following would be the BEST course of action?

A.Implement an automated real-time monitoring tool that alerts on authorization failures.
B.Increase the frequency of log reviews to daily.
C.Update the risk register to increase the residual risk rating for the bug.
D.Retrain the junior analyst on log analysis techniques.
Answer: A

Automated monitoring provides immediate detection and reduces reliance on manual reviews.

Why this answer

Implementing an automated real-time monitoring tool that alerts on authorization failures directly addresses the root cause: the detection delay caused by manual weekly log reviews. Unlike manual reviews, automated monitoring provides immediate notification of control failures, enabling rapid response to intermittent software bugs and reducing the window of exposure for unauthorized transactions.

Exam trap

The trap here is that candidates often choose to increase review frequency (Option B) because it seems like a direct improvement, but they fail to recognize that manual reviews, regardless of frequency, still suffer from human delay and cannot match the immediacy of automated monitoring for intermittent control failures.

How to eliminate wrong answers

Option B is wrong because increasing log review frequency to daily still relies on manual analysis, which introduces human latency and potential oversight; it does not eliminate the detection gap for intermittent failures that occur between reviews. Option C is wrong because updating the risk register to increase the residual risk rating is a documentation change that does not improve the actual monitoring or detection capability; it merely acknowledges the problem without fixing it. Option D is wrong because retraining the junior analyst on log analysis techniques does not address the fundamental issue of manual review latency and the inability to detect failures in near real-time; even a highly skilled analyst cannot overcome the delay inherent in periodic manual checks.

73
Multi-Select · hard

Which THREE of the following should be included in a board-level risk report to effectively communicate the organization's risk profile?

Select 3 answers
A.Emerging risks and trend analysis of key risk indicators over the past quarter.
B.A list of the most recent security incidents with root cause analysis.
C.Detailed descriptions of all controls mitigating the top risks.
D.A risk heat map showing the current likelihood and impact of top risks.
E.A summary of current risk exposure relative to the board-approved risk appetite.
Answers: A, D, E

Trends and emerging risks support proactive oversight.

Why this answer

Options A, D, and E are correct. A risk heat map visualizes the top risks; emerging risks and trend analysis provide context for forward-looking decisions; and exposure relative to risk appetite helps the board assess alignment. Option C is wrong because detailed control descriptions are too granular for board level.

Option B is wrong because individual incident details are operational; an aggregated trend is more appropriate.

74
Multi-Select · medium

Which THREE of the following are characteristics of leading key risk indicators (KRIs)?

Select 3 answers
A.They are predictive in nature.
B.They are based on historical data.
C.They measure past events and losses.
D.They provide early warning of potential risk events.
E.They enable proactive risk mitigation.
Answers: A, D, E

Leading indicators predict future risk levels.

Why this answer

Leading key risk indicators (KRIs) are predictive in nature because they track forward-looking metrics that signal potential future risk events before they occur. Unlike lagging indicators that measure past outcomes, leading KRIs use trend analysis and threshold monitoring to forecast changes in risk exposure, enabling organizations to anticipate and address issues proactively.

Exam trap

The trap here is that candidates often confuse leading KRIs with lagging indicators, mistakenly selecting options that describe historical or past-event measurements because they think all KRIs are backward-looking, but CRISC emphasizes that leading KRIs are forward-looking and predictive.

75
Multi-Select · easy

A risk manager is designing monthly risk reports for senior management. Which THREE of the following should be included in an effective risk report? (Choose three.)

Select 3 answers
A.Names of individual employees responsible for control failures.
B.Changes in the risk landscape.
C.Key risk indicators (KRIs) and their trends.
D.Detailed control test results for every control.
E.Status of risk treatment plans.
Answers: B, C, E

Keeps management informed of external and internal changes.

Why this answer

Options B, C, and E are correct. KRIs and their trends provide a high-level view, the status of risk treatment plans shows progress, and changes in the risk landscape highlight emerging risks. Option D is wrong because detailed test results are too granular for senior management.

Option A is wrong because naming individuals is inappropriate and not constructive.
