What is the ISACA CRISC Exam?
The Certified in Risk and Information Systems Control (CRISC) certification is a globally recognized credential awarded by ISACA. It validates your expertise in identifying and managing enterprise IT risk and implementing effective information system controls. CRISC professionals are trusted to align IT risk management with business objectives, making this certification essential for risk professionals, IT managers, and compliance officers.
What Will You Learn?
Our CRISC exam practice test is designed to prepare you thoroughly for the real exam by covering all four key domains:
Risk Identification, Assessment, and Evaluation
Risk Response and Mitigation
Risk and Control Monitoring and Reporting
Information Systems Control Design and Implementation
Through realistic, scenario-based questions and detailed explanations, you’ll develop a deep understanding of risk management principles, control frameworks, risk response strategies, and governance practices essential for effective IT risk management.
Key Topics Covered:
Enterprise risk management fundamentals
Risk appetite and tolerance
Control ownership and accountability
Risk registers and heat maps
Risk response strategies (avoidance, mitigation, transfer, acceptance)
Business continuity and disaster recovery planning
Control testing and monitoring
Third-party risk management
Communication and reporting of risk to stakeholders
Emerging technology risks and cloud security challenges
Why Choose Exam Sage for Your CRISC Exam Prep?
At Exam Sage, we specialize in delivering high-quality, up-to-date, and exam-focused practice tests that mimic the real ISACA CRISC exam environment. Our carefully crafted questions come with comprehensive explanations that clarify complex concepts, helping you not only pass but truly master the material. Whether you’re a beginner or looking to refresh your skills, our practice tests offer:
Realistic question formats aligned with the latest ISACA syllabus
Detailed answer rationales to strengthen your understanding
Flexible online access for study anytime, anywhere
Affordable pricing with instant download options
Join thousands of successful CRISC candidates who have trusted Exam Sage to boost their confidence and exam readiness. Prepare smarter, practice more, and succeed on your path to becoming a Certified in Risk and Information Systems Control professional.
Free CRISC Certified in Risk and Information Systems Control Exam
1. Which of the following best describes the PRIMARY goal of IT risk management?
A. Eliminate all IT risks
B. Ensure compliance with legal requirements
C. Align IT risk with business objectives
D. Implement security controls
Answer: C
Explanation:
The primary goal of IT risk management is to align IT risk with the organization’s business objectives, ensuring that risks are managed in accordance with the organization’s appetite and tolerance levels.
________________________________________
2. What is the PRIMARY purpose of risk appetite in enterprise risk management?
A. To eliminate uncertainty
B. To define thresholds for acceptable risk
C. To assign ownership to risk
D. To calculate residual risk
Answer: B
Explanation:
Risk appetite defines the amount and type of risk an organization is willing to accept in pursuit of its objectives, setting boundaries for acceptable risk levels.
________________________________________
3. Which of the following is MOST useful for evaluating the effectiveness of risk responses?
A. Key Risk Indicators (KRIs)
B. Key Performance Indicators (KPIs)
C. Internal audit findings
D. Control self-assessments
Answer: A
Explanation:
KRIs help monitor risk levels and are critical for evaluating whether implemented risk responses are effectively reducing or managing the identified risks.
________________________________________
4. Residual risk is best defined as:
A. Risk remaining after risk treatment
B. Initial risk identified during assessment
C. Risk transferred to a third party
D. Risk with the highest impact
Answer: A
Explanation:
Residual risk is the remaining level of risk after all mitigation and control measures have been implemented.
________________________________________
5. Which of the following is the MOST important reason to assign ownership of risk?
A. To create segregation of duties
B. To ensure accountability
C. To reduce insurance costs
D. To eliminate risk
Answer: B
Explanation:
Assigning ownership ensures accountability for monitoring, managing, and reporting on the status of the risk.
________________________________________
6. A risk register should be updated when:
A. Annual audits are conducted
B. Business objectives change
C. New users are added to the system
D. Risk thresholds are exceeded
Answer: B
Explanation:
Whenever there is a change in business objectives, the risk landscape may shift, necessitating an update to the risk register.
________________________________________
7. What is the PRIMARY focus of the CRISC certification?
A. Audit and assurance practices
B. Risk management and control implementation
C. System development lifecycle
D. Information security governance
Answer: B
Explanation:
The CRISC certification is specifically designed to validate an individual’s ability to identify and manage enterprise IT risk and implement controls.
________________________________________
8. The best way to assess the likelihood of a risk event occurring is to:
A. Review financial reports
B. Conduct historical data analysis and expert judgment
C. Use annual audit results
D. Rely on compliance checklists
Answer: B
Explanation:
Combining historical data analysis with expert judgment provides a more accurate estimation of risk likelihood.
________________________________________
9. What should be done FIRST when a critical IT risk is identified?
A. Develop a control
B. Notify the board
C. Assign a risk owner
D. Perform risk analysis
Answer: D
Explanation:
Before acting, it’s essential to analyze the risk to determine its impact and likelihood so that the appropriate response can be developed.
________________________________________
10. Which of the following is a characteristic of a strong risk culture?
A. Centralized decision-making
B. Acceptance of all IT changes
C. Open communication about risk
D. Strict IT policies with no exceptions
Answer: C
Explanation:
An effective risk culture promotes open communication and transparency about risk, enabling timely mitigation and decision-making.
________________________________________
11. What is the MOST important factor to consider when selecting a risk response option?
A. Cost of implementation
B. Risk owner’s availability
C. Risk appetite of the organization
D. Number of controls in place
Answer: C
Explanation:
The chosen risk response must align with the organization’s risk appetite to ensure the business is not exposed to unacceptable levels of risk.
________________________________________
12. Which of the following is the BEST example of a preventive control?
A. Audit logs
B. Antivirus software
C. Intrusion detection systems
D. Disaster recovery plans
Answer: B
Explanation:
Antivirus software helps prevent malware from infecting a system, making it a preventive control.
________________________________________
13. What is the PRIMARY role of governance in risk management?
A. Approve control procedures
B. Authorize user access
C. Set direction and define risk tolerance
D. Perform root cause analysis
Answer: C
Explanation:
Governance involves establishing the framework, direction, and boundaries (e.g., risk tolerance) within which risk management operates.
________________________________________
14. Which risk response strategy involves accepting the risk without taking any action?
A. Mitigation
B. Transfer
C. Avoidance
D. Acceptance
Answer: D
Explanation:
Acceptance is choosing to take no action to mitigate the risk, often because the cost of mitigation exceeds the risk impact.
________________________________________
15. Key Performance Indicators (KPIs) differ from Key Risk Indicators (KRIs) in that KPIs:
A. Measure how well controls are working
B. Identify early signs of risk
C. Measure business process performance
D. Quantify residual risk
Answer: C
Explanation:
KPIs track how effectively business processes meet objectives, while KRIs track potential exposure to risk.
________________________________________
16. Who should define the organization’s risk appetite?
A. Risk analyst
B. IT department
C. Executive management and board
D. Compliance officer
Answer: C
Explanation:
Executive leadership and the board define the risk appetite, ensuring it aligns with the organization’s strategic goals.
________________________________________
17. Which of the following BEST demonstrates compliance with risk management policies?
A. Number of training sessions conducted
B. Reduced audit findings
C. Updated risk register
D. Signed acknowledgment forms
Answer: B
Explanation:
Reduced audit findings indicate improved control effectiveness and adherence to risk management policies.
________________________________________
18. What is the BEST way to ensure continuous improvement in IT risk management?
A. Implement a ticketing system
B. Hire more IT auditors
C. Conduct periodic risk assessments
D. Outsource risk analysis
Answer: C
Explanation:
Periodic risk assessments help detect new risks, evaluate current controls, and guide continuous improvement efforts.
________________________________________
19. When should a risk be escalated to senior management?
A. When it exceeds predefined thresholds
B. If it occurs outside office hours
C. When audit recommends it
D. If the risk is documented in the register
Answer: A
Explanation:
Risks that exceed the organization’s risk thresholds should be escalated to senior management for decision-making.
________________________________________
20. Which of the following is a key benefit of risk aggregation?
A. Avoids duplication of audits
B. Provides a comprehensive enterprise-wide risk view
C. Increases user adoption of controls
D. Simplifies training sessions
Answer: B
Explanation:
Risk aggregation consolidates multiple risks to create a holistic enterprise risk view, aiding executive decision-making.
________________________________________
21. Which process BEST helps determine the effectiveness of risk response strategies?
A. SWOT analysis
B. Cost-benefit analysis
C. Control testing and monitoring
D. Benchmarking
Answer: C
Explanation:
Testing and monitoring of controls are essential to evaluate whether risk response strategies are effectively reducing risk.
________________________________________
22. The MOST appropriate metric to monitor control performance over time is:
A. KRI
B. ROI
C. KPI
D. SLA
Answer: C
Explanation:
Key Performance Indicators (KPIs) are used to measure the efficiency and effectiveness of controls and processes over time.
________________________________________
23. What is the PRIMARY purpose of control self-assessment (CSA)?
A. Perform internal audits
B. Identify redundant processes
C. Evaluate control effectiveness internally
D. Satisfy regulatory compliance
Answer: C
Explanation:
A CSA is a process where business units assess their own controls, enabling early detection of weaknesses.
________________________________________
24. Which of the following BEST describes a risk-aware culture?
A. Risk is addressed only during audits
B. Employees actively participate in managing risk
C. IT is solely responsible for all risk decisions
D. All risks are outsourced to third parties
Answer: B
Explanation:
A risk-aware culture encourages employee involvement at all levels in risk identification and mitigation.
________________________________________
25. A critical system vulnerability is discovered. What is the MOST appropriate immediate response?
A. Wait for the next scheduled patch cycle
B. Perform risk analysis and initiate mitigation
C. Document it in the next monthly report
D. Disable all network connectivity
Answer: B
Explanation:
Upon discovering a vulnerability, organizations must assess the risk and begin appropriate mitigation actions without delay.
________________________________________
26. The MOST appropriate time to conduct a business impact analysis (BIA) is:
A. After a security incident
B. During system development
C. Before risk assessments
D. Annually, regardless of changes
Answer: C
Explanation:
A BIA should precede risk assessments to identify critical assets and processes, enabling proper prioritization of risks.
________________________________________
27. Which of the following tools BEST helps visualize IT risk interdependencies?
A. Heat map
B. Gantt chart
C. Control matrix
D. Risk taxonomy
Answer: A
Explanation:
A risk heat map visually represents risk impact vs. likelihood, helping stakeholders understand risk priorities and relationships.
________________________________________
28. What is the PRIMARY objective of risk communication?
A. Reduce the need for audits
B. Share information and enable decision-making
C. Justify security expenditures
D. Train new employees
Answer: B
Explanation:
Effective risk communication ensures that all stakeholders are informed and able to make risk-based decisions.
________________________________________
29. A third-party vendor introduces a new technology. What is the BEST approach for assessing associated risk?
A. Review vendor’s reputation
B. Require a service level agreement
C. Conduct a third-party risk assessment
D. Ask for certification documents
Answer: C
Explanation:
A third-party risk assessment evaluates the potential impact of the vendor’s service or technology on your organization’s risk posture.
________________________________________
30. Which of the following is the BEST reason to perform a post-incident review?
A. To identify responsible employees
B. To assign blame
C. To improve future response and controls
D. To satisfy compliance
Answer: C
Explanation:
A post-incident review identifies lessons learned and opportunities to improve controls and incident response processes.
________________________________________
31. Which of the following is the PRIMARY reason to monitor residual risk?
A. To track control performance
B. To comply with audit recommendations
C. To ensure risk remains within tolerance
D. To meet service level agreements
Answer: C
Explanation:
Monitoring residual risk ensures it stays within the organization’s risk appetite and tolerance, confirming that risk responses are effective.
________________________________________
32. What is the MOST critical factor when prioritizing risk treatment actions?
A. Budget availability
B. Strategic alignment
C. Frequency of the risk
D. Control documentation
Answer: B
Explanation:
Strategic alignment ensures that resources are focused on treating risks that could impact the organization’s goals and objectives.
________________________________________
33. Which of the following BEST enables proactive risk management?
A. Annual audits
B. Incident reporting
C. Real-time risk monitoring tools
D. Regulatory inspections
Answer: C
Explanation:
Real-time monitoring provides immediate visibility into risk conditions, allowing proactive responses before issues escalate.
________________________________________
34. What is the PRIMARY benefit of integrating risk management into business processes?
A. Reduces IT staff workload
B. Eliminates need for separate controls
C. Improves decision-making and resilience
D. Decreases compliance requirements
Answer: C
Explanation:
Integration helps embed risk awareness into daily activities, improving decision-making and overall organizational resilience.
________________________________________
35. The PRIMARY role of a risk owner is to:
A. Conduct internal audits
B. Approve budget requests
C. Implement and monitor risk responses
D. Escalate all risks to executives
Answer: C
Explanation:
The risk owner is responsible for ensuring that the identified risk is managed appropriately, including monitoring controls and responses.
________________________________________
36. Which of the following best describes inherent risk?
A. The risk after controls are applied
B. The probability of a security breach
C. The risk that exists before any controls
D. A regulatory risk affecting operations
Answer: C
Explanation:
Inherent risk is the level of risk present before any mitigating controls are applied.
________________________________________
37. What is the MOST effective way to ensure third-party risk is continuously managed?
A. Perform due diligence during onboarding
B. Conduct annual contract reviews
C. Implement ongoing monitoring processes
D. Require ISO certifications
Answer: C
Explanation:
Ongoing monitoring ensures that third-party risks are assessed throughout the relationship, not just during onboarding.
________________________________________
38. Which tool BEST helps align IT risk management with business strategy?
A. Key performance indicators
B. Balanced scorecard
C. Firewall rules
D. Incident ticketing system
Answer: B
Explanation:
A balanced scorecard connects performance and risk metrics to strategic business objectives, improving alignment.
________________________________________
39. What is the PRIMARY objective of a risk register?
A. Store control audit logs
B. Summarize employee performance
C. Record, track, and manage risks
D. Define security policies
Answer: C
Explanation:
A risk register is used to document risks, assign ownership, track mitigation actions, and support decision-making.
________________________________________
40. Which of the following BEST reflects the concept of risk transference?
A. Accepting potential data breaches
B. Installing intrusion detection systems
C. Purchasing cybersecurity insurance
D. Eliminating system access
Answer: C
Explanation:
Risk transference shifts the financial burden of a risk to another party, often via insurance or outsourcing.
________________________________________
41. Which process ensures that risk management aligns with evolving business objectives?
A. Risk forecasting
B. Change management
C. Continuous risk assessment
D. Data classification
Answer: C
Explanation:
Continuous risk assessment helps organizations adapt their risk posture as business goals and environments change.
________________________________________
42. What is the PRIMARY purpose of conducting a gap analysis in risk management?
A. Determine root causes
B. Review security logs
C. Identify differences between current and desired states
D. Calculate ROI of controls
Answer: C
Explanation:
Gap analysis identifies the difference between existing risk practices and target or best practices.
________________________________________
43. What is the MOST important criterion when assigning a risk owner?
A. Seniority level
B. Access to reporting tools
C. Accountability and authority to act
D. Department size
Answer: C
Explanation:
The risk owner must have authority and accountability to implement and oversee mitigation efforts effectively.
________________________________________
44. Which of the following is an example of a detective control?
A. Encryption
B. Biometric authentication
C. Audit logs
D. Firewall blocking rules
Answer: C
Explanation:
Audit logs are detective controls that help identify events after they occur, enabling forensic analysis.
________________________________________
45. A high-impact risk has a very low probability. What is the BEST approach?
A. Accept the risk
B. Transfer the risk
C. Ignore the risk
D. Evaluate cost-effective mitigation
Answer: D
Explanation:
Even if a risk is unlikely, its high impact warrants analysis to determine if mitigation is cost-justified.
________________________________________
46. Which of the following is the BEST justification for risk mitigation?
A. It satisfies an external vendor
B. It prevents reputational damage
C. It reduces the number of employees
D. It removes the need for audits
Answer: B
Explanation:
Reputational risk can have serious consequences; mitigation helps protect the brand and stakeholder trust.
________________________________________
47. In a mature risk management program, which process is MOST likely to be automated?
A. Strategy development
B. Board reporting
C. Risk identification and scoring
D. Control implementation
Answer: C
Explanation:
Automated risk scoring and identification tools streamline risk assessments and ensure consistency and accuracy.
________________________________________
48. What is the PRIMARY goal of key risk indicators (KRIs)?
A. Estimate mitigation cost
B. Provide early warning of potential issues
C. Replace risk registers
D. Report historical losses
Answer: B
Explanation:
KRIs provide early signs of increasing risk exposure, allowing proactive intervention before escalation.
________________________________________
49. A risk response plan should include all of the following EXCEPT:
A. Risk owner
B. Mitigation steps
C. Risk appetite
D. Timeline and metrics
Answer: C
Explanation:
While risk appetite guides decisions, it is not part of a specific response plan, which focuses on actions and accountability.
________________________________________
50. Which of the following is a qualitative risk assessment technique?
A. Monte Carlo simulation
B. Annualized Loss Expectancy (ALE)
C. Probability-impact matrix
D. Net Present Value (NPV)
Answer: C
Explanation:
A probability-impact matrix is a qualitative tool that ranks risks based on likelihood and impact using descriptive categories.
________________________________________
51. The role of the control owner is to:
A. Report to the board
B. Execute and maintain controls
C. Define the risk tolerance
D. Approve risk mitigation plans
Answer: B
Explanation:
Control owners are responsible for the operation and maintenance of controls to ensure they mitigate assigned risks.
________________________________________
52. An organization uses the COSO ERM framework. What is its PRIMARY purpose?
A. Audit control effectiveness
B. Eliminate all IT risks
C. Provide a structured approach to enterprise risk management
D. Develop financial forecasts
Answer: C
Explanation:
The COSO ERM framework helps organizations structure, implement, and evaluate enterprise-wide risk management.
________________________________________
53. What is the BEST way to evaluate the effectiveness of security awareness training?
A. Number of attendees
B. Completion of surveys
C. Phishing simulation results
D. Training cost analysis
Answer: C
Explanation:
Phishing simulations measure whether employees can identify and respond to threats, providing real insight into training effectiveness.
________________________________________
54. What is the PRIMARY goal of embedding risk management into projects?
A. To avoid scope changes
B. To improve timelines
C. To identify and manage risks early
D. To reduce budget use
Answer: C
Explanation:
Integrating risk practices into projects ensures early detection and management of potential risks, reducing surprises.
________________________________________
55. An internal control that restricts user access based on job roles is an example of:
A. Compensating control
B. Preventive control
C. Directive control
D. Detective control
Answer: B
Explanation:
Role-based access control (RBAC) is a preventive measure that restricts unauthorized access and protects sensitive data.
________________________________________
56. Which document defines roles, responsibilities, and processes in a risk program?
A. Incident response plan
B. Risk register
C. Risk management charter
D. Business continuity plan
Answer: C
Explanation:
A risk management charter outlines the governance structure, roles, and authority levels for managing risk.
________________________________________
57. What is the PRIMARY purpose of a lessons-learned report after a risk event?
A. Identify employee failures
B. Report financial losses
C. Improve future risk responses
D. Validate policies
Answer: C
Explanation:
Lessons-learned reports help organizations refine strategies, update policies, and improve response plans for future risks.
________________________________________
58. Which approach provides the MOST objective risk analysis?
A. Historical interviews
B. Quantitative assessment
C. Stakeholder consensus
D. SWOT analysis
Answer: B
Explanation:
Quantitative assessments use measurable data, providing objective, repeatable insights into risk levels.
________________________________________
59. The risk of a supplier failing to deliver services is an example of:
A. Internal operational risk
B. Strategic risk
C. Third-party risk
D. Reputational risk
Answer: C
Explanation:
This is a classic case of third-party risk, where the organization’s exposure depends on the reliability of an external partner.
________________________________________
60. Which action BEST ensures that a control continues to perform as intended?
A. Perform periodic control testing
B. Review the control policy annually
C. Assign a new control owner
D. Update training documentation
Answer: A
Explanation:
Regular control testing helps verify its ongoing effectiveness, allowing prompt remediation if issues are found.
________________________________________
61. Which of the following is the PRIMARY purpose of implementing a key risk indicator (KRI)?
A. To identify potential control failures after they occur
B. To quantify the impact of a realized risk
C. To provide early warning of increasing risk exposure
D. To determine the root cause of an incident
Answer: C. To provide early warning of increasing risk exposure
Explanation: KRIs are metrics used to signal a rising risk exposure in time to take action before the risk materializes, supporting proactive risk management.
________________________________________
62. In which phase of the risk management lifecycle are controls first evaluated for effectiveness?
A. Risk identification
B. Risk assessment
C. Risk response
D. Risk monitoring
Answer: C. Risk response
Explanation: Controls are typically evaluated during the risk response phase to determine their adequacy in mitigating identified risks before implementation or enhancement.
________________________________________
63. Which risk analysis technique evaluates the probability and impact of risks using numerical values?
A. Qualitative analysis
B. Delphi technique
C. Quantitative analysis
D. SWOT analysis
Answer: C. Quantitative analysis
Explanation: Quantitative analysis uses numerical data and models to estimate risk impacts and probabilities, often producing monetary value or statistical outputs.
________________________________________
64. Which of the following roles is MOST appropriate for determining the enterprise risk appetite?
A. Risk analyst
B. IT manager
C. Senior management
D. Internal auditor
Answer: C. Senior management
Explanation: Senior management sets the organization’s risk appetite in alignment with strategic objectives and stakeholder expectations.
________________________________________
65. A new data privacy regulation has been introduced. What is the FIRST action a risk practitioner should take?
A. Implement immediate system changes
B. Conduct a gap analysis
C. Notify data processors and controllers
D. Update the risk register
Answer: B. Conduct a gap analysis
Explanation: A gap analysis helps determine the differences between current practices and regulatory requirements before implementing corrective measures.
________________________________________
66. Which of the following BEST illustrates an inherent risk?
A. A system vulnerability mitigated by a firewall
B. Data loss risk without any control in place
C. An outdated antivirus solution
D. A misconfigured access control policy
Answer: B. Data loss risk without any control in place
Explanation: Inherent risk represents the level of risk without any existing controls or mitigation strategies.
________________________________________
67. What is the PRIMARY purpose of a risk register?
A. Document internal audit findings
B. Record identified risks and their attributes
C. List security policies
D. Track regulatory compliance
Answer: B. Record identified risks and their attributes
Explanation: A risk register serves as a centralized repository of all identified risks, their impact, probability, mitigation strategies, and ownership.
________________________________________
68. Which of the following is a limitation of using historical data for risk assessment?
A. It reduces reliance on expert judgment
B. It may not reflect emerging risks
C. It enhances consistency
D. It promotes quantitative modeling
Answer: B. It may not reflect emerging risks
Explanation: Historical data is backward-looking and might not capture new or evolving threats, making it insufficient for forecasting novel risks.
________________________________________
69. Which of the following best defines residual risk?
A. Risk that is shared with a third party
B. Risk identified but not yet mitigated
C. Risk remaining after controls are applied
D. Risk with a low probability of occurring
Answer: C. Risk remaining after controls are applied
Explanation: Residual risk is the level of risk that persists after risk response strategies and controls have been implemented.
________________________________________
70. What is the PRIMARY objective of risk aggregation?
A. To reduce redundant controls
B. To provide a consolidated view of risk
C. To rank risks by cost
D. To identify root causes
Answer: B. To provide a consolidated view of risk
Explanation: Risk aggregation consolidates individual risk data to present an enterprise-wide risk profile, helping decision-makers prioritize and allocate resources.
________________________________________
71. Which of the following is MOST critical when defining an organization’s risk tolerance?
A. Availability of insurance
B. Regulatory requirements
C. Risk appetite
D. Incident response time
Answer: C. Risk appetite
Explanation: Risk tolerance is directly derived from the organization’s risk appetite, which reflects the amount of risk it is willing to accept to achieve objectives.
________________________________________
72. A control is identified as inefficient. What should be the FIRST course of action?
A. Remove the control
B. Reassess the associated risk
C. Immediately replace the control
D. Notify the audit team
Answer: B. Reassess the associated risk
Explanation: Before making changes, it’s important to reassess the risk to determine whether the control is still necessary and what alternatives may be more effective.
________________________________________
73. Which risk response is BEST when the cost of mitigation exceeds the expected loss?
A. Accept
B. Avoid
C. Transfer
D. Share
Answer: A. Accept
Explanation: Risk acceptance is appropriate when mitigation is not cost-effective and the risk falls within the organization’s tolerance.
________________________________________
74. What is the BEST reason to involve stakeholders during risk communication?
A. To validate risk calculations
B. To gather input and buy-in for decisions
C. To audit the risk process
D. To complete compliance documentation
Answer: B. To gather input and buy-in for decisions
Explanation: Engaging stakeholders improves transparency, fosters support, and ensures risk management aligns with business objectives.
________________________________________
75. Which of the following MOST clearly indicates a risk has been effectively mitigated?
A. Risk score is unchanged
B. Control maturity has improved
C. Residual risk falls within tolerance
D. A compliance audit passed
Answer: C. Residual risk falls within tolerance
Explanation: Effective mitigation reduces residual risk to a level acceptable to the organization.
________________________________________
76. What is the PRIMARY reason to use a heat map in risk analysis?
A. To calculate risk exposure in dollars
B. To prioritize risks visually
C. To align controls with business units
D. To replace risk registers
Answer: B. To prioritize risks visually
Explanation: Heat maps provide an intuitive visual representation of risks based on impact and likelihood, aiding prioritization.
________________________________________
77. When should a risk practitioner recommend risk transfer?
A. When a risk is within tolerance
B. When internal controls are strong
C. When risk impact is high and insurable
D. When risk is not identified
Answer: C. When risk impact is high and insurable
Explanation: Risk transfer (e.g., insurance) is best suited for high-impact risks that can be contractually transferred.
________________________________________
78. Which of the following MOST supports continuous improvement in risk management?
A. Monthly risk acceptance
B. Regular training programs
C. Periodic risk assessments
D. Quarterly audits only
Answer: C. Periodic risk assessments
Explanation: Ongoing assessments help identify emerging risks and adjust controls accordingly, supporting continuous improvement.
________________________________________
79. What is the PRIMARY role of the risk owner?
A. To design system controls
B. To accept and monitor the assigned risk
C. To conduct audits
D. To write security policies
Answer: B. To accept and monitor the assigned risk
Explanation: The risk owner is responsible for managing, monitoring, and making decisions about the assigned risk.
________________________________________
80. Which metric BEST reflects the effectiveness of a control?
A. Number of users trained
B. Reduction in residual risk
C. Cost to implement
D. Number of incidents reported
Answer: B. Reduction in residual risk
Explanation: A control’s effectiveness is demonstrated by its ability to reduce the residual risk to acceptable levels.
________________________________________
81. Which scenario BEST exemplifies risk avoidance?
A. Purchasing cybersecurity insurance
B. Shutting down a high-risk business unit
C. Implementing two-factor authentication
D. Outsourcing operations
Answer: B. Shutting down a high-risk business unit
Explanation: Risk avoidance involves eliminating the risk entirely by discontinuing the related activity.
________________________________________
82. Which of the following is the BEST approach to managing third-party risk?
A. Conducting regular vulnerability scans
B. Enforcing strong access controls
C. Performing due diligence and monitoring contracts
D. Implementing redundant firewalls
Answer: C. Performing due diligence and monitoring contracts
Explanation: Third-party risk management requires initial vetting and ongoing oversight to ensure compliance and reduce exposure.
________________________________________
83. The PRIMARY goal of a business impact analysis (BIA) is to:
A. Identify cybersecurity threats
B. Analyze compliance gaps
C. Determine the impact of business disruptions
D. Detect unauthorized access
Answer: C. Determine the impact of business disruptions
Explanation: A BIA evaluates the effect of potential disruptions to business functions, supporting continuity planning.
________________________________________
84. Which document defines the organization’s overall risk strategy and appetite?
A. Disaster recovery plan
B. Security policy
C. Risk management framework
D. Risk governance policy
Answer: D. Risk governance policy
Explanation: The risk governance policy outlines the organization’s approach to risk, including appetite, tolerance, and responsibilities.
________________________________________
85. Which of the following is a key output of the risk assessment phase?
A. Residual risk scores
B. Mitigation budget
C. Business process mapping
D. Root cause analysis
Answer: A. Residual risk scores
Explanation: Risk assessment outputs include inherent and residual risk scores, aiding decision-making for risk response.
________________________________________
86. Which scenario BEST illustrates an effective risk communication practice?
A. Sharing only critical risks with executives
B. Emailing the risk register to all staff
C. Tailoring risk messages to the audience
D. Posting risk scores on the intranet
Answer: C. Tailoring risk messages to the audience
Explanation: Effective communication considers the audience’s interests, responsibilities, and understanding to ensure clarity and action.
________________________________________
87. What is the BEST method to ensure risk controls remain effective over time?
A. One-time risk assessment
B. Quarterly penetration testing
C. Continuous monitoring and periodic reviews
D. Annual audit only
Answer: C. Continuous monitoring and periodic reviews
Explanation: Ongoing evaluations help maintain control effectiveness as the threat landscape evolves.
________________________________________
88. The use of key performance indicators (KPIs) in risk management helps to:
A. Replace internal audits
B. Measure control effectiveness
C. Identify unauthorized access
D. Eliminate all risk
Answer: B. Measure control effectiveness
Explanation: KPIs assess how well risk controls and processes perform in alignment with objectives.
________________________________________
89. What is the PRIMARY benefit of integrating IT risk management into enterprise risk management (ERM)?
A. Reduces system complexity
B. Simplifies technical documentation
C. Aligns IT risk with organizational goals
D. Eliminates need for external audits
Answer: C. Aligns IT risk with organizational goals
Explanation: Integration ensures IT risks are managed in the context of overall business objectives, enhancing strategic alignment.
________________________________________
90. What is the BEST reason to use scenario analysis in risk assessments?
A. To fulfill audit requirements
B. To identify unrelated business units
C. To evaluate the impact of multiple variables
D. To review only past incidents
Answer: C. To evaluate the impact of multiple variables
Explanation: Scenario analysis explores different possible outcomes, improving preparedness for complex risk situations.
________________________________________
91. What is a PRIMARY factor in prioritizing risk response actions?
A. Audit frequency
B. Control maturity level
C. Resource availability
D. Risk ranking (impact × likelihood)
Answer: D. Risk ranking (impact × likelihood)
Explanation: Risks are prioritized based on their potential impact and likelihood, guiding the urgency of response.
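As an added worked example (not part of the practice test and not ISACA material), the Python below ties questions 73, 75, 76 and 91 together: it scores each entry in a small risk register as likelihood x impact, ranks the register by that inherent score, places each risk on a three-band heat map, and recommends a response by comparing control cost with the loss the control avoids and the residual score with tolerance. The 1..5 scales, the tolerance of 8, the band cut-offs, the insurability rule and the five register entries are all hypothetical values chosen for illustration.

```python
"""Rank a risk register, band it on a heat map, and recommend a risk response."""
from dataclasses import dataclass

# Hypothetical scales and thresholds; an organization sets its own in its risk policy.
RISK_TOLERANCE = 8     # highest score (likelihood x impact) management will carry
INSURABLE_IMPACT = 4   # impact rating at or above which transfer is worth pricing
BANDS = ((15, "High"), (8, "Medium"), (0, "Low"))   # heat-map floors, highest first


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    likelihood: int        # 1 rare .. 5 almost certain
    impact: int            # 1 negligible .. 5 severe
    ale: float             # annualized loss expectancy, currency units
    control_cost: float    # annual cost of the proposed control
    control_effect: float  # fraction of likelihood the control removes, 0.0..1.0
    insurable: bool = False

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effect <= 1.0:
            raise ValueError(f"{self.risk_id}: control_effect must be 0..1")


def inherent_score(r: Risk) -> int:
    """Risk ranking before any control: likelihood x impact (question 91)."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    """Score after the proposed control; modelled as reducing likelihood only."""
    return round(r.likelihood * (1 - r.control_effect) * r.impact, 1)


def heat_band(score: float) -> str:
    """Heat-map band for a score (question 76)."""
    return next(label for floor, label in BANDS if score >= floor)


def recommend(r: Risk) -> str:
    """Pick a response: accept, mitigate, transfer or escalate (questions 73, 75, 77)."""
    if inherent_score(r) <= RISK_TOLERANCE:
        return "Accept"                       # already within tolerance
    loss_avoided = r.ale * r.control_effect   # expected loss the control prevents
    cost_effective = r.control_cost <= loss_avoided
    if cost_effective and residual_score(r) <= RISK_TOLERANCE:
        return "Mitigate"                     # control pays for itself and lands in tolerance
    if r.insurable and r.impact >= INSURABLE_IMPACT:
        return "Transfer"                     # high impact, insurable, mitigation not justified
    if cost_effective:
        return "Mitigate and escalate"        # residual still above tolerance after control
    return "Escalate"                         # no cost-effective treatment: management decides


def triage(register):
    """Return the register ranked by inherent score with band, residual and response."""
    ranked = sorted(register, key=inherent_score, reverse=True)
    return [
        {
            "risk_id": r.risk_id,
            "inherent": inherent_score(r),
            "band": heat_band(inherent_score(r)),
            "residual": residual_score(r),
            "response": recommend(r),
        }
        for r in ranked
    ]


# Constructed sample register (hypothetical figures, not real organizational data).
SAMPLE_REGISTER = [
    Risk("R1", "Ransomware on file servers", 4, 5, 400_000, 60_000, 0.75),
    Risk("R2", "Data centre flood", 2, 5, 50_000, 250_000, 0.5, insurable=True),
    Risk("R3", "Unpatched legacy application", 3, 3, 30_000, 5_000, 0.6),
    Risk("R4", "Phishing of finance staff", 5, 4, 200_000, 20_000, 0.4),
    Risk("R5", "Printer outage", 2, 1, 2_000, 3_000, 0.5),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REGISTER):
        print(row)
```

Note that the flood risk comes out as Transfer although its inherent score sits only in the Medium band: the barrier control costs more than the loss it would avoid, and the impact is high and insurable, which is exactly the situation questions 73 and 77 describe. The phishing risk is cost-effective to mitigate but stays above tolerance afterwards, so it is flagged for escalation rather than reported as mitigated (question 75).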
________________________________________
92. Which type of control is antivirus software PRIMARILY considered?
A. Preventive
B. Detective
C. Corrective
D. Compensating
Answer: A. Preventive
Explanation: Real-time anti-malware scanning blocks known malicious code before it runs, so its primary classification is preventive. The same product also has detective characteristics (signature alerts on files already present) and corrective ones (quarantine and removal), so classify it by the function a question emphasizes: an on-demand scan that only reports infections is acting as a detective control.
________________________________________
93. A key metric shows a rising trend in failed login attempts. What is the MOST appropriate response?
A. Decrease password complexity
B. Disable user accounts
C. Investigate for potential brute-force attacks
D. Conduct a compliance audit
Answer: C. Investigate for potential brute-force attacks
Explanation: A rise in failed login attempts may indicate brute-force, password-spraying or credential-stuffing activity and should be investigated promptly. Disabling accounts before the cause is known (option B) reacts to a symptom and can turn the attack into a self-inflicted denial of service for legitimate users.
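An added example of the investigation question 93 calls for (written for this page, not taken from ISACA or any vendor): the Python below reads OpenSSH-style "Failed password"/"Accepted password" syslog lines, keeps a five-minute sliding window of failures per source address, and raises one alert per source for a brute-force burst (many failures against one account), a password spray (few failures each against many accounts) and the case that needs a responder immediately, a successful login right after such a burst. The thresholds, the log year, the host name and the log lines themselves are constructed for the example.

```python
"""Flag brute-force and password-spraying patterns in SSH authentication log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH syslog messages: the timestamp carries no year, so one is supplied below.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Hypothetical thresholds; tune them to the environment's own baseline.
WINDOW = timedelta(minutes=5)
BRUTE_FORCE_FAILURES = 10   # failures from one source inside WINDOW
SPRAY_ACCOUNTS = 5          # distinct accounts tried from one source inside WINDOW
LOG_YEAR = 2024             # assumed year for the year-less syslog timestamps


def parse_events(lines):
    """Yield (timestamp, result, user, src) for matching lines; skip everything else."""
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
        yield ts, m["result"], m["user"], m["src"]


def detect(lines):
    """Return alerts as dicts, at most one per (type, source), in detection order."""
    alerts, seen = [], set()
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures inside WINDOW

    def raise_alert(kind, src, detail):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append({"type": kind, "src": src, "detail": detail})

    for ts, result, user, src in sorted(parse_events(lines), key=lambda e: e[0]):
        window = recent[src]
        while window and ts - window[0][0] > WINDOW:   # expire old failures
            window.popleft()
        if result == "Failed":
            window.append((ts, user))
            if len(window) >= BRUTE_FORCE_FAILURES:
                raise_alert("brute_force", src, f"{len(window)} failures in {WINDOW}")
            accounts = {u for _, u in window}
            if len(accounts) >= SPRAY_ACCOUNTS:
                raise_alert("password_spray", src, f"{len(accounts)} accounts tried")
        elif result == "Accepted" and len(window) >= BRUTE_FORCE_FAILURES:
            # A success right after a burst of failures is the case to escalate now.
            raise_alert("success_after_brute_force", src,
                        f"login as {user} after {len(window)} failures")
    return alerts


def _line(hms, result, user, src, pid=4242):
    """Build one constructed sshd log line in OpenSSH's syslog format."""
    return f"Jan 12 {hms} bastion sshd[{pid}]: {result} password for {user} from {src} port 51000 ssh2"


# Constructed sample log: a root brute force that succeeds, a spray, and a benign typo.
SAMPLE_LOG = (
    [_line(f"10:00:{s:02d}", "Failed", "root", "203.0.113.7") for s in range(0, 36, 3)]
    + [_line("10:00:40", "Accepted", "root", "203.0.113.7")]
    + [_line(f"10:02:{i * 5:02d}", "Failed", f"invalid user {u}", "198.51.100.9")
       for i, u in enumerate(["admin", "test", "oracle", "backup", "deploy", "git"])]
    + [_line("10:05:01", "Failed", "alice", "192.0.2.5"),
       _line("10:05:09", "Accepted", "alice", "192.0.2.5"),
       "Jan 12 10:05:10 bastion sshd[4242]: Connection closed by 192.0.2.5 port 51000"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 192.0.2.5 never reaches a threshold and produces no alert, which is the point of investigating the trend rather than reacting to individual failures: the response is driven by who is failing, against how many accounts, and whether any of them eventually got in.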
________________________________________
94. Which risk response is used when the organization collaborates with others to manage risk?
A. Accept
B. Avoid
C. Transfer
D. Share
Answer: D. Share
Explanation: Risk sharing involves partnerships or joint ventures to divide risk responsibility.
________________________________________
95. The PRIMARY reason to escalate a risk to senior management is when:
A. The risk affects multiple departments
B. The mitigation cost is low
C. The risk falls below the tolerance level
D. Controls have already been implemented
Answer: A. The risk affects multiple departments
Explanation: Risks with enterprise-wide implications or that exceed tolerance thresholds require senior management attention.
________________________________________
96. What is the BEST justification for conducting a risk reassessment?
A. Annual budget planning
B. Completion of a control audit
C. Change in business objectives or environment
D. Staff promotion
Answer: C. Change in business objectives or environment
Explanation: Significant organizational or environmental changes warrant re-evaluating risk posture and controls.
________________________________________
97. Who is ultimately responsible for managing enterprise risks?
A. Risk practitioners
B. Internal auditors
C. Senior leadership
D. Business unit heads
Answer: C. Senior leadership
Explanation: Senior leadership is accountable for ensuring that enterprise risks are appropriately managed and aligned with objectives.
________________________________________
98. What is the MAIN role of internal audit in the risk management process?
A. Own risks
B. Implement controls
C. Provide independent assurance
D. Accept risk decisions
Answer: C. Provide independent assurance
Explanation: Internal audit reviews the effectiveness of risk management activities and offers independent evaluations.
________________________________________
99. Which of the following would BEST ensure risk-related decisions are consistently made across an enterprise?
A. Use of multiple risk frameworks
B. Centralized governance and policies
C. Departmental autonomy
D. Outsourcing the risk function
Answer: B. Centralized governance and policies
Explanation: Centralized governance promotes consistency and alignment in how risks are assessed and handled.
________________________________________
100. Which of the following risks is MOST likely to increase when an organization moves to a cloud-based infrastructure?
A. Physical security
B. Data sovereignty
C. Hardware failure
D. Printer malfunctions
Answer: B. Data sovereignty
Explanation: Cloud adoption raises concerns about where data is stored and which jurisdiction’s laws apply, impacting compliance.
________________________________________
101. Which of the following BEST helps to validate the effectiveness of implemented risk controls?
A. Internal control self-assessments
B. Annual policy review
C. Vendor contract audits
D. Firewall rule changes
Answer: A. Internal control self-assessments
Explanation: Control self-assessments provide ongoing validation from within the organization, helping ensure controls work as intended.
________________________________________
102. What is the PRIMARY purpose of a risk register?
A. To store audit results
B. To track compliance issues
C. To document identified risks and their status
D. To map network infrastructure
Answer: C. To document identified risks and their status
Explanation: A risk register serves as a central repository for capturing, tracking, and managing risks throughout their lifecycle.
________________________________________
103. When conducting a risk assessment, the FIRST step is to:
A. Assign risk owners
B. Develop mitigation plans
C. Identify assets and threats
D. Create a control matrix
Answer: C. Identify assets and threats
Explanation: The risk assessment begins with identifying key assets and the threats that may affect them.
________________________________________
104. Which of the following is the MOST appropriate use of qualitative risk analysis?
A. When assigning monetary value to risks
B. When precise data is unavailable
C. During compliance audits
D. For reporting to shareholders
Answer: B. When precise data is unavailable
Explanation: Qualitative analysis is used when quantitative data is insufficient, relying on subjective risk ranking methods.
________________________________________
105. Which of the following is a key feature of a mature risk culture?
A. All risk decisions are centralized
B. Risk metrics are updated monthly
C. Risk awareness is embedded at all levels
D. Only top management handles risk
Answer: C. Risk awareness is embedded at all levels
Explanation: A mature risk culture involves consistent understanding and behavior toward risk throughout the organization.
________________________________________
106. What is the PRIMARY risk when terminating an employee with access to sensitive systems?
A. Compliance gap
B. Physical safety issues
C. Unauthorized data access
D. Salary disputes
Answer: C. Unauthorized data access
Explanation: Disgruntled or recently terminated employees with access to critical systems can pose insider threats.
________________________________________
107. The MOST effective way to evaluate third-party risk is to:
A. Review their marketing materials
B. Conduct a security audit
C. Examine their website privacy policy
D. Compare their products to competitors
Answer: B. Conduct a security audit
Explanation: A third-party security audit provides a comprehensive understanding of how vendors manage risks.
________________________________________
108. What is the PRIMARY goal of a control gap analysis?
A. Identify controls to eliminate
B. Assess financial performance
C. Highlight missing or weak controls
D. Document policy violations
Answer: C. Highlight missing or weak controls
Explanation: Control gap analysis identifies deficiencies in the control environment that may expose the organization to risk.
________________________________________
109. Which of the following would BEST support risk-based decision-making?
A. Uniform treatment of all risks
B. Risk analysis aligned with business goals
C. Applying the same control to every risk
D. Avoiding risks at all costs
Answer: B. Risk analysis aligned with business goals
Explanation: Decisions based on business-aligned risk analysis ensure priorities and resources are directed effectively.
________________________________________
110. An enterprise is undergoing a digital transformation. What should be the risk manager’s PRIMARY focus?
A. Reviewing legacy systems
B. Updating firewall settings
C. Identifying new risk exposures
D. Hiring more developers
Answer: C. Identifying new risk exposures
Explanation: Digital transformation often introduces new risks that must be assessed and managed proactively.
________________________________________
111. Which of the following is MOST critical to a successful control design process?
A. Control automation
B. Threat modeling
C. Business process understanding
D. Legal department approval
Answer: C. Business process understanding
Explanation: Effective controls must align with the business context in which they operate to avoid disruption and ensure risk mitigation.
________________________________________
112. The PRIMARY benefit of risk quantification is to:
A. Avoid all risk
B. Enable objective comparison of risks
C. Automate mitigation plans
D. Satisfy auditors
Answer: B. Enable objective comparison of risks
Explanation: Quantification provides measurable data to compare risks and prioritize actions.
________________________________________
113. Which of the following would be MOST useful in monitoring evolving risk trends?
A. Penetration tests
B. Root cause analysis
C. Key risk indicators (KRIs)
D. Static control lists
Answer: C. Key risk indicators (KRIs)
Explanation: KRIs are forward-looking metrics that provide early warnings of potential risk events.
________________________________________
114. Which of the following BEST describes inherent risk?
A. Risk remaining after controls
B. Risk before considering controls
C. Risk accepted by management
D. Risk with known impact but unknown likelihood
Answer: B. Risk before considering controls
Explanation: Inherent risk is the level of risk present before applying any risk mitigation or controls.
________________________________________
115. What is the MOST appropriate response when residual risk exceeds the organization’s risk tolerance?
A. Accept the risk
B. Do nothing
C. Implement additional controls
D. Reassess the business process
Answer: C. Implement additional controls
Explanation: If residual risk is too high, further risk treatment or controls are needed.
________________________________________
116. When is it MOST important to involve legal counsel in risk management?
A. During system upgrades
B. When outsourcing IT services
C. When reviewing marketing strategy
D. During routine system maintenance
Answer: B. When outsourcing IT services
Explanation: Legal counsel ensures that contracts and liabilities are clearly defined and compliant with regulations.
________________________________________
117. What is the PRIMARY concern with shadow IT from a risk perspective?
A. Increased IT spending
B. Innovation without approval
C. Lack of visibility and control
D. Delayed project timelines
Answer: C. Lack of visibility and control
Explanation: Shadow IT introduces risk by operating outside established governance, exposing the organization to vulnerabilities.
________________________________________
118. Which of the following would BEST improve user compliance with security policies?
A. Annual performance reviews
B. Executive-level memos
C. Interactive training and awareness
D. Complex password requirements
Answer: C. Interactive training and awareness
Explanation: Educating users increases understanding and support for security policies, improving compliance.
________________________________________
119. A control is found to be ineffective during a risk review. What is the NEXT step?
A. Retire the control
B. Notify the board of directors
C. Identify a replacement control
D. Reassess the related risk
Answer: D. Reassess the related risk
Explanation: Understanding the current level of risk without the control guides appropriate next actions.
________________________________________
120. What is the BEST method for evaluating the risk associated with new IT projects?
A. Qualitative brainstorming
B. Quantitative risk analysis
C. Control mapping
D. Business impact analysis (BIA)
Answer: D. Business impact analysis (BIA)
Explanation: A BIA helps identify and assess the potential impact of disruptions resulting from new technology implementations.
________________________________________
121. What role does a risk committee typically play?
A. Implements technical controls
B. Approves system architectures
C. Governs enterprise risk decisions
D. Maintains the incident response plan
Answer: C. Governs enterprise risk decisions
Explanation: A risk committee provides oversight, guidance, and prioritization for risk-related activities across the organization.
________________________________________
122. Which of the following BEST reduces the likelihood of regulatory noncompliance?
A. Well-documented IT policies
B. Real-time risk dashboards
C. Automated patching systems
D. Regular compliance reviews
Answer: D. Regular compliance reviews
Explanation: Compliance reviews identify regulatory gaps and help the organization adjust controls to remain compliant.
________________________________________
123. Which of the following should be considered FIRST when selecting a risk response strategy?
A. Cost-benefit of controls
B. Departmental goals
C. Stakeholder communication
D. Employee training
Answer: A. Cost-benefit of controls
Explanation: Effective response strategies balance control costs against the level of risk reduction they offer.
________________________________________
124. What is a benefit of maintaining a well-documented risk framework?
A. It eliminates the need for training
B. It simplifies asset management
C. It ensures consistent risk management practices
D. It guarantees compliance
Answer: C. It ensures consistent risk management practices
Explanation: A documented framework promotes uniformity and repeatability across the enterprise.
________________________________________
125. Which of the following is MOST helpful in gaining executive support for risk mitigation?
A. Technical analysis
B. Threat detection tools
C. Risk-to-objectives impact statements
D. Control maturity ratings
Answer: C. Risk-to-objectives impact statements
Explanation: Executives respond better when risks are connected to business goals and outcomes.
________________________________________
126. Which of the following is the GREATEST risk of poor documentation in the risk management process?
A. Lower control costs
B. Legal liability
C. Limited stakeholder engagement
D. Inconsistent risk response
Answer: D. Inconsistent risk response
Explanation: Poor documentation can result in varied and uncoordinated approaches to handling risks.
________________________________________
127. The PRIMARY purpose of a control library is to:
A. Store incident reports
B. Archive obsolete policies
C. Provide reusable controls for risk treatment
D. Track regulatory changes
Answer: C. Provide reusable controls for risk treatment
Explanation: Control libraries offer a catalog of standardized controls to improve consistency and reduce redundancy.
________________________________________
128. Which of the following would BEST indicate a need to revise risk tolerance levels?
A. Increase in help desk tickets
B. A major cybersecurity incident
C. Changes in team size
D. Annual user training completion
Answer: B. A major cybersecurity incident
Explanation: A serious incident may reveal that existing tolerance levels are inadequate and need reevaluation.
________________________________________
129. The PRIMARY reason to perform risk assessments regularly is to:
A. Reduce IT staffing
B. Maximize tool usage
C. Adapt to a changing risk landscape
D. Meet contractual obligations
Answer: C. Adapt to a changing risk landscape
Explanation: As the environment evolves, risks change, and assessments help maintain effective risk posture.
________________________________________
130. Which of the following is MOST helpful in aligning IT risk with business objectives?
A. Business-aligned KRIs
B. IT training programs
C. Automated ticketing systems
D. IT performance benchmarks
Answer: A. Business-aligned KRIs
Explanation: KRIs tailored to business priorities enable proactive risk management and better alignment with objectives.
________________________________________
131. What is the PRIMARY purpose of a business impact analysis (BIA)?
A. To evaluate technical controls
B. To prioritize compliance requirements
C. To determine the criticality of business functions
D. To assess risk likelihood
Answer: C. To determine the criticality of business functions
Explanation: A BIA identifies essential business functions and the potential impact of disruptions to prioritize recovery strategies.
________________________________________
132. In risk communication, which of the following is MOST critical?
A. Using technical language
B. Delivering detailed reports
C. Tailoring the message to the audience
D. Ensuring data confidentiality
Answer: C. Tailoring the message to the audience
Explanation: Effective risk communication depends on adjusting the message for clarity and relevance to the target audience.
________________________________________
133. Which of the following is the BEST indication of control effectiveness?
A. The absence of recent incidents
B. Audit pass rates
C. Reduction in risk exposure
D. Regulatory compliance
Answer: C. Reduction in risk exposure
Explanation: Effective controls should directly reduce identified risks and exposures, making this the best indicator.
________________________________________
134. The MOST important factor when prioritizing risk mitigation efforts is:
A. Control automation capabilities
B. Compliance deadlines
C. Risk impact and likelihood
D. Senior management preference
Answer: C. Risk impact and likelihood
Explanation: Prioritization is driven by how severe and probable a risk is, ensuring the most critical risks are handled first.
________________________________________
135. What is a key objective of using a risk appetite statement?
A. To define all possible risks
B. To eliminate all high risks
C. To guide decision-making within acceptable boundaries
D. To monitor competitors’ risk strategies
Answer: C. To guide decision-making within acceptable boundaries
Explanation: The risk appetite outlines the level of risk an organization is willing to accept in pursuit of its goals.
________________________________________
136. Which of the following poses the GREATEST threat to the reliability of risk assessments?
A. Incomplete data
B. Use of automated tools
C. Frequent reassessments
D. Stakeholder input
Answer: A. Incomplete data
Explanation: Risk assessments depend on accurate and complete data. Gaps can lead to misjudging threats or missing risks entirely.
________________________________________
137. The PRIMARY reason for implementing controls is to:
A. Avoid regulatory penalties
B. Address audit findings
C. Manage risk within acceptable limits
D. Eliminate all threats
Answer: C. Manage risk within acceptable limits
Explanation: Controls help reduce risk to levels that align with the organization’s risk appetite and tolerance.
________________________________________
138. What should a risk practitioner do FIRST after identifying a new critical risk?
A. Escalate to senior management
B. Apply controls immediately
C. Add it to the asset inventory
D. Schedule a training session
Answer: A. Escalate to senior management
Explanation: Critical risks require timely communication to leadership for prioritization and approval of response actions.
________________________________________
139. Which of the following BEST supports continuous risk monitoring?
A. Annual penetration tests
B. Real-time dashboards and KRIs
C. Quarterly compliance reports
D. Security awareness programs
Answer: B. Real-time dashboards and KRIs
Explanation: Real-time monitoring through dashboards and key risk indicators allows organizations to react swiftly to emerging threats.
________________________________________
140. In risk response planning, risk transference is BEST exemplified by:
A. Creating a business continuity plan
B. Implementing new software patches
C. Purchasing cyber insurance
D. Installing surveillance cameras
Answer: C. Purchasing cyber insurance
Explanation: Risk transference involves shifting the risk to another party, such as through insurance.
________________________________________
141. What is the GREATEST risk of not aligning risk management with organizational objectives?
A. Overly complex controls
B. Increased audit workload
C. Ineffective resource allocation
D. Delays in IT projects
Answer: C. Ineffective resource allocation
Explanation: If risk management is misaligned, efforts may not support business goals, wasting resources.
________________________________________
142. A third-party service provider fails a security audit. What should the organization do FIRST?
A. Terminate the contract
B. Notify customers
C. Reassess the associated risks
D. Ignore the finding unless a breach occurs
Answer: C. Reassess the associated risks
Explanation: The audit failure introduces new risks, requiring reassessment to decide on the appropriate response.
________________________________________
143. Which of the following BEST describes residual risk?
A. Risk identified by stakeholders
B. Risk that cannot be avoided
C. Risk remaining after implementing controls
D. All known organizational risks
Answer: C. Risk remaining after implementing controls
Explanation: Residual risk is what remains after controls have reduced inherent risk.
________________________________________
144. Which of the following tools is MOST useful for mapping risk dependencies and relationships?
A. Gantt charts
B. Risk heat maps
C. Risk bow-tie diagrams
D. SWOT analysis
Answer: C. Risk bow-tie diagrams
Explanation: Bow-tie diagrams visualize the cause-effect relationship of risks, showing preventive and reactive controls.
________________________________________
145. Which risk response strategy is MOST appropriate for a low-likelihood, high-impact risk?
A. Transfer
B. Accept
C. Ignore
D. Exploit
Answer: A. Transfer
Explanation: For rare but potentially devastating events, transferring the risk (e.g., via insurance) is a prudent strategy.
________________________________________
146. Which of the following MOST contributes to improved risk culture?
A. Mandating security training
B. Top-down communication and leadership support
C. Weekly risk reports
D. Publishing internal audit findings
Answer: B. Top-down communication and leadership support
Explanation: Leadership commitment influences organizational behavior and drives risk-aware culture.
________________________________________
147. Which document typically defines how often risk assessments should be conducted?
A. Compliance checklist
B. Risk management policy
C. Audit charter
D. Incident response plan
Answer: B. Risk management policy
Explanation: This policy sets the guidelines, including assessment frequency and methodology.
________________________________________
148. Which of the following is MOST likely to reduce the likelihood of insider threats?
A. Background checks and least privilege access
B. Antivirus software updates
C. Firewalls and intrusion prevention systems
D. Redundancy of critical systems
Answer: A. Background checks and least privilege access
Explanation: These practices directly mitigate insider threats by preventing misuse of access.
________________________________________
149. What is the PRIMARY goal of IT governance in risk management?
A. To develop risk heat maps
B. To align IT initiatives with business strategy
C. To reduce operational complexity
D. To implement firewalls
Answer: B. To align IT initiatives with business strategy
Explanation: Governance ensures IT delivers value and supports enterprise objectives, including risk oversight.
________________________________________
150. What is the MOST important reason for maintaining an up-to-date risk register?
A. To satisfy auditors
B. To track asset depreciation
C. To enable timely and informed risk decisions
D. To reduce document storage needs
Answer: C. To enable timely and informed risk decisions
Explanation: A current risk register ensures decision-makers have accurate information for prioritizing actions.
________________________________________
151. Which of the following is the BEST way to evaluate the success of a risk mitigation plan?
A. Stakeholder satisfaction surveys
B. Comparison of residual and acceptable risk levels
C. Post-project review
D. External consultant opinion
Answer: B. Comparison of residual and acceptable risk levels
Explanation: The plan is effective if residual risk falls within the organization’s acceptable threshold.
________________________________________
152. An organization’s risk tolerance is MOST influenced by:
A. Audit findings
B. Management preferences and business objectives
C. Vendor policies
D. Security awareness levels
Answer: B. Management preferences and business objectives
Explanation: Risk tolerance reflects how much risk leadership is willing to accept based on business needs.
________________________________________
153. Which of the following should be documented during a control assessment?
A. Number of IT personnel
B. Control effectiveness and coverage
C. Corporate mission and vision
D. Organizational policies
Answer: B. Control effectiveness and coverage
Explanation: These metrics help determine whether controls are operating as intended and where gaps exist.
________________________________________
154. The PRIMARY purpose of a risk heat map is to:
A. Visualize and prioritize risks
B. Track regulatory changes
C. Communicate IT metrics
D. Allocate project resources
Answer: A. Visualize and prioritize risks
Explanation: Risk heat maps use color-coded matrices to show the severity and likelihood of risks.
________________________________________
155. Which of the following is MOST critical when performing a risk-based audit?
A. Identifying internal fraud
B. Allocating staff fairly
C. Focusing on high-risk areas
D. Limiting scope to IT systems
Answer: C. Focusing on high-risk areas
Explanation: A risk-based audit approach targets areas with the greatest potential impact.
________________________________________
156. Risk aggregation is used to:
A. Break large risks into small parts
B. Group related risks to assess overall exposure
C. Increase total risk ratings artificially
D. Assign risk to multiple owners
Answer: B. Group related risks to assess overall exposure
Explanation: Aggregation shows how multiple low-level risks can combine to create significant impact.
________________________________________
157. When should risk response plans be reviewed and updated?
A. Every five years
B. Only during external audits
C. After significant organizational or risk changes
D. After budget approval
Answer: C. After significant organizational or risk changes
Explanation: Response plans must adapt to new threats, technologies, or business directions.
________________________________________
158. A control fails during an audit. What is the MOST appropriate immediate action?
A. Escalate to IT
B. Create a corrective action plan
C. Fire the control owner
D. Update the risk register
Answer: B. Create a corrective action plan
Explanation: Immediate remediation planning is critical for resolving control failures.
________________________________________
159. Risk scenarios are useful for:
A. Defining KRIs
B. Conducting internal audits
C. Evaluating budget constraints
D. Modeling potential threats and responses
Answer: D. Modeling potential threats and responses
Explanation: Scenarios help visualize risk events and guide proactive response planning.
________________________________________
160. What is the PRIMARY purpose of control testing in risk management?
A. Train users
B. Reduce audit scope
C. Validate control effectiveness
D. Impress regulators
Answer: C. Validate control effectiveness
Explanation: Control testing confirms whether the implemented control works as designed.