Isaca Updated CRISC Exam Questions and Answers by yasmine

Code review could BEST detect an in-house developer inserting malicious functions into a web-based application, because it is a process that involves examining and verifying the source code of the application for any errors, vulnerabilities, or malicious functions. Code review can help to identify and remove any unauthorized or harmful code that the developer may have inserted, either intentionally or unintentionally, and to ensure that the application meets the quality and security standards and requirements. The other options are not as effective as code review, because:

Option A: Segregation of duties is a control that involves separating the roles and responsibilities of the developer from those of the tester, the approver, and the deployer, to prevent any conflict of interest or misuse of authority. Segregation of duties can help to reduce the risk of the developer inserting malicious functions into the web-based application, but it does not detect them.

Option C: Change management is a process that involves controlling and documenting any changes to the web-based application, such as new features, enhancements, or bug fixes, to ensure that they are authorized, tested, and approved. Change management can help to track and monitor the changes that the developer may have made to the web-based application, but it does not detect the malicious functions.

Option D: Audit modules are components that are embedded in the web-based application to record and report the activities and transactions that occur within the application, such as user login, data input, or data output. Audit modules can help to audit and review the performance and functionality of the web-based application, but they do not detect the malicious functions. References = Risk and Information Systems Control Study Manual, 7th Edition, ISACA, 2020, p. 214.

 The best way to facilitate the development of effective IT risk scenarios is to utilize a cross-functional team. A cross-functional team is a group of people with different skills, expertise, and perspectives who work together to achieve a common goal. A cross-functional team can help to create realistic, comprehensive, and relevant IT risk scenarios by bringing diverse knowledge, experience, and insights from various domains and functions. A cross-functional team can also help to identify and address the interdependencies, interactions, and impacts of IT risks across the organization. The other options are not the best ways to facilitate the development of effective IT risk scenarios, although they may be useful or necessary depending on the context and nature of the IT risks. Participation by IT subject matter experts is important, but it is not sufficient, as IT risks may affect or be affected by non-IT factors and stakeholders. Integration of contingency planning is a part of the risk response process, which follows the risk scenario development process, but it is not the same as creating the risk scenarios. Validation by senior management is a quality assurance step that ensures the accuracy and completeness of the risk scenarios, but it is not the same as facilitating the development of the risk scenarios. References = Six Steps to Using Risk Scenarios for Improved Risk Management, IT Risk Scenarios - Morland-Austin, IT Risk Resources | ISACA

A root cause analysis is a systematic process of identifying the underlying factors that caused the noncompliant conditions during the review of a control procedure. A root cause analysis can help to prevent the recurrence of the noncompliance, improve the effectiveness of the control procedure, and enhance the risk management process. A root cause analysis can be performed using various tools and techniques, such as the 5 whys, fishbone diagram, Pareto chart, or fault tree analysis. The other options are not as appropriate as a root cause analysis, because they do not address the source of the problem, but rather the symptoms or consequences of the noncompliance. References = Risk and Information Systems Control Study Manual, Chapter 4, Section 4.3.3, page 130.

Conducting regular independent reviews will provide the best measure of compliance with IT policies, as this ensures that the policies are implemented and followed consistently and effectively across the organization. Independent reviews can also identify any gaps, weaknesses, or violations in the compliance process, and recommend corrective actions or improvements. Independent reviews can be performed by internal or external auditors, regulators, or consultants, depending on the scope and purpose of the review. Evaluating past policy review reports, performing penetration testing, and testing staff on their complianceresponsibilities are not the best measures of compliance with IT policies, although they may be useful or complementary methods. Evaluating past policy review reports can provide some historical and comparative data, but it may not reflect the current or accurate situation of the compliance status. Performing penetration testing can assess the security and vulnerability of the IT systems and networks, but it does not measure the compliance with all the IT policies, such as those related to governance, operations, or quality. Testing staff on their compliance responsibilities can evaluate the awareness and knowledge of the staff, but it does not measure the actual behaviour or performance of the staff in complying with the IT policies. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 187.