Isaca Updated CRISC Exam Questions and Answers by elian

A purchase order approval process is a set of procedures that companies use to authorize the purchase of goods or services from suppliers1. This process typically involves multiple levels of approvals, ensuring that purchases are compliant with company regulations and policies, and within budget limitations1. Sometimes, a department may be granted an exception to bypass the existing approval process for purchase orders, for example, due to urgency, emergency, or special circumstances2. However, such exceptions should not compromise the effectiveness and integrity of the purchase order approval process, and should be properly documented and justified2. Therefore, the risk practitioner should verify that the exception has been approved by senior management, as they are ultimately responsible for setting and overseeing the purchase order approval process, and for ensuring that the exceptions are reasonable and aligned with the company’s objectives and risk appetite3. Internal audit is not the correct answer, as they are not involved in approving the purchase order approval process or its exceptions. Internal audit’s role is to provide independent assurance and advice on the adequacy and effectiveness of the purchase order approval process and its controls, and to report any issues or recommendations for improvement4. Control owner is not the correct answer, as they are not involved in approving the purchase order approval process or its exceptions. Control owner’s role is to design, implement, and operate the controls that support the purchase order approval process, and to monitor and report on the performance and compliance of the controls5. Risk manager is not the correct answer, as they are not involved in approving the purchase order approval process or its exceptions. Risk manager’s role is to identify, assess, and mitigate the risks associated with the purchase order approval process, and to communicate and report on the risk status and issues6. References = 1: A Step-by-Step Guide to a Purchase Order Approval Process2: Purchase Order Exceptions | Fordham3: Purchase Order (PO) Approval Process and Approval Workflow - ProcureDesk4: IT Risk Resources | ISACA5: CRISC Resources [updated 2021] | Infosec6: Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Risk Monitoring, pp. 189-191.

 The FIRST thing that the organization should do to reduce the risk of data exposure when modifying its system to enable acceptance of credit card payments is to conduct a risk assessment, because it is a process that involves identifying and analyzing the potential risks, threats, and vulnerabilities that may affect the system and the data, and their likelihood and impact on the business objectives and processes. A risk assessment can help to determine the current risk level and exposure, and to provide the basis for selecting and implementing the appropriate risk responses and controls. The other options are not the first thing that the organization should do, because:

Option B: Updating the security strategy is a result of conducting a risk assessment, but not the first thing that the organization should do. A security strategy is a plan that defines the security objectives, policies, standards, and procedures for the system and the data, and it should be aligned with the risk assessment results and the business requirements and expectations.

Option C: Implementing additional controls is a response to the risk assessment results, but not the first thing that the organization should do. Controls are the measures that are designed and implemented to prevent or reduce the occurrence or impact of the risks, threats, and vulnerabilities, and to ensure the confidentiality, integrity, and availability of the system and the data.

Option D: Updating the risk register is a part of the risk assessment process, but not the first thing that the organization should do. A risk register is a tool that documents and tracks the identified risks, their characteristics, their status, and their responses, and it should be updated regularly to reflect the current risk profile and exposure of the system and the data. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 108.

Control testing is the process of verifying that the risk mitigation controls are designed and operating effectively, and that they achieve the intended objectives and outcomes. Control testing can involve various methods, such as observation, inspection, inquiry, re-performance, or simulation. Control testing results can provide evidence and assurance that the implementation of a risk mitigation control has been completed as intended, and that the control is functioning properly and consistently. Control testing results can also identify any issues or deficiencies in the control design or operation, and recommend corrective actions or improvements. The other options are not as helpful as control testing results, because they do not provide a direct and objective verification of the control implementation, but rather focus on other aspects or outputs of the risk management process, as explained below:

A. An updated risk register is a document that records and tracks the identified risks, their characteristics, and their status. An updated risk register can reflect the changes in the risk profile and exposure after the implementation of a risk mitigation control, but it does not verify that the control implementation has been completed as intended, or that the control is effective and reliable.

B. Risk assessment results are the outputs of the risk analysis and evaluation process, which measure the impact and likelihood of the risks, and assign a risk rating and priority. Risk assessment results can indicate the level of risk exposure and the need for risk mitigation controls, but they do not verify that the control implementation has been completed as intended, or that the control is effective and reliable.

C. Technical control validation is the process of ensuring that the technical aspects of a control, such as hardware, software, or network components, are configured and functioning correctly. Technical control validation can verify that the control implementation meets the technical specifications and requirements, but it does not verify that the control implementation has been completed as intended, or that the control is effective and reliable from a business perspective. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.3, page 130.

Awareness training is the most likely control that failed in this scenario, as it is designed to educate employees on the proper handling and protection of sensitive data, and the consequences of violating the organizational policy. Awareness training can help to prevent or reduce the occurrence of human errors, such as inadvertently removing a file from the premises, that may result in data loss or breach. The other options are not the most likely controls that failed, as they are either not directly related to the scenario or not sufficient to prevent the incident. Background checks are used to verify the identity, qualifications, and trustworthiness of potential or current employees, but they do not ensure that employees will always follow the policy or avoid mistakes. User access is used to restrict the access to information systems or resources based on the identity, role, or credentials of the user, but it does not prevent the user from copying or removing the data once they have access. Policy management is used to create, communicate, and enforce the organizational policy, but it does not ensure that employees will understand or comply with the policy. References = Sensitive Data Essentials – The Lifecycle Of A Sensitive File; Personal data breach examples | ICO; How do I prevent staff accidentally sending personal information … - GCIT; 10 Ways to Protect Sensitive Employee Information; My personal data has been lost after a breach, what are my rights …