Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?
Closed management action plans from the previous audit
Annual risk assessment results
An updated vulnerability management report
A list of identified generic risk scenarios
The audit planning process is the process of defining and describing the scope, objectives, and approach of the internal audit that is performed to assess and evaluate the adequacy and effectiveness of the organization’s governance, risk management, and control functions. The audit planning process involves identifying and prioritizing the audit areas, topics, or issues, and allocating the audit resources, time, and budget.
The most important information for a risk practitioner to provide to the internal audit department during the audit planning process is the annual risk assessment results, which are the outcomes or outputs of the risk assessment process that measures and compares the likelihood and impact of various risk scenarios, and prioritizes them based on their significance and urgency. The annual risk assessment results can help the internal audit department to plan the audit by providing the following information:
The level and priority of the risks that may affect the organization’s objectives and operations, and the potential consequences or impacts that they may cause for the organization if they materialize.
The gap or difference between the current and desired level of risk, and the extent or degree to which the risk responses or controls contribute to or affect the gap or difference.
The cost-benefit or feasibility analysis of the possible actions or plans to address or correct the risks and their responses, and the expected or desired outcomes or benefits that they may provide for the organization.
The other options are not the most important information for a risk practitioner to provide to the internal audit department during the audit planning process, because they do not provide the same level of detail and insight that the annual risk assessment results provide, and they may not be relevant or actionable for the internal audit department.
Closed management action plans from the previous audit are the actions or plans that have been implemented or completed by the management to address or correct the findings or recommendations from the previous internal audit that was performed. Closed management action plans from the previous audit can provide useful information on the progress and performance of the management in improving and optimizing the organization’s governance, risk management, and control functions, but they are not the most important information for a risk practitioner to provide to the internal audit department during the audit planning process, because they do not indicate the current or accurate state and performance of the organization’s risk profile, and they may not cover all the relevant or emerging risks that may exist or arise.
An updated vulnerability management report is a report that provides the information and status of the vulnerabilities or weaknesses in the organization’s assets, processes, or systems that can be exploited or compromised by the threats or sources of harm that may affect the organization’s objectives or operations. An updated vulnerability management report can provide useful information on the existence and severity of the vulnerabilities, and the actions or plans to mitigate or prevent them, but it is not the most important information for a risk practitioner to provide to the internal audit department during the audit planning process, because it does not indicate the likelihood and impact of the risk scenarios that are associated with the vulnerabilities, and the potential consequences or impacts that they may cause for the organization.
A list of identified generic risk scenarios is a list that contains the descriptions or representations of the possible or hypothetical situations or events that may cause or result in a risk for the organization, without specifying the details or characteristics of the risk source, event, cause, or impact. A list of identified generic risk scenarios can provide useful information on the types or categories of the risks that may affect the organization, but it is not the most important information for a risk practitioner to provide to the internal audit department during the audit planning process, because it does not indicate the level and priority of the risks, and the potential consequences or impacts that they may cause for the organization. References =
ISACA, CRISC Review Manual, 7th Edition, 2022, pp. 19-20, 23-24, 27-28, 31-32, 40-41, 47-48, 54-55, 58-59, 62-63
ISACA, CRISC Review Questions, Answers & Explanations Database, 2022, QID 188
CRISC Practice Quiz and Exam Prep
Which of the following would be the BEST way to help ensure the effectiveness of a data loss prevention (DLP) control that has been implemented to prevent the loss of credit card data?
Testing the transmission of credit card numbers
Reviewing logs for unauthorized data transfers
Configuring the DLP control to block credit card numbers
Testing the DLP rule change control process
A data loss prevention (DLP) control is a technology that tries to detect and stop sensitive data breaches, or data leakage incidents, in an organization. A DLP control is used to prevent sensitive data, such as credit card numbers, from being disclosed to an unauthorized person, whether it is deliberate or accidental1. The best way to help ensure the effectiveness of a DLP control that has been implemented to prevent the loss of credit card data is to test the transmission of credit card numbers. This is a technique to verify that the DLP control can successfully identify and block the credit card data when it is sent or received through various channels, such as email, messaging, or file transfers. Testing the transmission of credit card numbers can help to evaluate the accuracy and reliability of the DLP control, as well as to identify and correct any false positives or false negatives. The other options are not the best ways to help ensure the effectiveness of a DLP control that has been implemented to prevent the loss of credit card data, although they may be helpful and complementary. Reviewing logs for unauthorized data transfers is a technique to monitor and analyze the DLP control activities and incidents, such as who, what, when, where, and how the data was transferred. However, reviewing logs is a reactive and passive approach, while testing the transmission is a proactive and active approach. Configuring the DLP control to block credit card numbers is a technique to set up the DLP control rules and policies, such as defining the data patterns, the detection methods, and the response actions. However, configuring the DLP control is a prerequisite and a preparation step, while testing the transmission is a validation and a verification step. Testing the DLP rule change control process is a technique to ensure that the DLP control rules and policies are updated and maintained in a controlled and coordinated manner, such as obtaining approval, documenting the changes, testing the changes, and communicating the changes. However, testing the DLP rule change control process is a quality and governance step, while testing the transmission is a performance and functionality step. References = What is Data Loss Prevention (DLP)? | Digital Guardian1; CRISC Review Manual, pages 164-1652; CRISC Review Questions, Answers & Explanations Manual, page 833
After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:
recommend a program that minimizes the concerns of that production system.
inform the development team of the concerns, and together formulate risk reduction measures.
inform the process owner of the concerns and propose measures to reduce them
inform the IT manager of the concerns and propose measures to reduce them.
A risk assessment of a production system is a process of identifying, analyzing, evaluating, and treating the risks that may affect the performance, quality, or safety of the production system, which is a system that transforms inputs into outputs using various resources, processes, and technologies12.
The most appropriate action for the risk manager to take after undertaking a risk assessment of a production system is to inform the process owner of the concerns and propose measures to reduce them, which is a process of communicating and consulting with the person who is responsible for the design, operation, and improvement of the production system, and suggesting possible risk responses that can prevent, mitigate, transfer, or accept the risks34.
This action is the most appropriate because it ensures the involvement and collaboration of the process owner, who has the authority and accountability to implement and monitor the risk responses, and who can provide feedback and input on the feasibility and effectiveness of the proposed measures34.
This action is also the most appropriate because it supports the risk management process and objectives, which are to identify and address the risks that may affect the achievement of the organization’s goals and the delivery of value to the stakeholders34.
The other options are not the most appropriate actions, but rather possible alternatives or supplements that may have some limitations or drawbacks. For example:
Recommending a program that minimizes the concerns of the production system is an action that involves designing and planning a set of coordinated and interrelated activities and tasks that aim to reduce the likelihood or impact of the risks34. However, this action is notthe most appropriate because it does not involve the process owner, who is the key stakeholder and decision maker for the production system, and who may have different views or preferences on the risk responses34.
Informing the development team of the concerns, and together formulating risk reduction measures is an action that involves communicating and consulting with the group of people who are responsible for creating, testing, and deploying the products or services that are produced by the production system, and jointly developing possible risk responses34. However, this action is not the most appropriate because it does not involvethe process owner, who is the primary owner and user of the production system, and who may have different needs or expectations on the risk responses34.
Informing the IT manager of the concerns and proposing measures to reduce them is an action that involves communicating and consulting with the person who is responsible for managing and overseeing the IT resources, processes, and systems that support the production system, and suggesting possible risk responses34. However, this action is not the most appropriate because it does not involve the process owner, who is the main stakeholder and beneficiary of the production system, and who may have different requirements or constraints on the risk responses34. References =
1: Risk Assessment for the Production Process1
2: Risk Assessment for Industrial Equipment2
3: Risk IT Framework, ISACA, 2009
4: IT Risk Management Framework, University of Toronto, 2017
Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?
Key risk indicator (KRI) thresholds
Inherent risk
Risk likelihood and impact
Risk velocity
According to the CRISC Review Manual (Digital Version), key risk indicator (KRI) thresholds are the most likely elements of a risk register to change as a result of change in management’s risk appetite, as they reflect the acceptable levels of risk exposure for the organization. KRI thresholds are the values or ranges that trigger an alert or a response when the actual KRI values deviate from the expected or desired values. KRI thresholds help to:
Monitor and measure the current risk levels and performance of the IT assets and processes
Identify and report any risk issues or incidents that may require attention or action
Evaluate the effectiveness and efficiency of the risk response actions and controls
Align the risk management activities and decisions with the organization’s risk appetite and risk tolerance
If the management’s risk appetite changes, the KRI thresholds may need to be adjusted accordingly to ensure that the risk register reflects the current risk preferences and expectations of the organization.
References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.1: IT Risk Monitoring, pp. 217-2181
Copyright © 2021-2025 CertsTopics. All Rights Reserved
