Isaca CRISC Free Practice Questions

NEW QUESTION 1

Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

• A. A decrease in control layering effectiveness
• B. An increase in inherent risk
• C. An increase in control vulnerabilities
• D. An increase in the level of residual risk

Answer: D

NEW QUESTION 2

The PRIMARY purpose of IT control status reporting is to:

• A. ensure compliance with IT governance strategy.
• B. assist internal audit in evaluating and initiating remediation efforts.
• C. benchmark IT controls with Industry standards.
• D. facilitate the comparison of the current and desired states.

Answer: D

NEW QUESTION 3

A trusted third party service provider has determined that the risk of a client's systems being hacked is low. Which of the following would be the client's BEST course of action?

• A. Perform their own risk assessment
• B. Implement additional controls to address the risk.
• C. Accept the risk based on the third party's risk assessment
• D. Perform an independent audit of the third party.

Answer: C

NEW QUESTION 4

An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

• A. identify key risk indicators (KRls) for ongoing monitoring
• B. validate the CTO's decision with the business process owner
• C. update the risk register with the selected risk response
• D. recommend that the CTO revisit the risk acceptance decision.

Answer: A

NEW QUESTION 5

IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

• A. the cost associated with each control.
• B. historical risk assessments.
• C. key risk indicators (KRls).
• D. information from the risk register.

Answer: D

NEW QUESTION 6

Which of the following should be the PRIMARY input when designing IT controls?

• A. Benchmark of industry standards
• B. Internal and external risk reports
• C. Recommendations from IT risk experts
• D. Outcome of control self-assessments

Answer: B

NEW QUESTION 7

Which of the following is the PRIMARY purpose of periodically reviewing an organization's risk profile?

• A. Align business objectives with risk appetite.
• B. Enable risk-based decision making.
• C. Design and implement risk response action plans.
• D. Update risk responses in the risk register

Answer: B

NEW QUESTION 8

Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

• A. Configuration updates do not follow formal change control.
• B. Operational staff perform control self-assessments.
• C. Controls are selected without a formal cost-benefit
• D. analysis-Management reviews security policies once every two years.

Answer: A

NEW QUESTION 9

Which of the following risk register updates is MOST important for senior management to review?

• A. Extending the date of a future action plan by two months
• B. Retiring a risk scenario no longer used
• C. Avoiding a risk that was previously accepted
• D. Changing a risk owner

Answer: A

NEW QUESTION 10

When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

• A. business process objectives have been met.
• B. control adheres to regulatory standards.
• C. residual risk objectives have been achieved.
• D. control process is designed effectively.

Answer: C

NEW QUESTION 11

A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

• A. Recommend avoiding the risk.
• B. Validate the risk response with internal audit.
• C. Update the risk register.
• D. Evaluate outsourcing the process.

Answer: B

NEW QUESTION 12

Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

• A. Weak governance structures
• B. Senior management scrutiny
• C. Complex regulatory environment
• D. Unclear reporting relationships

Answer: D

NEW QUESTION 13

Which of the following would prompt changes in key risk indicator {KRI) thresholds?

• A. Changes to the risk register
• B. Changes in risk appetite or tolerance
• C. Modification to risk categories
• D. Knowledge of new and emerging threats

Answer: B

NEW QUESTION 14

Which of the following is the MOST important characteristic of an effective risk management program?

• A. Risk response plans are documented
• B. Controls are mapped to key risk scenarios.
• C. Key risk indicators are defined.
• D. Risk ownership is assigned

Answer: D

NEW QUESTION 15

Which of the following should be the HIGHEST priority when developing a risk response?

• A. The risk response addresses the risk with a holistic view.
• B. The risk response is based on a cost-benefit analysis.
• C. The risk response is accounted for in the budget.
• D. The risk response aligns with the organization's risk appetite.

Answer: D

NEW QUESTION 16

Which of the following is MOST critical when designing controls?

• A. Involvement of internal audit
• B. Involvement of process owner
• C. Quantitative impact of the risk
• D. Identification of key risk indicators

Answer: B

NEW QUESTION 17

Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

• A. A high number of approved exceptions exist with compensating controls.
• B. Successive assessments have the same recurring vulnerabilities.
• C. Redundant compensating controls are in place.
• D. Asset custodians are responsible for defining controls instead of asset owners.

Answer: D

NEW QUESTION 18

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

• A. Reviewing access control lists
• B. Authorizing user access requests
• C. Performing user access recertification
• D. Terminating inactive user access

Answer: B

NEW QUESTION 19

A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

• A. The underlying data source for the KRI is using inaccurate data and needs to be corrected.
• B. The KRI is not providing useful information and should be removed from the KRI inventory.
• C. The KRI threshold needs to be revised to better align with the organization s risk appetite
• D. Senior management does not understand the KRI and should undergo risk training.

Answer: C

NEW QUESTION 20

A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

• A. conduct a gap analysis against compliance criteria.
• B. identify necessary controls to ensure compliance.
• C. modify internal assurance activities to include control validation.
• D. collaborate with management to meet compliance requirements.

Answer: A

NEW QUESTION 21

From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

• A. The organization gains assurance it can recover from a disaster
• B. Errors are discovered in the disaster recovery process.
• C. All business critical systems are successfully tested.
• D. All critical data is recovered within recovery time objectives (RTOs).

Answer: B

NEW QUESTION 22

To implement the MOST effective monitoring of key risk indicators (KRIs), which of the following needs to be in place?

• A. Threshold definition
• B. Escalation procedures
• C. Automated data feed
• D. Controls monitoring

Answer: A

NEW QUESTION 23

While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

• A. control is ineffective and should be strengthened
• B. risk is inefficiently controlled.
• C. risk is efficiently controlled.
• D. control is weak and should be removed.

Answer: B

NEW QUESTION 24
......