CRISC Isaca Exam Lab Questions

According to the CRISC Review Manual (Digital Version), the primary reason a risk practitioner would be interested in an internal audit report is to evaluate the maturity of the risk management process, as it provides an independent and objective assessment of the effectiveness and efficiency of the risk management activities and controls. An internal audit report helps to:

Identify and evaluate the strengths and weaknesses of the risk management process and its alignment with the organization’s objectives and strategy

Detect and report any gaps, errors, or deficiencies in the risk identification, assessment, response, and monitoring processes and controls

Recommend and implement corrective actions or improvement measures to address the issues or findings in the risk management process

Communicate and coordinate the audit results and recommendations with the relevant stakeholders, such as the risk owners, the senior management, and the board

Enhance the accountability and transparency of the risk management process and its outcomes

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 223-2241

The most critical factor when designing controls is the involvement of the process owner, who is the person responsible for the performance and outcomes of a business process. The process owner has the best knowledge and understanding of the process objectives, activities, inputs, outputs, resources, and risks. The process owner can provide valuable input and feedback on the design of controls that are relevant, effective, efficient, and aligned with the process goals. The process owner can also ensure that the controls are implemented, monitored, and improved as needed. The involvement of the process owner can also increase the acceptance and ownership of the controls by the process participants and stakeholders. The other options are less critical when designing controls. The involvement of internal audit can provide assurance and advice on the adequacy and effectiveness of the controls, but internal audit is not responsible for the design or implementation of the controls. The quantitative impact of the risk can help to prioritize and justify the controls, but it is not sufficient to determine the appropriate type and level of controls. The identification of key risk indicators can help to monitor and measure the risk and the performance of the controls, but it is not the main driver of the control design. References = Risk IT Framework, ISACA, 2022, p. 181

The business process owner should be the risk owner for the risk exposure due to weak technical controls in a newly implemented HR system, because they are responsible for the performance and outcomes of the HR business process, and they understand the business requirements, expectations, and impact of the HR system. The business process owner can also evaluate the trade-offs between the potential benefits and costs of the HR system, and the potential risks and consequences of a failure or breach of the system. The business process owner can also communicate and justify their risk acceptance or mitigation decision to the senior management and other stakeholders, and ensure that the risk is monitored and reviewed regularly. The other options are less appropriate to be the risk owner for this risk exposure. The chief risk officer is responsible for overseeing the enterprise-wide risk management framework and process, which includes ensuring the identification, assessment, and reporting of risks. However, they are not the owner of the HR system or the HR business process, and they may not have the full knowledge or authority to accept or mitigate the risk on behalf of the business. The project manager is responsible for managing the implementation of the HR system, which includes ensuring the delivery of the system within the scope, time, and budget constraints. However, they are not the owner of the HR system or the HR business process, and they may not have the full knowledge or authority to accept or mitigate the risk on behalf of the business. The chief information officer is responsible for managing the IT function and resources, which includes providing the technical support and security for the HR system. However, they are not the owner of the HR system or the HR business process, and they may not have the full knowledge or authority to accept or mitigate the risk on behalf of the business. References = Getting risk ownership right 1

According to the CRISC Review Manual (Digital Version), the organization’s culture is the most important factor affecting risk management in an organization, as it influences the risk awareness, risk attitude, risk behavior and risk communication of all stakeholders. The organization’s culture is defined as the shared values, beliefs, norms and expectations that guide the actions and interactions of the members of the organization. The organization’s culture affects how risk management is perceived, supported, implemented and integrated within the organization. A strong risk culture is one that:

Aligns with the organization’s vision, mission, strategy and objectives

Promotes a common understanding of risk and its implications for the organization

Encourages the identification, assessment, response and monitoring of risks at all levels

Fosters a proactive, collaborative and transparent approach to risk management

Empowers and rewards the stakeholders for taking ownership and accountability of risks

Enables continuous learning and improvement of risk management capabilities and maturity

References = CRISC Review Manual (Digital Version), Chapter 1: IT Risk Identification, Section 1.3: IT Risk Culture, pp. 23-251