Isaca CRISC Questions Answers

According to the FIC Article by FSCA, accountable institutions remain fully accountable, responsible and liable for any compliance failures that may result from or be associated with an outsourcing arrangement and as such, liability and/or culpability for non-compliance with the FIC Act obligations cannot be transferred to a third-party service provider2. Therefore, even if a business process is outsourced to a cloud service provider, the organization still has the ultimate responsibility and accountability for the risk associated with the outsourced process. The other options are not correct, as they imply that the cloud service provider can take over the accountability or responsibility for the risk, or that the organization can mitigate the risk by acquiring insurance, which is not the case.

Monitoring the average time to complete tasks and monthly reporting of the findings during the month-end close process aligns with the definition of a Key Performance Indicator (KPI).

Understanding KPIs:

Performance Measurement:KPIs are used to measure how effectively a company is achieving its key business objectives. Monitoring the average time to complete tasks during the month-end close process provides a performance metric.

Tracking Efficiency:By reporting these findings monthly, management can track the efficiency and performance of the system load capabilities.

Specific Measure:

Task Completion Time:The average time to complete tasks is a specific, measurable indicator of performance. It helps in understanding how well the system handles load and identifies areas for improvement.

Continuous Improvement:Regular monitoring and reporting encourage continuous improvement, which is a core aspect of using KPIs.

References:

According to ISACA's guidelines on performance measurement, KPIs are critical for tracking the efficiency and effectiveness of processes and systems. They provide tangible metrics that help in decision-making and performance improvement.

Payroll system risk mitigation plans are the actions that are taken to reduce or eliminate the risk associated with payroll processing. When a migration from an in-house developed system to an external cloud-based solution is affecting a previously rated key risk scenario related to payroll processing, the first part of the risk register that should be updated is the payroll system risk mitigation plans. This is because the migration may introduce new risks or change the existing risks, and the risk mitigation plans may need to be revised or replaced accordingly. Updating the payroll system risk mitigation plans can help ensure that the risk level is acceptable and the payroll process is secure and reliable. According to the CRISC Review Manual 2022, one of the key risk treatment techniques is to update the risk action plan, which is a document that outlines the risk mitigation plans1. According to the CRISC Review Questions, Answers & Explanations Manual 2022, updating the risk mitigation plans is the correct answer to this question2.

Payroll system risk factors, payroll process owner, and payroll administrative controls are not the first part of the risk register that should be updated when a migration is affecting a key risk scenario. Payroll system risk factors are the sources or causes of risk, such as threats, vulnerabilities, or uncertainties. Payroll process owner is the person who is responsible for the payroll process and its outcomes. Payroll administrative controls are the policies, procedures, or guidelines that govern the payroll process. These parts of the risk register may also need to be updated, but they are not as urgent or critical as the risk mitigation plans. Updating the risk factors, process owner, and administrative controls can help identify, assess, and monitor the risk, but they do not directly address the risk response. The risk response is the most important part of the risk management process, as it determines how the risk is handled and controlled.

The second line of defense is responsible for challenging the risk decision making of the first line of defense, which is the business process owners and managers. The second line of defense also provides oversight, guidance, and support to the first line of defense in implementing and maintaining effective risk management practices. The second line of defense includes functions such as risk management, compliance, quality assurance, and internal audit. References = Risk and Information Systems Control Study Manual, Chapter 1: IT Risk Identification, Section 1.2: IT Risk Management Roles and Responsibilities, Page 14.