ISACA CRISC - Certified in Risk and Information Systems Control Certification Exam
Question #6 (Topic: Demo Questions)
Which of the following provides the MOST useful information to assess the magnitude of identified deficiencies in the IT control environment?
Correct Answer: B
Explanation:
Internal audit reports provide the most useful information to assess the magnitude of identified deficiencies in the IT control environment. Internal audit reports are independent and objective evaluations of the design and operating effectiveness of the IT controls, as well as the compliance with policies, standards, and regulations. Internal audit reports also provide recommendations for improvement and follow-up actions for the control deficiencies. Internal audit reports can help measure the impact and severity of the control deficiencies, and prioritize the remediation efforts. Peer benchmarks, business impact analysis (BIA) results, and threat analysis results are not as directly related to the assessment of the control deficiencies, although they may provide some contextual or comparative information.
References: Risk and Information Systems Control Study Manual, Chapter 1, Section 1.4.1, page 1-19.
Question #7 (Topic: Demo Questions)
Which of the following approaches would BEST help to identify relevant risk scenarios?
Correct Answer: A
Explanation:
The best approach to identify relevant risk scenarios is to engage line management in risk assessment workshops. Risk scenarios are hypothetical situations that describe how a risk event could occur and what the consequences could be [1]. Identifying risk scenarios can help to understand and communicate the nature and impact of the risks, and to design and evaluate the risk responses [2]. To identify relevant risk scenarios, it is important to involve the people who are responsible for or affected by the risks, such as the line managers. Line managers are the managers who oversee the operational activities and processes of the organization, and who report to the senior or executive management [3]. By engaging line managers in risk assessment workshops, the organization can: