Isaca Updated CRISC Exam Questions and Answers by khalid

 The best way to measure the effectiveness of the subsidiary’s IT systems controls is to review metrics and key performance indicators (KPIs), as they provide quantitative and qualitative measures of the performance and outcomes of the IT systems and processes, and how well they meet the predefined standards and expectations. Metrics and KPIs can help to evaluate the efficiency, reliability, security, and quality of the IT systems and controls, and to identify any gaps, weaknesses, or issues that need to be addressed. Metrics and KPIs can also help to compare and benchmark the subsidiary’s IT systems and controls with those of the parent organization or other similar entities. The other options are not the best ways to measure the effectiveness of the subsidiary’s IT systems controls, although they may be useful or complementary methods. Implementing IT systems in alignment with business objectives is a good practice, but it does not measure the effectiveness of the IT systems controls, as it focuses on the alignment and integration of the IT systems with the business strategy and goals. Reviewing design documentation of IT systems can provide some information on the specifications and requirements of the IT systems, but it does not measure the effectiveness of the IT systems controls, as it does not reflect the actual implementation and operation of the IT systems. Evaluating compliance with legal and regulatory requirements can ensure that the subsidiary’s IT systems and controls meet the minimum standards and obligations of the foreign country, but it does not measure the effectiveness of the IT systems controls, as it does not consider the performance and outcomes of the IT systems and processes. References = Risk and Information Systems Control Study Manual, Chapter 5: Risk and Control Monitoring and Reporting, page 187.

Risk policies provide the best indication of an organization’s risk tolerance, as they define the acceptable level of risk and the risk appetite of the organization. Risk policies also establish the roles and responsibilities, methodologies, and reporting mechanisms for risk management. Risk sharing strategy, risk transfer agreements, and risk assessments are not the best indicators of risk tolerance, as they are more related to risk response, risk mitigation, and risk identification, respectively. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 1, Section 1.2.1.2, page 19.

Key performance indicators (KPIs) are metrics that measure the achievement of objectives and the effectiveness of processes. KPIs can help management report on risk by providing quantitative and qualitative information on the risk profile, the risk appetite, the risk response, and the risk outcomes. KPIs can also help monitor and communicate the progress and results of risk management activities, such as risk identification, assessment, mitigation, and reporting. KPIs can be aligned with the strategic, operational, and tactical goals of the organization, and can be tailored to the specific needs and expectations of different stakeholders. References = Risk and Information Systems Control Study Manual, Chapter 4: Risk and Control Monitoring and Reporting, Section 4.2: Key Risk Indicators and Key Performance Indicators, p. 197-199.

 A detective control is a type of internal control that seeks to uncover problems in a company’s processes once they have occurred. Examples of detective controls include physical inventory checks, reviews of account reports and reconciliations, as well as assessments of current controls1. A periodic access review is a detective control that involves verifying the access rights and privileges of users to ensure that they are appropriate and authorized. A periodic access review can help to detect any unauthorized or inappropriate access, such as excessive or redundant permissions, segregation of duties violations, or dormant or orphaned accounts23. The other options are not detective controls, but rather preventive controls, which are designed to prevent errors or fraud from occurring in the first place. A limit check is a preventive control that validates the input data against a predefined range or limit, and rejects any data that falls outside the acceptable range4. Access control software is a preventive control that restricts the access to information systems or resources based on the identity, role, or credentials of the user5. Rerun procedures are preventive controls that ensure the accuracy and completeness of data processing by repeating the same process and comparing the results6. References = Detective Control: Definition, Examples, Vs. Preventive Control; Detective Control - What Is It, Examples, Vs Preventive Control; Limit Check - an overview | ScienceDirect Topics; Access Control Software - an overview | ScienceDirect Topics; Rerun Procedures - an overview | ScienceDirect Topics