Isaca Updated CRISC Exam Questions and Answers by niall

Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. One of the elements of risk appetite is the enterprise’s capacity to absorb loss, which is the maximum amount of loss that an organization can withstand without jeopardizing its existence or strategic objectives. The effectiveness of compensating controls, the residual risk affected by preventive controls, and the amount of inherent risk considered appropriate are not elements of risk appetite, but rather factors that influence the risk assessment and response processes. References = [CRISC Review Manual (Digital Version)], page 41; CRISC Review Questions, Answers & Explanations Database, question 196.

Key performance indicators (KPIs) are metrics that reflect how well an organization is achieving its goals and objectives. KPIs should be specific, measurable, achievable, relevant, and time-bound. The most important characteristic of a KPI is its relevance, meaning that it should be aligned with the organization’s vision, mission, strategy, and values. A relevant KPI should also be meaningful and useful for the intended audience, such as the management, the staff, or the stakeholders. A relevant KPI should provide insight into the performance and progress of the organization, as well as enable decision making and improvement actions. A KPI that is not relevant may be misleading, inaccurate, or irrelevant, and may not reflect the true state of the organization or its goals. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.2, p. 116-117

A report of deficiencies noted during controls testing is the best option to inform stakeholders risk decision-making, as it provides an accurate and timely assessment of the effectiveness and efficiency of the organization’s control environment. A report of deficiencies noted during controls testing is a document that summarizes the results of the testing activities performed on the organization’s internal controls, such as design, implementation, operation, and monitoring. A report of deficiencies noted during controls testing should include the following elements:

The scope, objectives, and methodology of the controls testing

The criteria and standards used to evaluate the controls

The findings and observations of the testing process

The root causes and impacts of the identified deficiencies

The recommendations and action plans to address the deficiencies

The roles and responsibilities of the stakeholders involved in the remediation process

A report of deficiencies noted during controls testing helps to inform stakeholders risk decision-making by providing them with relevant and reliable information on the current state of the organization’s control environment. It also helps to identify and prioritize the areas for improvement and enhancement of the control environment. A report of deficiencies noted during controls testing also facilitates the communication, collaboration, and accountability among the stakeholders involved in the risk management and control processes.

The other options are not the best options to inform stakeholders risk decision-making. The audit plan for the upcoming period is a document that outlines the scope, objectives, and methodology of the planned audit activities, but it does not provide any information on the actual performance of the organization’s control environment. Spend to date on mitigating control implementation is a measure of the resources and costs incurred to implement the risk response actions, but it does not indicate the effectiveness or efficiency of the control environment. A status report of control deployment is a document that tracks and monitors the progress and performance of the control implementation process, but it does not evaluate the quality or adequacy of the control environment. References = Internal Control Deficiencies: Identification,Reporting and Communication, IT Risk Resources | ISACA, Internal Control Testing: Techniques, Types, and Examples

An incident is an unplanned event that disrupts or degrades the normal operation or performance of an IT service, system, or network1. An incident can cause various negative impacts, such as service outages, data losses, security breaches, or customer dissatisfaction2. An incident can recur if the underlying cause or problem of the incident is not properly identified and resolved3.

The best course of action to help reduce the probability of an incident recurring is to perform root cause analysis. Root cause analysis is a systematic process of finding and eliminating the fundamental cause or problem that led to the incident4. Root cause analysis can help to:

Prevent or minimize the recurrence of the incident by addressing the source of the problem, not just the symptoms or effects

Identify and implement corrective or preventive actions that can effectively resolve or mitigate the problem

Learn from the incident and improve the IT service, system, or network quality and reliability

Enhance the incident management and problem management processes and capabilities5

References = What is an Incident?, Incident Management - Wikipedia, Problem Management - Wikipedia, Root Cause Analysis - Wikipedia, Root Cause Analysis: A Guide for Business Leaders