Isaca Updated CRISC Exam Questions and Answers by miriam

Completing a gap analysis identifies discrepancies between current controls and the requirements of the IT control framework, ensuring a focused approach to compliance. This supports Risk Assessment for Compliance Requirements.

Implementing an asset tiering model to establish the appropriate level of impact is best served by a quantitative risk assessment methodology. This approach provides a numeric value to the risk levels, which is crucial for accurately tiering assets.

Quantitative Risk Assessment:

Numeric Values: Quantitative methods assign numerical values to the probability and impact of risks, which allows for precise calculations of risk levels. This precision is essential when establishing tiers for assets based on their impact levels.

Data-Driven Decisions: These methods use statistical data and models to predict potential losses and the probability of various risk events, leading to more informed decision-making.

Asset Tiering Model:

Impact Assessment: Quantitative methods allow for detailed impact assessments. By using numeric values, it is easier to compare the potential impacts of different assets and categorize them into appropriate tiers.

Resource Allocation: Precise risk calculations help in the effective allocation of resources. Higher-tier assets (those with higher impact) can be allocated more resources for protection.

References:

According to the CRISC Review Manual, quantitative risk assessment methods are suitable for situations requiring precise impact assessments and detailed analysis, as they provide a clear, numeric representation of risks​​.

A RACI matrix clearly defines roles and responsibilities, making it the primary reference for identifying accountability. This aligns with Risk Governance Practices for clarifying ownership.

The best course of action for a system administrator who suspects a colleague may be intentionally weakening a system’s validation controls in order to pass through fraudulent transactions is B. Share the concern through a whistleblower communication channel1

According to the CRISC Review Manual, a whistleblower communication channel is a mechanism that allows employees to report suspected fraud or unethical behavior without fear of retaliation or reprisal. A whistleblower communication channel is part of an effective fraud detection and prevention framework, and it helps to promote a culture of integrity and accountability within the organization2

The other options are not as effective or appropriate as sharing the concern through a whistleblower communication channel, because:

•A. Implementing compensating controls to deter fraud attempts may not address the root cause of the problem, and it may also create additional complexity and cost for the system. Moreover, it may not prevent the colleague from finding other ways to bypass the controls or collude with external parties.

•C. Monitoring the activity to collect evidence may expose the system administrator to legal or ethical risks, especially if the monitoring is done without proper authorization or due process. It may also delay the reporting and resolution of the issue, and potentially allow more fraudulent transactions to occur.

•D. Determining whether the system environment has flaws that may motivate fraud attempts may be useful for understanding the context and the factors that contribute to the fraud risk, but it does not address the immediate concern of reporting the suspected fraud. It may also imply that the system administrator is trying to justify or rationalize the colleague’s behavior, rather than holding them accountable.

1: CRISC Review Questions, Answers & Explanations Database, Question ID: 100002 2: CRISC Review Manual, 7th Edition, page 224